From ab79ee8b117dbb2c2872747e8119492e70506392 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Tue, 30 Mar 2021 17:23:50 +0200 Subject: [PATCH] BUG/MINOR: tcp: fix silent-drop workaround for IPv6 As reported in github issue #1203 the TTL-based workaround that is used when permissions are insufficient for the TCP_REPAIR trick does not work for IPv6 because we're using only SOL_IP with IP_TTL. In IPv6 we have to use SOL_IPV6 and IPV6_UNICAST_HOPS. Let's pick the right one based on the source address's family. This may be backported to all versions.
---
 src/tcp_act.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/tcp_act.c b/src/tcp_act.c
index b3993f7de..3bb4ab86c 100644
--- a/src/tcp_act.c
+++ b/src/tcp_act.c
@@ -207,7 +207,12 @@ static enum act_return tcp_exec_action_silent_drop(struct act_rule *rule, struct
 * network and has no effect on local net.
 */
 #ifdef IP_TTL
- setsockopt(conn->handle.fd, SOL_IP, IP_TTL, &one, sizeof(one));
+ if (conn->src && conn->src->ss_family == AF_INET)
+ setsockopt(conn->handle.fd, SOL_IP, IP_TTL, &one, sizeof(one));
+#endif
+#ifdef IPV6_UNICAST_HOPS
+ if (conn->src && conn->src->ss_family == AF_INET6)
+ setsockopt(conn->handle.fd, SOL_IPV6, IPV6_UNICAST_HOPS, &one, sizeof(one));
 #endif
 out:
 /* kill the stream if any */
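Review bot: The new IPv6 branch is guarded by `#ifdef IPV6_UNICAST_HOPS` but passes `SOL_IPV6` as the level, and that macro is Linux-specific, so on platforms that define the option but not the level (the BSDs, macOS) this will likely fail to compile. The protocol numbers are the portable spelling: `setsockopt(conn->handle.fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &one, sizeof(one));`, and likewise `IPPROTO_IP` in place of `SOL_IP` for the `IP_TTL` call. Separately, when `conn->src` is NULL neither branch runs, whereas the removed line always set `IP_TTL`; if the source address can be unset at this point, the silent drop quietly degrades to an ordinary close that the peer can observe, and both `setsockopt()` results are ignored, so nothing reports it. A short comment stating that the workaround is best-effort and why a missing `conn->src` is acceptable here would help, for example `/* best effort: without a known source family the reset is sent with the default TTL */`. The body of `tcp_exec_action_silent_drop` starts and ends outside this hunk.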