From 98fdb1a97fd1edc24e6409daaec4fc5b42df58e5 Mon Sep 17 00:00:00 2001 From: David Cermak Date: Tue, 16 Jul 2024 16:41:25 +0200 Subject: [PATCH] fix(lwip): Add default IPv6 input filter to drop traffic if ipv6 not assigned * Makes LWIP_HOOK_IP6_INPUT default to LWIP_HOOK_IP6_INPUT_DEFAULT * Updated the stub hook implementation to actually filter out all IPv6 packets if the input netif has no link local address. --- components/lwip/Kconfig | 10 ++++++--- .../lwip/port/hooks/lwip_default_hooks.c | 22 +++++++++++++++---- 2 files changed, 25 insertions(+), 7 deletions(-) diff --git a/components/lwip/Kconfig b/components/lwip/Kconfig index 4af717287b..c5e1b77de0 100644 --- a/components/lwip/Kconfig +++ b/components/lwip/Kconfig @@ -1295,11 +1295,15 @@ menu "LWIP" choice LWIP_HOOK_IP6_INPUT prompt "IPv6 packet input" depends on LWIP_IPV6 - default LWIP_HOOK_IP6_INPUT_NONE + default LWIP_HOOK_IP6_INPUT_DEFAULT help Enables custom IPv6 packet input. - Setting this to "default" provides weak implementation - stub that could be overwritten in application code. + Setting this to "default" provides weak IDF implementation, + which drops all incoming IPv6 traffic if the interface has no link local address. + (this default implementation is "weak" and could be still overwritten + in the application if some additional IPv6 input packet filtering is needed) + Setting this to "none" removes this default filter and conforms to the lwIP + implementation (which accepts multicasts even if the interface has no link local address) Setting this to "custom" provides hook's declaration only and expects the application to implement it. diff --git a/components/lwip/port/hooks/lwip_default_hooks.c b/components/lwip/port/hooks/lwip_default_hooks.c index ede43bdfc5..ce95169584 100644 --- a/components/lwip/port/hooks/lwip_default_hooks.c +++ b/components/lwip/port/hooks/lwip_default_hooks.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2020-2024 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -56,11 +56,25 @@ const ip_addr_t *__weak lwip_hook_ip6_select_source_address(struct netif *netif, #endif #ifdef CONFIG_LWIP_HOOK_IP6_INPUT_DEFAULT +/** + * @brief The default IPv6 input hook checks if we already have an IPv6 address (netif->ip6_addr[0] is link local), + * so we drop all incoming IPv6 packets if the input netif has no LL address. + * + * LWIP accepts IPv6 multicast packets even if the ip6_addr[] for the given address wasn't set, + * this may cause trouble if we enable IPv6 SLAAC (LWIP_IPV6_AUTOCONFIG), but have not created any LL address. + * If the router sends a packet to all nodes 0xff01::1 with RDNSS servers, it would be accepted and rewrite + * DNS server info with IPv6 values (which won't be routable without any IPv6 address assigned) + */ int __weak lwip_hook_ip6_input(struct pbuf *p, struct netif *inp) { - LWIP_UNUSED_ARG(p); - LWIP_UNUSED_ARG(inp); - + /* Check if the first IPv6 address (link-local) is unassigned (all zeros). + * If the address is empty, it indicates that no link-local address has been configured, + * and the interface should not accept incoming IPv6 traffic. */ + if (ip6_addr_isany(ip_2_ip6(&inp->ip6_addr[0]))) { + /* We don't have an LL address -> eat this packet here, so it won't get accepted on the input netif */ + pbuf_free(p); + return 1; + } return 0; } #endif