From 0233ce6217abbc515914b3a9da45f64f57859e96 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Tue, 30 Mar 2021 17:23:50 +0200 Subject: [PATCH] BUG/MINOR: tcp: fix silent-drop workaround for IPv6 As reported in github issue #1203 the TTL-based workaround that is used when permissions are insufficient for the TCP_REPAIR trick does not work for IPv6 because we're using only SOL_IP with IP_TTL. In IPv6 we have to use SOL_IPV6 and IPV6_UNICAST_HOPS. Let's pick the right one based on the source address's family. This may be backported to all versions. (cherry picked from commit ab79ee8b117dbb2c2872747e8119492e70506392) Signed-off-by: Willy Tarreau (cherry picked from commit 64300c5118f0e2cd40ccf1b6aa9d5f19ada0cdc9) [wt: this is in proto_tcp.c in 2.2] Signed-off-by: Willy Tarreau (cherry picked from commit 9650f63fb150e0f1c1bcb7012d59eff0ee61a868) Signed-off-by: Willy Tarreau
---
 src/proto_tcp.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index 33139b5..bd615a5 100644
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
@@ -1349,7 +1349,12 @@ static enum act_return tcp_exec_action_silent_drop(struct act_rule *rule, struct
 * network and has no effect on local net.
 */
 #ifdef IP_TTL
- setsockopt(conn->handle.fd, SOL_IP, IP_TTL, &one, sizeof(one));
+ if (conn->src && conn->src->ss_family == AF_INET)
+ setsockopt(conn->handle.fd, SOL_IP, IP_TTL, &one, sizeof(one));
+#endif
+#ifdef IPV6_UNICAST_HOPS
+ if (conn->src && conn->src->ss_family == AF_INET6)
+ setsockopt(conn->handle.fd, SOL_IPV6, IPV6_UNICAST_HOPS, &one, sizeof(one));
 #endif
 out:
 /* kill the stream if any */
-- 1.7.10.4
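Review bot: When `conn->src` is NULL neither new branch runs, so the TTL/hop-limit workaround is skipped silently even for IPv4, where the old code always issued the `IP_TTL` call. The hunk does not show whether the source address is guaranteed to be populated at this point. Writing the first test as `if (!conn->src || conn->src->ss_family == AF_INET)` would keep the previous behaviour when the family is unknown. Both `setsockopt()` results are also ignored, so a failure turns the silent drop into an ordinary close that the peer can observe, with no counter or log line for an operator to notice. It is also worth confirming how an IPv4-mapped peer on an IPv6 listener is reported here, since `AF_INET6` would then select `IPV6_UNICAST_HOPS` for traffic that leaves as IPv4. The function body starts and ends outside the hunk.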