Merge release-20210208.0-71-g2a2cb29e1 (automated)

7 files changed, 217 insertions, 70 deletions

diff --git a/pkg/sentry/socket/netstack/netstack.go b/pkg/sentry/socket/netstack/netstack.go
index a632b8bcd..f77a867f1 100644
--- a/pkg/sentry/socket/netstack/netstack.go
+++ b/pkg/sentry/socket/netstack/netstack.go
@@ -184,6 +184,10 @@ var Metrics = tcpip.Stats{
 		IPTablesPreroutingDropped:           mustCreateMetric("/netstack/ip/iptables/prerouting_dropped", "Total number of IP packets dropped in the Prerouting chain."),
 		IPTablesInputDropped:                mustCreateMetric("/netstack/ip/iptables/input_dropped", "Total number of IP packets dropped in the Input chain."),
 		IPTablesOutputDropped:               mustCreateMetric("/netstack/ip/iptables/output_dropped", "Total number of IP packets dropped in the Output chain."),
+		OptionTimestampReceived:             mustCreateMetric("/netstack/ip/options/timestamp_received", "Total number of timestamp options found in received IP packets."),
+		OptionRecordRouteReceived:           mustCreateMetric("/netstack/ip/options/record_route_received", "Total number of record route options found in received IP packets."),
+		OptionRouterAlertReceived:           mustCreateMetric("/netstack/ip/options/router_alert_received", "Total number of router alert options found in received IP packets."),
+		OptionUnknownReceived:               mustCreateMetric("/netstack/ip/options/unknown_received", "Total number of unknown options found in received IP packets."),
 	},
 	ARP: tcpip.ARPStats{
 		PacketsReceived:                                 mustCreateMetric("/netstack/arp/packets_received", "Number of ARP packets received from the link layer."),
diff --git a/pkg/tcpip/header/ipv4.go b/pkg/tcpip/header/ipv4.go
index 48ca60319..f588311e0 100644
--- a/pkg/tcpip/header/ipv4.go
+++ b/pkg/tcpip/header/ipv4.go
@@ -519,6 +519,7 @@ func (o *IPv4OptionGeneric) Contents() []byte { return []byte(*o) }
 // IPv4OptionIterator is an iterator pointing to a specific IP option
 // at any point of time. It also holds information as to a new options buffer
 // that we are building up to hand back to the caller.
+// TODO(https://gvisor.dev/issues/5513): Add unit tests for IPv4OptionIterator.
 type IPv4OptionIterator struct {
 	options IPv4Options
 	// ErrCursor is where we are while parsing options. It is exported as any
@@ -539,6 +540,15 @@ func (o IPv4Options) MakeIterator() IPv4OptionIterator {
 	}
 }
 
+// InitReplacement copies the option into the new option buffer.
+func (i *IPv4OptionIterator) InitReplacement(option IPv4Option) IPv4Options {
+	replacementOption := i.RemainingBuffer()[:option.Size()]
+	if copied := copy(replacementOption, option.Contents()); copied != len(replacementOption) {
+		panic(fmt.Sprintf("copied %d bytes in the replacement option buffer, expected %d bytes", copied, len(replacementOption)))
+	}
+	return replacementOption
+}
+
 // RemainingBuffer returns the remaining (unused) part of the new option buffer,
 // into which a new option may be written.
 func (i *IPv4OptionIterator) RemainingBuffer() IPv4Options {
@@ -649,6 +659,17 @@ func (i *IPv4OptionIterator) Next() (IPv4Option, bool, *IPv4OptParameterProblem)
 		}
 		retval := IPv4OptionRecordRoute(optionBody)
 		return &retval, false, nil
+
+	case IPv4OptionRouterAlertType:
+		if optLen != IPv4OptionRouterAlertLength {
+			i.ErrCursor++
+			return nil, false, &IPv4OptParameterProblem{
+				Pointer:  i.ErrCursor,
+				NeedICMP: true,
+			}
+		}
+		retval := IPv4OptionRouterAlert(optionBody)
+		return &retval, false, nil
 	}
 	retval := IPv4OptionGeneric(optionBody)
 	return &retval, false, nil
@@ -896,11 +917,30 @@ const (
 	// payload of the router alert option.
 	IPv4OptionRouterAlertValue = 0
 
