On Tue, May 14, 2019 at 10:56:54AM +0800, Weilong Chen wrote:
> The remote host answers to an ICMP timestamp request.
> This allows an attacker to know the time and date on your host.
> 
> This patch is an alternative to the iptables rules:
> iptables -A input -p icmp --icmp-type timestamp-request -j DROP
> iptables -A output -p icmp --icmp-type timestamp-reply -j DROP
> 
> Default is enabled.
> 
> enable:
>       sysctl -w net.ipv4.icmp_timestamp_enable=1
> disable
>       sysctl -w net.ipv4.icmp_timestamp_enable=0
> testing:
>       hping3 --icmp --icmp-ts -V $IPADDR
> 
> Signed-off-by: Weilong Chen <chenweil...@huawei.com>
> ---

I'm not sure what you are trying to do but this looks like a process
violation:

  - it's exactly the same as the patch rejected yesterday
  - it's marked as "v2" again
  - net-next is closed until the end of merge window anyway

Michal Kubecek

>  include/net/ip.h           | 2 ++
>  net/ipv4/icmp.c            | 5 +++++
>  net/ipv4/sysctl_net_ipv4.c | 8 ++++++++
>  3 files changed, 15 insertions(+)
> 
> diff --git a/include/net/ip.h b/include/net/ip.h
> index 2d3cce7..71840e4 100644
> --- a/include/net/ip.h
> +++ b/include/net/ip.h
> @@ -718,6 +718,8 @@ bool icmp_global_allow(void);
>  extern int sysctl_icmp_msgs_per_sec;
>  extern int sysctl_icmp_msgs_burst;
>  
> +extern int sysctl_icmp_timestamp_enable;
> +
>  #ifdef CONFIG_PROC_FS
>  int ip_misc_proc_init(void);
>  #endif
> diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
> index f3a5893..5010541 100644
> --- a/net/ipv4/icmp.c
> +++ b/net/ipv4/icmp.c
> @@ -232,6 +232,7 @@ static inline void icmp_xmit_unlock(struct sock *sk)
>  
>  int sysctl_icmp_msgs_per_sec __read_mostly = 1000;
>  int sysctl_icmp_msgs_burst __read_mostly = 50;
> +int sysctl_icmp_timestamp_enable __read_mostly = 1;
>  
>  static struct {
>       spinlock_t      lock;
> @@ -953,6 +954,10 @@ static bool icmp_echo(struct sk_buff *skb)
>  static bool icmp_timestamp(struct sk_buff *skb)
>  {
>       struct icmp_bxm icmp_param;
> +
> +     if (!sysctl_icmp_timestamp_enable)
> +             goto out_err;
> +
>       /*
>        *      Too short.
>        */
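Review bot: The new `goto out_err` at the top of icmp_timestamp() sends an administratively disabled request through the function's error exit, which — if it is the same label the "Too short" check below jumps to — counts the packet as an ICMP input error in the MIB, so a policy decision shows up in the statistics as malformed traffic. Returning directly, `if (!sysctl_icmp_timestamp_enable) return false;`, drops the request without touching the error counter; the rest of icmp_timestamp() lies outside the hunk, so whether out_err bumps the error statistic should be confirmed there. The toggle is also a plain global (declared in the ip.h hunk and defined in the first icmp.c hunk) rather than a field of `net->ipv4` like the existing icmp_echo_ignore_all control, so disabling it in one network namespace disables it for all of them; a per-netns sysctl would match how the other ICMP knobs are scoped.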
> diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
> index 875867b..1fe467e 100644
> --- a/net/ipv4/sysctl_net_ipv4.c
> +++ b/net/ipv4/sysctl_net_ipv4.c
> @@ -544,6 +544,14 @@ static struct ctl_table ipv4_table[] = {
>               .extra1         = &zero,
>       },
>       {
> +             .procname       = "icmp_timestamp_enable",
> +             .data           = &sysctl_icmp_timestamp_enable,
> +             .maxlen         = sizeof(int),
> +             .mode           = 0644,
> +             .proc_handler   = proc_dointvec_minmax,
> +             .extra1         = &zero,
> +     },
> +     {
>               .procname       = "udp_mem",
>               .data           = &sysctl_udp_mem,
>               .maxlen         = sizeof(sysctl_udp_mem),
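Review bot: The new ctl_table entry bounds the value only from below: `.extra1 = &zero` with `proc_dointvec_minmax` and no `.extra2`, so a write such as `7` is accepted for what the description presents as an on/off switch. Adding `.extra2 = &one,` after the `.extra1` line (using the `one` constant the file's other boolean entries rely on) restricts the knob to 0/1 and makes the accepted range match the documented usage. The entry also arrives without a matching paragraph in the IPv4 sysctl documentation stating the name, the default of 1 and that 0 makes the host stop answering ICMP timestamp requests.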
> -- 
> 2.7.4
> 
