From 2ce85919bbba9e29ee85508abb4ba0c662c2b080 Mon Sep 17 00:00:00 2001
From: Gleb Smirnoff <glebius@FreeBSD.org>
Date: Fri, 12 Nov 2021 09:00:33 -0800
Subject: [PATCH] Add net.inet.ip.source_address_validation

Drop packets arriving from the network that have our source IP
address.  If maliciously crafted they can create evil effects
like an RST exchange between two of our listening TCP ports.
Such packets just can't be legitimate.  Enable the tunable
by default.  Long time due for a modern Internet host.

Reviewed by:		donner, melifaro
Differential revision:	https://reviews.freebsd.org/D32914
---
 share/man/man4/inet.4  |  8 ++++++++
 sys/netinet/ip_input.c | 16 ++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/share/man/man4/inet.4 b/share/man/man4/inet.4
index 7a8a653dff25..dbab301302b1 100644
--- a/share/man/man4/inet.4
+++ b/share/man/man4/inet.4
@@ -219,6 +219,14 @@ or destination address rewriting
 .Xr pfil 4
 filters may override and bypass this check.
 Disabled by default.
+.It Va ip.source_address_validation
+Boolean: perform source address validation for packets destined for the local
+host.
+Consider this as following Section 3.2 of RFC3704/BCP84, where we treat local
+host as our own infrastructure.
+This has no effect on packets to be forwarded, so don't consider it as
+anti-spoof feature for a router.
+Enabled by default.
 .It Va ip.rfc6864
 Boolean: control IP IDs generation behaviour.
 True value enables RFC6864 support, which specifies that IP ID field of
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index a678c15caad5..9db1f8c6f2e7 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -124,6 +124,12 @@ SYSCTL_BOOL(_net_inet_ip, OID_AUTO, rfc1122_strong_es,
     CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip_strong_es), false,
     "Packet's IP destination address must match address on arrival interface");
 
+VNET_DEFINE_STATIC(bool, ip_sav) = true;
+#define	V_ip_sav	VNET(ip_sav)
+SYSCTL_BOOL(_net_inet_ip, OID_AUTO, source_address_validation,
+    CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip_sav), true,
+    "Drop incoming packets with source address that is a local address");
+
 VNET_DEFINE(pfil_head_t, inet_pfil_head);	/* Packet filter hooks */
 
 static struct netisr_handler ip_nh = {
@@ -683,6 +689,16 @@ ip_input(struct mbuf *m)
 			goto bad;
 		}
 
+		/*
+		 * net.inet.ip.source_address_validation: drop incoming
+		 * packets that pretend to be ours.
+		 */
+		if (V_ip_sav && !(ifp->if_flags & IFF_LOOPBACK) &&
+		    __predict_false(in_localip_fib(ip->ip_src, ifp->if_fib))) {
+			IPSTAT_INC(ips_badaddr);
+			goto bad;
+		}
+
 		counter_u64_add(ia->ia_ifa.ifa_ipackets, 1);
 		counter_u64_add(ia->ia_ifa.ifa_ibytes, m->m_pkthdr.len);
 		goto ours;