-	// iPv4OptionRouterAlertValueOffset is the offset for the value of a
+	// IPv4OptionRouterAlertValueOffset is the offset for the value of a
 	// RouterAlert option.
-	iPv4OptionRouterAlertValueOffset = 2
+	IPv4OptionRouterAlertValueOffset = 2
 )
 
+var _ IPv4Option = (*IPv4OptionRouterAlert)(nil)
+
+// IPv4OptionRouterAlert is an IPv4 RouterAlert option defined by RFC 2113.
+type IPv4OptionRouterAlert []byte
+
+// Type implements IPv4Option.
+func (*IPv4OptionRouterAlert) Type() IPv4OptionType { return IPv4OptionRouterAlertType }
+
+// Size implements IPv4Option.
+func (ra *IPv4OptionRouterAlert) Size() uint8 { return uint8(len(*ra)) }
+
+// Contents implements IPv4Option.
+func (ra *IPv4OptionRouterAlert) Contents() []byte { return []byte(*ra) }
+
+// Value returns the value of the IPv4OptionRouterAlert.
+func (ra *IPv4OptionRouterAlert) Value() uint16 {
+	return binary.BigEndian.Uint16(ra.Contents()[IPv4OptionRouterAlertValueOffset:])
+}
+
 // IPv4SerializableOption is an interface to represent serializable IPv4 option
 // types.
 type IPv4SerializableOption interface {
@@ -999,7 +1039,7 @@ func (*IPv4SerializableRouterAlertOption) optionType() IPv4OptionType {
 
 // Length implements IPv4SerializableOption.
 func (*IPv4SerializableRouterAlertOption) length() uint8 {
-	return IPv4OptionRouterAlertLength - iPv4OptionRouterAlertValueOffset
+	return IPv4OptionRouterAlertLength - IPv4OptionRouterAlertValueOffset
 }
 
 // SerializeInto implements IPv4SerializableOption.
diff --git a/pkg/tcpip/network/internal/ip/stats.go b/pkg/tcpip/network/internal/ip/stats.go
index 898f8b356..5f7e60c5c 100644
--- a/pkg/tcpip/network/internal/ip/stats.go
+++ b/pkg/tcpip/network/internal/ip/stats.go
@@ -68,11 +68,17 @@ type MultiCounterIPStats struct {
 	// Output chain.
 	IPTablesOutputDropped tcpip.MultiCounterStat
 
-	// OptionTSReceived is the number of Timestamp options seen.
-	OptionTSReceived tcpip.MultiCounterStat
+	// TODO(https://gvisor.dev/issues/5529): Move the IPv4-only option stats out
 
-	// OptionRRReceived is the number of Record Route options seen.
-	OptionRRReceived tcpip.MultiCounterStat
+	// of IPStats.
+	// OptionTimestampReceived is the number of Timestamp options seen.
+	OptionTimestampReceived tcpip.MultiCounterStat
+
+	// OptionRecordRouteReceived is the number of Record Route options seen.
+	OptionRecordRouteReceived tcpip.MultiCounterStat
+
+	// OptionRouterAlertReceived is the number of Router Alert options seen.
+	OptionRouterAlertReceived tcpip.MultiCounterStat
 
