teknoraver

stealth

Jul 1st, 2015
  1. From 2a96213b42233a43901f9a38abd6d7b5da9b0a93 Mon Sep 17 00:00:00 2001
  2. From: Matteo Croce <matteo@openwrt.org>
  3. Date: Thu, 2 Jul 2015 00:30:22 +0200
  4. Subject: [PATCH] add stealth mode
  5.  
  6. Add option to disable any reply not related to a listening socket,
  7. like RST/ACK for TCP and ICMP Dest-Unreach for UDP.
  8. It also suppresses the ICMP replies to echo and timestamp requests.
  9. The stealth mode can be enabled selectively for a single interface.
  10. ---
  11. include/linux/inetdevice.h | 1 +
  12.  include/linux/ipv6.h       | 1 +
  13.  include/uapi/linux/ip.h    | 1 +
  14.  net/ipv4/devinet.c         | 1 +
  15.  net/ipv4/icmp.c            | 6 ++++++
  16.  net/ipv4/tcp_ipv4.c        | 3 ++-
  17.  net/ipv4/udp.c             | 4 +++-
  18.  net/ipv6/addrconf.c        | 7 +++++++
  19.  net/ipv6/icmp.c            | 3 ++-
  20.  net/ipv6/tcp_ipv6.c        | 2 +-
  21.  net/ipv6/udp.c             | 3 ++-
  22.  11 files changed, 27 insertions(+), 5 deletions(-)
  23.  
  24. diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
  25. index a4328ce..a64c01e 100644
  26. --- a/include/linux/inetdevice.h
  27. +++ b/include/linux/inetdevice.h
  28. @@ -128,6 +128,7 @@ static inline void ipv4_devconf_setall(struct in_device *in_dev)
  29.  #define IN_DEV_ARP_ANNOUNCE(in_dev)    IN_DEV_MAXCONF((in_dev), ARP_ANNOUNCE)
  30.  #define IN_DEV_ARP_IGNORE(in_dev)  IN_DEV_MAXCONF((in_dev), ARP_IGNORE)
  31.  #define IN_DEV_ARP_NOTIFY(in_dev)  IN_DEV_MAXCONF((in_dev), ARP_NOTIFY)
  32. +#define IN_DEV_STEALTH(in_dev)     IN_DEV_MAXCONF((in_dev), STEALTH)
  33.  
  34.  struct in_ifaddr {
  35.     struct hlist_node   hash;
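Review bot: IN_DEV_STEALTH inherits two properties from IN_DEV_MAXCONF that its callers in this patch need to know and that nothing here states: the result is the max of the net-wide `all` value and the per-device value, so `all/stealth=1` switches stealth on for every interface and a per-interface 0 cannot undo it, and the macro is not NULL-safe, since IN_DEV_MAXCONF (defined above this hunk) reads through `in_dev` to find the namespace. A one-line comment next to the define would keep callers honest: `/* stealth is on if all.stealth or conf.<dev>.stealth is set; in_dev must be non-NULL */`. The callers added by this patch pass `skb->dev->ip_ptr` directly, which is NULL for a device with no IPv4 configuration.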
  36. diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
  37. index 82806c6..49494ec 100644
  38. --- a/include/linux/ipv6.h
  39. +++ b/include/linux/ipv6.h
  40. @@ -53,6 +53,7 @@ struct ipv6_devconf {
  41.     __s32           ndisc_notify;
  42.     __s32       suppress_frag_ndisc;
  43.     __s32       accept_ra_mtu;
  44. +   __s32       stealth;
  45.     struct ipv6_stable_secret {
  46.         bool initialized;
  47.         struct in6_addr secret;
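Review bot: The new `stealth` field is added to struct ipv6_devconf without a matching DEVCONF_* entry in the uapi enum; if ipv6_store_devconf() still mirrors this struct into the IFLA_INET6_CONF netlink array by DEVCONF_ index, as it did at this vintage, the knob will be settable via sysctl but invisible to `ip -6 ... ` / netlink readers, which is surprising for a per-interface setting. Either append `DEVCONF_STEALTH` and store it there, or add a comment on the field that it is deliberately sysctl-only. Placing the field before `stable_secret` rather than at the end is harmless for netlink (it copies by index) but worth a glance since every other recent addition is appended. The struct definition starts above this hunk.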
  48. diff --git a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h
  49. index 08f894d..4acbf99 100644
  50. --- a/include/uapi/linux/ip.h
  51. +++ b/include/uapi/linux/ip.h
  52. @@ -165,6 +165,7 @@ enum
  53.     IPV4_DEVCONF_IGMPV2_UNSOLICITED_REPORT_INTERVAL,
  54.     IPV4_DEVCONF_IGMPV3_UNSOLICITED_REPORT_INTERVAL,
  55.     IPV4_DEVCONF_IGNORE_ROUTES_WITH_LINKDOWN,
  56. +   IPV4_DEVCONF_STEALTH,
  57.     __IPV4_DEVCONF_MAX
  58.  };
  59.  
  60. diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
  61. index 7498716..6b9930a 100644
  62. --- a/net/ipv4/devinet.c
  63. +++ b/net/ipv4/devinet.c
  64. @@ -2178,6 +2178,7 @@ static struct devinet_sysctl_table {
  65.                           "promote_secondaries"),
  66.         DEVINET_SYSCTL_FLUSHING_ENTRY(ROUTE_LOCALNET,
  67.                           "route_localnet"),
  68. +       DEVINET_SYSCTL_RW_ENTRY(STEALTH, "stealth"),
  69.     },
  70.  };
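Review bot: The new sysctl gets no entry in Documentation/networking/ip-sysctl.txt, and its semantics are not obvious from the name: because the readers use IN_DEV_MAXCONF, an interface is stealthy when either `all/stealth` or `conf/<if>/stealth` is non-zero, so `all` cannot be overridden per interface. Suggested text: `stealth - BOOLEAN: Do not answer ICMP echo/timestamp requests, and do not send TCP RST or ICMP port-unreachable for packets arriving on this interface that match no socket. Default: 0 (disabled)`. It should also say that this acts only at local delivery — sockets that are listening still respond, forwarded traffic is untouched, and it is not a substitute for a packet filter. A BOOLEAN knob would normally be registered with a 0/1 range; proc_dointvec accepts any int here.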
  71.  
  72. diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
  73. index f5203fb..2f1b31f 100644
  74. --- a/net/ipv4/icmp.c
  75. +++ b/net/ipv4/icmp.c
  76. @@ -882,6 +882,9 @@ static bool icmp_echo(struct sk_buff *skb)
  77.  {
  78.     struct net *net;
  79.  
  80. +   if(IN_DEV_STEALTH(skb->dev->ip_ptr))
  81. +       return true;
  82. +
  83.     net = dev_net(skb_dst(skb)->dev);
  84.     if (!net->ipv4.sysctl_icmp_echo_ignore_all) {
  85.         struct icmp_bxm icmp_param;
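Review bot: `skb->dev->ip_ptr` is passed straight into IN_DEV_STEALTH with no NULL check; ip_ptr is an RCU-managed pointer that is NULL for a device with no IPv4 configuration, and the macro dereferences it, so an echo request arriving on such a device would oops instead of just going unanswered. ICMP input runs under the RCU read lock of the local delivery path as far as I can tell, so the conventional form is `struct in_device *in_dev = __in_dev_get_rcu(skb->dev);` followed by `if (in_dev && IN_DEV_STEALTH(in_dev)) return true;` — this also keeps sparse quiet about the raw `__rcu` access. Kernel style wants `if (` with a space. icmp_echo continues past the end of the hunk.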
  86. @@ -915,6 +918,9 @@ static bool icmp_timestamp(struct sk_buff *skb)
  87.     if (skb->len < 4)
  88.         goto out_err;
  89.  
  90. +   if(IN_DEV_STEALTH(skb->dev->ip_ptr))
  91. +       return true;
  92. +
  93.     /*
  94.      *  Fill in the current time as ms since midnight UT:
  95.      */
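Review bot: Same unchecked `skb->dev->ip_ptr` dereference as in icmp_echo; ip_ptr can be NULL and is RCU-protected, so use `__in_dev_get_rcu(skb->dev)` with a NULL check here as well. Since the two sites are identical, a small `static inline bool icmp_stealth(const struct sk_buff *skb)` helper in this file would keep them in sync. Note that the check sits after the `skb->len < 4` validation, so malformed timestamp requests still reach `out_err` and are counted as errors; that ordering looks intentional and deserves a one-line comment so nobody hoists it. icmp_timestamp starts above the hunk.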
  96. diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
  97. index d7d4c2b..c887d6e 100644
  98. --- a/net/ipv4/tcp_ipv4.c
  99. +++ b/net/ipv4/tcp_ipv4.c
  100. @@ -77,6 +77,7 @@
  101.  #include <net/busy_poll.h>
  102.  
  103.  #include <linux/inet.h>
  104. +#include <linux/inetdevice.h>
  105.  #include <linux/ipv6.h>
  106.  #include <linux/stddef.h>
  107.  #include <linux/proc_fs.h>
  108. @@ -1652,7 +1653,7 @@ csum_error:
  109.         TCP_INC_STATS_BH(net, TCP_MIB_CSUMERRORS);
  110.  bad_packet:
  111.         TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
  112. -   } else {
  113. +   } else if(!IN_DEV_STEALTH(skb->dev->ip_ptr)) {
  114.         tcp_v4_send_reset(NULL, skb);
  115.     }
  116.  
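Review bot: `IN_DEV_STEALTH(skb->dev->ip_ptr)` dereferences ip_ptr without checking it, so a segment that reaches `no_tcp_socket` on a device with no in_device would crash here rather than merely not be RST'd. Look the in_device up and null-check it: `struct in_device *in_dev = __in_dev_get_rcu(skb->dev);` … `} else if (!in_dev || !IN_DEV_STEALTH(in_dev)) {` — tcp_v4_rcv runs under the RCU read lock of local delivery, as far as I can tell, so the `_rcu` accessor is appropriate. It is also worth a comment that stealth only suppresses the RST for segments that matched no socket; resets sent on behalf of an existing or time-wait socket elsewhere in this file are unaffected. The enclosing tcp_v4_rcv begins and ends outside the hunk.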
  117. diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
  118. index 83aa604..b3b0dee 100644
  119. --- a/net/ipv4/udp.c
  120. +++ b/net/ipv4/udp.c
  121. @@ -96,6 +96,7 @@
  122.  #include <linux/timer.h>
  123.  #include <linux/mm.h>
  124.  #include <linux/inet.h>
  125. +#include <linux/inetdevice.h>
  126.  #include <linux/netdevice.h>
  127.  #include <linux/slab.h>
  128.  #include <net/tcp_states.h>
  129. @@ -1823,7 +1824,8 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
  130.         goto csum_error;
  131.  
  132.     UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
  133. -   icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
  134. +   if(!IN_DEV_STEALTH(skb->dev->ip_ptr))
  135. +       icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
  136.  
  137.     /*
  138.      * Hmm.  We got an UDP packet to a port to which we
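Review bot: Same NULL-safety problem: `skb->dev->ip_ptr` goes into IN_DEV_STEALTH unchecked, so a datagram to a closed port on a device without IPv4 configuration would oops instead of simply not being answered. Use `struct in_device *in_dev = __in_dev_get_rcu(skb->dev);` and `if (!in_dev || !IN_DEV_STEALTH(in_dev)) icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);`. A short comment that this also silences the port-unreachable that UDP traceroute relies on, and that UDP-Lite shares this path (`proto == IPPROTO_UDPLITE` on the line above), would spare the next reader a surprise. __udp4_lib_rcv continues outside the hunk.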
  139. diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
  140. index 21c2c81..b9e44e2 100644
  141. --- a/net/ipv6/addrconf.c
  142. +++ b/net/ipv6/addrconf.c
  143. @@ -5585,6 +5585,13 @@ static struct addrconf_sysctl_table
  144.             .proc_handler   = addrconf_sysctl_stable_secret,
  145.         },
  146.         {
  147. +           .procname   = "stealth",
  148. +           .data       = &ipv6_devconf.stealth,
  149. +           .maxlen     = sizeof(int),
  150. +           .mode       = 0644,
  151. +           .proc_handler   = proc_dointvec,
  152. +       },
  153. +       {
  154.             /* sentinel */
  155.         }
  156.     },
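Review bot: The IPv6 knob has different `all` semantics from the IPv4 one and nothing documents it: the IPv4 readers use IN_DEV_MAXCONF (all OR per-interface), while the IPv6 readers in this patch test only `idev->cnf.stealth`, and a plain proc_dointvec on `all/stealth` does not propagate to existing interfaces (only a few addrconf knobs have handlers that do), so on IPv6 `all` is, if I read it right, just the template for newly created interfaces. If that asymmetry is intended, the ip-sysctl.txt entry should say so; if not, give this entry a handler that mirrors into each idev like the forwarding knob does. Also, if ipv6_store_devconf()/the DEVCONF_* enum still export struct ipv6_devconf over netlink, this field needs an entry there. The table starts above the hunk.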
  157. diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
  158. index 713d743..94b08ac 100644
  159. --- a/net/ipv6/icmp.c
  160. +++ b/net/ipv6/icmp.c
  161. @@ -723,7 +723,8 @@ static int icmpv6_rcv(struct sk_buff *skb)
  162.  
  163.     switch (type) {
  164.     case ICMPV6_ECHO_REQUEST:
  165. -       icmpv6_echo_reply(skb);
  166. +       if(!idev->cnf.stealth)
  167. +           icmpv6_echo_reply(skb);
  168.         break;
  169.  
  170.     case ICMPV6_ECHO_REPLY:
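Review bot: `idev->cnf.stealth` is dereferenced unconditionally; elsewhere in icmpv6_rcv, as far as I recall, idev is only used through the ICMP6 stats macros, which tolerate a NULL idev, so this is likely the first hard dereference and a device without an inet6_dev would oops on an echo request. Guard it: `if (!idev || !idev->cnf.stealth) icmpv6_echo_reply(skb);`. The dropped request is still counted as an input message but no reply is generated, which matches the IPv4 behaviour and is worth a one-line comment. The switch and the enclosing function continue outside the hunk.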
  171. diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
  172. index 6748c42..cae96d7 100644
  173. --- a/net/ipv6/tcp_ipv6.c
  174. +++ b/net/ipv6/tcp_ipv6.c
  175. @@ -1445,7 +1445,7 @@ csum_error:
  176.         TCP_INC_STATS_BH(net, TCP_MIB_CSUMERRORS);
  177.  bad_packet:
  178.         TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
  179. -   } else {
  180. +   } else if(!__in6_dev_get(skb->dev)->cnf.stealth) {
  181.         tcp_v6_send_reset(NULL, skb);
  182.     }
  183.  
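Review bot: `__in6_dev_get(skb->dev)->cnf.stealth` dereferences the return value without a check; __in6_dev_get() returns NULL when the device has no inet6_dev, so the no-socket path can oops. Hoist it into a local and test it: `struct inet6_dev *idev = __in6_dev_get(skb->dev);` then `} else if (!idev || !idev->cnf.stealth) {`. The same expression is repeated in net/ipv6/udp.c, so a small inline such as `ipv6_dev_stealth(const struct net_device *dev)` in a shared header would avoid the copy, and kernel style wants `if (` with a space. tcp_v6_rcv begins and ends outside the hunk.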
  184. diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
  185. index e51fc3e..c0cee63 100644
  186. --- a/net/ipv6/udp.c
  187. +++ b/net/ipv6/udp.c
  188. @@ -934,7 +934,8 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
  189.         goto csum_error;
  190.  
  191.     UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
  192. -   icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
  193. +   if(!__in6_dev_get(skb->dev)->cnf.stealth)
  194. +       icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
  195.  
  196.     kfree_skb(skb);
  197.     return 0;
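Review bot: Same unchecked `__in6_dev_get(skb->dev)` dereference as in tcp_ipv6.c — NULL is a legitimate return value, so without a check a datagram to a closed port on a device with no inet6_dev crashes here instead of going unanswered. `struct inet6_dev *idev = __in6_dev_get(skb->dev);` followed by `if (!idev || !idev->cnf.stealth) icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);` keeps the intended behaviour. As on the IPv4 side, a comment that this suppresses the port-unreachable used by UDP traceroute (and applies to UDP-Lite too) would help. __udp6_lib_rcv starts above the hunk.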
  198. --
  199. 2.1.4