author | Eyal Soha <eyalsoha@google.com> | 2020-01-17 18:24:39 -0800 |
---|---|---|
committer | gVisor bot <gvisor-bot@google.com> | 2020-01-17 18:26:20 -0800 |
commit | 47d85257d3d015f0b9f7739c81af0ee9f510aaf5 (patch) | |
tree | e81113cd50046872d06104f0bd3c24ef7ee48275 /pkg/tcpip/tcpip.go | |
parent | f1a5178c589dbd9a1fe4f1b9fb943fbe64791b58 (diff) |
Filter out received packets with a local source IP address.
CERT Advisory CA-96.21 III. Solution advises that devices drop packets which
could not have correctly arrived on the wire, such as receiving a packet where
the source IP address is owned by the device that sent it.
Fixes #1507
PiperOrigin-RevId: 290378240
Diffstat (limited to 'pkg/tcpip/tcpip.go')
-rw-r--r-- | pkg/tcpip/tcpip.go | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/pkg/tcpip/tcpip.go b/pkg/tcpip/tcpip.go
index b7813cbc0..6243762e3 100644
--- a/pkg/tcpip/tcpip.go
+++ b/pkg/tcpip/tcpip.go
@@ -903,9 +903,13 @@ type IPStats struct {
  // link layer in nic.DeliverNetworkPacket.
  PacketsReceived *StatCounter
 
- // InvalidAddressesReceived is the total number of IP packets received
- // with an unknown or invalid destination address.
- InvalidAddressesReceived *StatCounter
+ // InvalidDestinationAddressesReceived is the total number of IP packets
+ // received with an unknown or invalid destination address.
+ InvalidDestinationAddressesReceived *StatCounter
+
+ // InvalidSourceAddressesReceived is the total number of IP packets received
+ // with a source address that should never have been received on the wire.
+ InvalidSourceAddressesReceived *StatCounter
 
  // PacketsDelivered is the total number of incoming IP packets that
  // are successfully delivered to the transport layer via HandlePacket. |
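Review bot: The doc comment on `InvalidSourceAddressesReceived` does not say which source addresses increment it; "should never have been received on the wire" leaves a reader of the stats guessing, while the commit description names the case (a source IP address owned by the receiving stack, per CERT Advisory CA-96.21). I would state that in the comment, e.g. `// InvalidSourceAddressesReceived is the total number of IP packets received` / `// with a source address owned by this stack (see CERT Advisory CA-96.21).`, so an operator can read a non-zero value as a likely spoofing or misrouting signal. Separately, `InvalidAddressesReceived` is an exported field, and the rename to `InvalidDestinationAddressesReceived` breaks any caller or metrics consumer keyed on the old name; the diff on this page is limited to tcpip.go, so whether those were updated cannot be confirmed here. The IPStats struct starts and ends outside the hunk.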