 	// OptionUnknownReceived is the number of unknown IP options seen.
 	OptionUnknownReceived tcpip.MultiCounterStat
@@ -92,9 +98,10 @@ func (m *MultiCounterIPStats) Init(a, b *tcpip.IPStats) {
 	m.IPTablesPreroutingDropped.Init(a.IPTablesPreroutingDropped, b.IPTablesPreroutingDropped)
 	m.IPTablesInputDropped.Init(a.IPTablesInputDropped, b.IPTablesInputDropped)
 	m.IPTablesOutputDropped.Init(a.IPTablesOutputDropped, b.IPTablesOutputDropped)
-	m.OptionTSReceived.Init(a.OptionTSReceived, b.OptionTSReceived)
-	m.OptionRRReceived.Init(a.OptionRRReceived, b.OptionRRReceived)
+	m.OptionTimestampReceived.Init(a.OptionTimestampReceived, b.OptionTimestampReceived)
+	m.OptionRecordRouteReceived.Init(a.OptionRecordRouteReceived, b.OptionRecordRouteReceived)
+	m.OptionRouterAlertReceived.Init(a.OptionRouterAlertReceived, b.OptionRouterAlertReceived)
 	m.OptionUnknownReceived.Init(a.OptionUnknownReceived, b.OptionUnknownReceived)
 }
 
-// LINT.ThenChange(:MultiCounterIPStats, ../../tcpip.go:IPStats)
+// LINT.ThenChange(:MultiCounterIPStats, ../../../tcpip.go:IPStats)
diff --git a/pkg/tcpip/network/ipv4/icmp.go b/pkg/tcpip/network/ipv4/icmp.go
index b44304cee..bd0eabad1 100644
--- a/pkg/tcpip/network/ipv4/icmp.go
+++ b/pkg/tcpip/network/ipv4/icmp.go
@@ -214,7 +214,7 @@ func (e *endpoint) handleICMP(pkt *stack.PacketBuffer) {
 			op = &optionUsageReceive{}
 		}
 		var optProblem *header.IPv4OptParameterProblem
-		newOptions, optProblem = e.processIPOptions(pkt, opts, op)
+		newOptions, _, optProblem = e.processIPOptions(pkt, opts, op)
 		if optProblem != nil {
 			if optProblem.NeedICMP {
 				_ = e.protocol.returnError(&icmpReasonParamProblem{
diff --git a/pkg/tcpip/network/ipv4/igmp.go b/pkg/tcpip/network/ipv4/igmp.go
index 12632aceb..0a15ae897 100644
--- a/pkg/tcpip/network/ipv4/igmp.go
+++ b/pkg/tcpip/network/ipv4/igmp.go
@@ -145,10 +145,57 @@ func (igmp *igmpState) init(ep *endpoint) {
 	})
 }
 
+// Precondition: igmp.ep.mu must be locked.
+func (igmp *igmpState) isSourceIPValidLocked(src tcpip.Address, messageType header.IGMPType) bool {
+	if messageType == header.IGMPMembershipQuery {
+		// RFC 2236 does not require the IGMP implementation to check the source IP
+		// for Membership Query messages.
+		return true
+	}
+
+	// As per RFC 2236 section 10,
+	//
+	//   Ignore the Report if you cannot identify the source address of the
+	//   packet as belonging to a subnet assigned to the interface on which the
+	//   packet was received.
+	//
+	//   Ignore the Leave message if you cannot identify the source address of
+	//   the packet as belonging to a subnet assigned to the interface on which
+	//   the packet was received.
+	//
+	// Note: this rule applies to both V1 and V2 Membership Reports.
+	var isSourceIPValid bool
+	igmp.ep.mu.addressableEndpointState.ForEachPrimaryEndpoint(func(addressEndpoint stack.AddressEndpoint) bool {
+		if subnet := addressEndpoint.Subnet(); subnet.Contains(src) {
+			isSourceIPValid = true
+			return false
+		}
+		return true
+	})
+
+	return isSourceIPValid
+}
+
+// Precondition: igmp.ep.mu must be locked.
+func (igmp *igmpState) isPacketValidLocked(pkt *stack.PacketBuffer, messageType header.IGMPType, hasRouterAlertOption bool) bool {
+	// We can safely assume that the IP header is valid if we got this far.
+	iph := header.IPv4(pkt.NetworkHeader().View())
+
+	// As per RFC 2236 section 2,
+	//
+	//   All IGMP messages described in this document are sent with IP TTL 1, and
+	//   contain the IP Router Alert option [RFC 2113] in their IP header.
+	if !hasRouterAlertOption || iph.TTL() != header.IGMPTTL {
+		return false
+	}
+
+	return igmp.isSourceIPValidLocked(iph.SourceAddress(), messageType)
+}
+
 // handleIGMP handles an IGMP packet.
 //
 // Precondition: igmp.ep.mu must be locked.
-func (igmp *igmpState) handleIGMP(pkt *stack.PacketBuffer) {
+func (igmp *igmpState) handleIGMP(pkt *stack.PacketBuffer, hasRouterAlertOption bool) {
 	received := igmp.ep.stats.igmp.packetsReceived
 	headerView, ok := pkt.Data.PullUp(header.IGMPMinimumSize)
 	if !ok {
@@ -168,30 +215,38 @@ func (igmp *igmpState) handleIGMP(pkt *stack.PacketBuffer) {
 		return
 	}
 
