From: Willy Tarreau Date: Tue, 30 Mar 2021 15:23:50 +0000 (+0200) Subject: BUG/MINOR: tcp: fix silent-drop workaround for IPv6 X-Git-Tag: v2.4-dev15~66 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ab79ee8b1;p=thirdparty%2Fhaproxy.git BUG/MINOR: tcp: fix silent-drop workaround for IPv6 As reported in github issue #1203 the TTL-based workaround that is used when permissions are insufficient for the TCP_REPAIR trick does not work for IPv6 because we're using only SOL_IP with IP_TTL. In IPv6 we have to use SOL_IPV6 and IPV6_UNICAST_HOPS. Let's pick the right one based on the source address's family. This may be backported to all versions. --- diff --git a/src/tcp_act.c b/src/tcp_act.c index b3993f7de5..3bb4ab86c4 100644 --- a/src/tcp_act.c +++ b/src/tcp_act.c @@ -207,7 +207,12 @@ static enum act_return tcp_exec_action_silent_drop(struct act_rule *rule, struct * network and has no effect on local net. */ #ifdef IP_TTL - setsockopt(conn->handle.fd, SOL_IP, IP_TTL, &one, sizeof(one)); + if (conn->src && conn->src->ss_family == AF_INET) + setsockopt(conn->handle.fd, SOL_IP, IP_TTL, &one, sizeof(one)); +#endif +#ifdef IPV6_UNICAST_HOPS + if (conn->src && conn->src->ss_family == AF_INET6) + setsockopt(conn->handle.fd, SOL_IPV6, IPV6_UNICAST_HOPS, &one, sizeof(one)); #endif out: /* kill the stream if any */
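Review bot: In the two new `if (conn->src && conn->src->ss_family == ...)` checks, a connection whose `conn->src` is NULL now gets neither option set, whereas the removed line applied `IP_TTL` unconditionally, so in that case the TTL workaround is skipped without any trace. If `conn->src` can be unset when this action runs, consider making sure the source address is populated before this block, or keeping the old unconditional `IP_TTL` call as the fallback when the family is unknown. A second point on the IPv6 branch: the guard is `#ifdef IPV6_UNICAST_HOPS` but the call passes `SOL_IPV6`, which is a different macro; unless a compatibility header guarantees `SOL_IPV6` wherever `IPV6_UNICAST_HOPS` exists, guard on both or use `IPPROTO_IPV6`. It is also worth confirming which family `conn->src` reports for an IPv4 client accepted on a dual-stack IPv6 listener, since only one of the two options is set per connection.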