author | Ghanan Gowripalan <ghanan@google.com> | 2021-03-23 09:54:57 -0700 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2021-03-23 09:57:01 -0700 |
commit | 409a11445442488ec7e0397372a673910062fa5f (patch) | |
tree | 16a555f5a33f591afc94105e1fc7e69e6b263a2c /pkg/tcpip/network | |
parent | 7dbd6924a3f428d9b8698a5a7bf2707539722b6f (diff) |
Explicitly allow martian loopback packets
...instead of opting out of them.
Loopback traffic should be stack-local but gVisor has some clients
that depend on the ability to receive loopback traffic that originated
from outside of the stack. Because of this, we guard this change behind
IP protocol options.
A previous change provided the facility to deny these martian loopback
packets, but this change requires clients to opt in to accepting them,
as martian loopback packets are not meant to be accepted, as per
RFC 1122 section 3.2.1.3.g:
(g) { 127, <any> }
Internal host loopback address. Addresses of this form
MUST NOT appear outside a host.
PiperOrigin-RevId: 364581174
Diffstat (limited to 'pkg/tcpip/network')
-rw-r--r-- | pkg/tcpip/network/ipv4/ipv4.go | 8 | ||||
-rw-r--r-- | pkg/tcpip/network/ipv6/ipv6.go | 8 |
2 files changed, 8 insertions, 8 deletions
diff --git a/pkg/tcpip/network/ipv4/ipv4.go b/pkg/tcpip/network/ipv4/ipv4.go
index a43107d30..a1660e9a3 100644
--- a/pkg/tcpip/network/ipv4/ipv4.go
+++ b/pkg/tcpip/network/ipv4/ipv4.go
@@ -641,7 +641,7 @@ func (e *endpoint) HandlePacket(pkt *stack.PacketBuffer) {
 }
 if !e.nic.IsLoopback() {
- if e.protocol.options.DropExternalLoopbackTraffic {
+ if !e.protocol.options.AllowExternalLoopbackTraffic {
 if header.IsV4LoopbackAddress(h.SourceAddress()) {
 stats.InvalidSourceAddressesReceived.Increment()
 return
@@ -1230,9 +1230,9 @@ type Options struct {
 // IGMP holds options for IGMP.
 IGMP IGMPOptions
- // DropExternalLoopbackTraffic indicates that inbound loopback packets (i.e.
- // martian loopback packets) should be dropped.
- DropExternalLoopbackTraffic bool
+ // AllowExternalLoopbackTraffic indicates that inbound loopback packets (i.e.
+ // martian loopback packets) should be accepted.
+ AllowExternalLoopbackTraffic bool
 }
 // NewProtocolWithOptions returns an IPv4 network protocol.
diff --git a/pkg/tcpip/network/ipv6/ipv6.go b/pkg/tcpip/network/ipv6/ipv6.go
index b94cb428f..83e98bab9 100644
--- a/pkg/tcpip/network/ipv6/ipv6.go
+++ b/pkg/tcpip/network/ipv6/ipv6.go
@@ -931,7 +931,7 @@ func (e *endpoint) HandlePacket(pkt *stack.PacketBuffer) {
 }
 if !e.nic.IsLoopback() {
- if e.protocol.options.DropExternalLoopbackTraffic {
+ if !e.protocol.options.AllowExternalLoopbackTraffic {
 if header.IsV6LoopbackAddress(h.SourceAddress()) {
 stats.InvalidSourceAddressesReceived.Increment()
 return
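Review bot: In ipv4.go's HandlePacket, only `h.SourceAddress()` is tested against the loopback range under `if !e.protocol.options.AllowExternalLoopbackTraffic {`, as far as this hunk shows; a packet arriving on a non-loopback NIC with a loopback destination is just as martian under the RFC 1122 text cited in the commit message. HandlePacket starts and ends outside the hunk, so a destination check may already follow; if it does not, add one next to the source check, e.g. `if header.IsV4LoopbackAddress(h.DestinationAddress()) {` with its own drop counter. The ipv6.go HandlePacket hunk has the same shape with `header.IsV6LoopbackAddress`. A why-comment above the option test would also help readers past the double negation: `// Loopback addresses must not appear on the wire (RFC 1122 3.2.1.3.g); drop unless the client opted in.`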
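Review bot: The doc comment on `AllowExternalLoopbackTraffic` in ipv4.go's `Options` does not state that the zero value now drops these packets, nor what enabling it exposes. Because the field's sense is inverted, callers that left the old `DropExternalLoopbackTraffic` unset move from accepting to dropping without any compile error, and callers that set the new field let off-host senders present a loopback source address to anything in the stack that treats loopback peers as local. I would word it as `// AllowExternalLoopbackTraffic, when true, accepts packets received on a non-loopback NIC that carry a loopback source address. The zero value drops them, per RFC 1122 section 3.2.1.3.g; enable only for clients that need it.` The `Options` hunk in ipv6.go carries the same comment and should get the same wording.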
@@ -2071,9 +2071,9 @@ type Options struct {
 // DADConfigs holds the default DAD configurations used by IPv6 endpoints.
 DADConfigs stack.DADConfigurations
- // DropExternalLoopbackTraffic indicates that inbound loopback packets (i.e.
- // martian loopback packets) should be dropped.
- DropExternalLoopbackTraffic bool
+ // AllowExternalLoopbackTraffic indicates that inbound loopback packets (i.e.
+ // martian loopback packets) should be accepted.
+ AllowExternalLoopbackTraffic bool
 }
 // NewProtocolWithOptions returns an IPv6 network protocol. |