+	isValid := func(minimumSize int) bool {
+		return len(headerView) >= minimumSize && igmp.isPacketValidLocked(pkt, h.Type(), hasRouterAlertOption)
+	}
+
 	switch h.Type() {
 	case header.IGMPMembershipQuery:
 		received.membershipQuery.Increment()
-		if len(headerView) < header.IGMPQueryMinimumSize {
+		if !isValid(header.IGMPQueryMinimumSize) {
 			received.invalid.Increment()
 			return
 		}
 		igmp.handleMembershipQuery(h.GroupAddress(), h.MaxRespTime())
 	case header.IGMPv1MembershipReport:
 		received.v1MembershipReport.Increment()
-		if len(headerView) < header.IGMPReportMinimumSize {
+		if !isValid(header.IGMPReportMinimumSize) {
 			received.invalid.Increment()
 			return
 		}
 		igmp.handleMembershipReport(h.GroupAddress())
 	case header.IGMPv2MembershipReport:
 		received.v2MembershipReport.Increment()
-		if len(headerView) < header.IGMPReportMinimumSize {
+		if !isValid(header.IGMPReportMinimumSize) {
 			received.invalid.Increment()
 			return
 		}
 		igmp.handleMembershipReport(h.GroupAddress())
 	case header.IGMPLeaveGroup:
 		received.leaveGroup.Increment()
+		if !isValid(header.IGMPLeaveMessageMinimumSize) {
+			received.invalid.Increment()
+			return
+		}
 		// As per RFC 2236 Section 6, Page 7: "IGMP messages other than Query or
 		// Report, are ignored in all states"
 
diff --git a/pkg/tcpip/network/ipv4/ipv4.go b/pkg/tcpip/network/ipv4/ipv4.go
index 250e4846a..4a429ea6c 100644
--- a/pkg/tcpip/network/ipv4/ipv4.go
+++ b/pkg/tcpip/network/ipv4/ipv4.go
@@ -562,7 +562,7 @@ func (e *endpoint) forwardPacket(pkt *stack.PacketBuffer) tcpip.Error {
 	}
 
 	if opts := h.Options(); len(opts) != 0 {
-		newOpts, optProblem := e.processIPOptions(pkt, opts, &optionUsageForward{})
+		newOpts, _, optProblem := e.processIPOptions(pkt, opts, &optionUsageForward{})
 		if optProblem != nil {
 			if optProblem.NeedICMP {
 				_ = e.protocol.returnError(&icmpReasonParamProblem{
@@ -776,7 +776,7 @@ func (e *endpoint) handlePacket(pkt *stack.PacketBuffer) {
 			// If there are options we need to check them before we do assembly
 			// or we could be assembling errant packets. However we do not change the
 			// options as that could lead to double processing later.
-			if _, optProblem := e.processIPOptions(pkt, opts, &optionUsageVerify{}); optProblem != nil {
+			if _, _, optProblem := e.processIPOptions(pkt, opts, &optionUsageVerify{}); optProblem != nil {
 				if optProblem.NeedICMP {
 					_ = e.protocol.returnError(&icmpReasonParamProblem{
 						pointer: optProblem.Pointer,
@@ -846,8 +846,9 @@ func (e *endpoint) handlePacket(pkt *stack.PacketBuffer) {
 		return
 	}
 	// ICMP handles options itself but do it here for all remaining destinations.
+	var hasRouterAlertOption bool
 	if opts := h.Options(); len(opts) != 0 {
-		newOpts, optProblem := e.processIPOptions(pkt, opts, &optionUsageReceive{})
+		newOpts, processedOpts, optProblem := e.processIPOptions(pkt, opts, &optionUsageReceive{})
 		if optProblem != nil {
 			if optProblem.NeedICMP {
 				_ = e.protocol.returnError(&icmpReasonParamProblem{
@@ -858,6 +859,7 @@ func (e *endpoint) handlePacket(pkt *stack.PacketBuffer) {
 			}
 			return
 		}
+		hasRouterAlertOption = processedOpts.routerAlert
 		copied := copy(opts, newOpts)
 		if copied != len(newOpts) {
 			panic(fmt.Sprintf("copied %d bytes of new options, expected %d bytes", copied, len(newOpts)))
@@ -869,7 +871,7 @@ func (e *endpoint) handlePacket(pkt *stack.PacketBuffer) {
 	}
 	if p == header.IGMPProtocolNumber {
 		e.mu.Lock()
-		e.mu.igmp.handleIGMP(pkt)
+		e.mu.igmp.handleIGMP(pkt, hasRouterAlertOption)
 		e.mu.Unlock()
 		return
 	}
@@ -1291,9 +1293,12 @@ type optionActions struct {
 	// timestamp controls what to do with a Timestamp option.
 	timestamp optionAction
 
-	// recordroute controls what to do with a Record Route option.
+	// recordRoute controls what to do with a Record Route option.
 	recordRoute optionAction
 
+	// routerAlert controls what to do with a Router Alert option.
+	routerAlert optionAction
+
 	// unknown controls what to do with an unknown option.
 	unknown optionAction
 }
@@ -1314,6 +1319,7 @@ func (*optionUsageVerify) actions() optionActions {
 	return optionActions{
 		timestamp:   optionVerify,
 		recordRoute: optionVerify,
+		routerAlert: optionVerify,
 		unknown:     optionRemove,
 	}
 }
@@ -1327,6 +1333,7 @@ func (*optionUsageReceive) actions() optionActions {
 	return optionActions{
 		timestamp:   optionProcess,
 		recordRoute: optionProcess,
+		routerAlert: optionVerify,
 		unknown:     optionPass,
 	}
 }
@@ -1341,6 +1348,7 @@ func (*optionUsageForward) actions() optionActions {
 	return optionActions{
 		timestamp:   optionProcess,
 		recordRoute: optionProcess,
+		routerAlert: optionVerify,
 		unknown:     optionPass,
 	}
 }
@@ -1354,6 +1362,7 @@ func (*optionUsageEcho) actions() optionActions {
 	return optionActions{
 		timestamp:   optionProcess,
 		recordRoute: optionProcess,
+		routerAlert: optionVerify,
 		unknown:     optionRemove,
 	}
 }
@@ -1551,45 +1560,64 @@ func handleRecordRoute(rrOpt header.IPv4OptionRecordRoute, localAddress tcpip.Ad
 	return nil
 }
 
+// handleRouterAlert performs sanity checks on a Router Alert option.
+func handleRouterAlert(raOpt header.IPv4OptionRouterAlert) *header.IPv4OptParameterProblem {
+	// Only the zero value is acceptable, as per RFC 2113, section 2.1:
+	//   Value:  A two octet code with the following values:
+	//     0 - Router shall examine packet
+	//     1-65535 - Reserved
+	if raOpt.Value() != header.IPv4OptionRouterAlertValue {
+		return &header.IPv4OptParameterProblem{
+			Pointer:  header.IPv4OptionRouterAlertValueOffset,
+			NeedICMP: true,
+		}
+	}
+	return nil
+}
+
+type optionTracker struct {
+	timestamp   bool
+	recordRoute bool
+	routerAlert bool
+}
+
 // processIPOptions parses the IPv4 options and produces a new set of options
 // suitable for use in the next step of packet processing as informed by usage.
 // The original will not be touched.
 //
-// Returns
-// - The location of an error if there was one (or 0 if no error)
-// - If there is an error, information as to what it was was.
-// - The replacement option set.
-func (e *endpoint) processIPOptions(pkt *stack.PacketBuffer, orig header.IPv4Options, usage optionsUsage) (header.IPv4Options, *header.IPv4OptParameterProblem) {
+// If there were no errors during parsing, the new set of options is returned as
+// a new buffer.
+func (e *endpoint) processIPOptions(pkt *stack.PacketBuffer, orig header.IPv4Options, usage optionsUsage) (header.IPv4Options, optionTracker, *header.IPv4OptParameterProblem) {
 	stats := e.stats.ip
 	opts := header.IPv4Options(orig)
 	optIter := opts.MakeIterator()
 
-	// Each option other than NOP must only appear (RFC 791 section 3.1, at the
-	// definition of every type). Keep track of each of the possible types in
-	// the 8 bit 'type' field.
+	// Except NOP, each option must only appear at most once (RFC 791 section 3.1,
+	// at the definition of every type).
+	// Keep track of each option we find to enable duplicate option detection.
 	var seenOptions [math.MaxUint8 + 1]bool
 
-	// TODO(gvisor.dev/issue/4586):
-	// This will need tweaking  when we start really forwarding packets
-	// as we may need to get two addresses, for rx and tx interfaces.
-	// We will also have to take usage into account.
+	// TODO(https://gvisor.dev/issue/4586): This will need tweaking when we start
+	// really forwarding packets as we may need to get two addresses, for rx and
+	// tx interfaces. We will also have to take usage into account.
 	prefixedAddress, ok := e.protocol.stack.GetMainNICAddress(e.nic.ID(), ProtocolNumber)
 	localAddress := prefixedAddress.Address
 	if !ok {
 		h := header.IPv4(pkt.NetworkHeader().View())
 		dstAddr := h.DestinationAddress()
 		if pkt.NetworkPacketInfo.LocalAddressBroadcast || header.IsV4MulticastAddress(dstAddr) {
-			return nil, &header.IPv4OptParameterProblem{
+			return nil, optionTracker{}, &header.IPv4OptParameterProblem{
 				NeedICMP: false,
 			}
 		}
 		localAddress = dstAddr
 	}
 
+	var optionsProcessed optionTracker
 	for {
 		option, done, optProblem := optIter.Next()
 		if done || optProblem != nil {
-			return optIter.Finalize(), optProblem
+			return optIter.Finalize(), optionsProcessed, optProblem
 		}
 		optType := option.Type()
 		if optType == header.IPv4OptionNOPType {
@@ -1598,53 +1626,61 @@ func (e *endpoint) processIPOptions(pkt *stack.PacketBuffer, orig header.IPv4Opt
 		}
 		if optType == header.IPv4OptionListEndType {
 			optIter.PushNOPOrEnd(optType)
-			return optIter.Finalize(), nil
+			return optIter.Finalize(), optionsProcessed, nil
 		}
 
 		// check for repeating options (multiple NOPs are OK)
 		if seenOptions[optType] {
-			return nil, &header.IPv4OptParameterProblem{
+			return nil, optionTracker{}, &header.IPv4OptParameterProblem{
 				Pointer:  optIter.ErrCursor,
 				NeedICMP: true,
 			}
 		}
 		seenOptions[optType] = true
 
-		optLen := int(option.Size())
-		switch option := option.(type) {
-		case *header.IPv4OptionTimestamp:
-			stats.OptionTSReceived.Increment()
-			if usage.actions().timestamp != optionRemove {
-				clock := e.protocol.stack.Clock()
-				newBuffer := optIter.RemainingBuffer()[:len(*option)]
-				_ = copy(newBuffer, option.Contents())
-				if optProblem := handleTimestamp(header.IPv4OptionTimestamp(newBuffer), localAddress, clock, usage); optProblem != nil {
-					optProblem.Pointer += optIter.ErrCursor
-					return nil, optProblem
+		optLen, optProblem := func() (int, *header.IPv4OptParameterProblem) {
+			switch option := option.(type) {
+			case *header.IPv4OptionTimestamp:
+				stats.OptionTimestampReceived.Increment()
+				optionsProcessed.timestamp = true
+				if usage.actions().timestamp != optionRemove {
+					clock := e.protocol.stack.Clock()
+					newBuffer := optIter.InitReplacement(option)
+					optProblem := handleTimestamp(header.IPv4OptionTimestamp(newBuffer), localAddress, clock, usage)
+					return len(newBuffer), optProblem
 				}
-				optIter.ConsumeBuffer(optLen)
-			}
 
-		case *header.IPv4OptionRecordRoute:
-			stats.OptionRRReceived.Increment()
-			if usage.actions().recordRoute != optionRemove {
-				newBuffer := optIter.RemainingBuffer()[:len(*option)]
-				_ = copy(newBuffer, option.Contents())
-				if optProblem := handleRecordRoute(header.IPv4OptionRecordRoute(newBuffer), localAddress, usage); optProblem != nil {
-					optProblem.Pointer += optIter.ErrCursor
-					return nil, optProblem
+			case *header.IPv4OptionRecordRoute:
+				stats.OptionRecordRouteReceived.Increment()
+				optionsProcessed.recordRoute = true
+				if usage.actions().recordRoute != optionRemove {
+					newBuffer := optIter.InitReplacement(option)
+					optProblem := handleRecordRoute(header.IPv4OptionRecordRoute(newBuffer), localAddress, usage)
+					return len(newBuffer), optProblem
 				}
-				optIter.ConsumeBuffer(optLen)
-			}
 
-		default:
-			stats.OptionUnknownReceived.Increment()
-			if usage.actions().unknown == optionPass {
-				newBuffer := optIter.RemainingBuffer()[:optLen]
-				// Arguments already heavily checked.. ignore result.
-				_ = copy(newBuffer, option.Contents())
-				optIter.ConsumeBuffer(optLen)
+			case *header.IPv4OptionRouterAlert:
+				stats.OptionRouterAlertReceived.Increment()
+				optionsProcessed.routerAlert = true
+				if usage.actions().routerAlert != optionRemove {
+					newBuffer := optIter.InitReplacement(option)
+					optProblem := handleRouterAlert(header.IPv4OptionRouterAlert(newBuffer))
+					return len(newBuffer), optProblem
+				}
+
+			default:
+				stats.OptionUnknownReceived.Increment()
+				if usage.actions().unknown == optionPass {
+					return len(optIter.InitReplacement(option)), nil
+				}
 			}
+			return 0, nil
+		}()
+
+		if optProblem != nil {
+			optProblem.Pointer += optIter.ErrCursor
+			return nil, optionTracker{}, optProblem
 		}
+		optIter.ConsumeBuffer(optLen)
 	}
 }
diff --git a/pkg/tcpip/tcpip.go b/pkg/tcpip/tcpip.go
index ba063dc26..01a4389e3 100644
--- a/pkg/tcpip/tcpip.go
+++ b/pkg/tcpip/tcpip.go
@@ -1581,11 +1581,16 @@ type IPStats struct {
 	// the Output chain.
 	IPTablesOutputDropped *StatCounter
 
-	// OptionTSReceived is the number of Timestamp options seen.
-	OptionTSReceived *StatCounter
+	// TODO(https://gvisor.dev/issues/5529): Move the IPv4-only option stats out
+	// of IPStats.
+	// OptionTimestampReceived is the number of Timestamp options seen.
+	OptionTimestampReceived *StatCounter
 
-	// OptionRRReceived is the number of Record Route options seen.
-	OptionRRReceived *StatCounter
+	// OptionRecordRouteReceived is the number of Record Route options seen.
+	OptionRecordRouteReceived *StatCounter
+
+	// OptionRouterAlertReceived is the number of Router Alert options seen.
+	OptionRouterAlertReceived *StatCounter
 
 	// OptionUnknownReceived is the number of unknown IP options seen.
 	OptionUnknownReceived *StatCounter