[PATCH net-next v4 7/7] ipv6: Document enforce_ext_hdr_order sysctl

[PATCH net-next v4 0/7] ipv6: Address ext hdr DoS vulnerabilities · Tom Herbert <hidden> · 2026-01-21
[PATCH net-next v4 1/7] ipv6: Check of max HBH or DestOp sysctl is zero and drop if it is · Tom Herbert <hidden> · 2026-01-21
Re: [PATCH net-next v4 1/7] ipv6: Check of max HBH or DestOp sysctl is zero and drop if it is · Justin Iurman <justin.iurman@gmail.com> · 2026-01-23
[PATCH net-next v4 2/7] ipv6: Cleanup IPv6 TLV definitions · Tom Herbert <hidden> · 2026-01-21
Re: [PATCH net-next v4 2/7] ipv6: Cleanup IPv6 TLV definitions · Justin Iurman <justin.iurman@gmail.com> · 2026-01-23
[PATCH net-next v4 3/7] ipv6: Add case for IPV6_TLV_TNL_ENCAP_LIMIT in EH TLV switch · Tom Herbert <hidden> · 2026-01-21
[PATCH net-next v4 4/7] ipv6: Set HBH and DestOpt limits to 2 · Tom Herbert <hidden> · 2026-01-21
[PATCH net-next v4 5/7] ipv6: Document defaults for max_{dst|hbh}_opts_number sysctls · Tom Herbert <hidden> · 2026-01-21
[PATCH net-next v4 6/7] ipv6: Enforce Extension Header ordering · Tom Herbert <hidden> · 2026-01-21
Re: [PATCH net-next v4 6/7] ipv6: Enforce Extension Header ordering · Justin Iurman <justin.iurman@gmail.com> · 2026-01-23
Re: [PATCH net-next v4 6/7] ipv6: Enforce Extension Header ordering · Tom Herbert <hidden> · 2026-01-26
Re: [PATCH net-next v4 6/7] ipv6: Enforce Extension Header ordering · Justin Iurman <justin.iurman@gmail.com> · 2026-01-26
Re: [PATCH net-next v4 6/7] ipv6: Enforce Extension Header ordering · Tom Herbert <hidden> · 2026-01-26
[PATCH net-next v4 7/7] ipv6: Document enforce_ext_hdr_order sysctl · Tom Herbert <hidden> · 2026-01-21

STALE151d

Revisions (7)

2026-01-19 v3 [diff vs current]
2026-01-21 v4 current
2026-01-26 v5 [diff vs current]
2026-02-03 v6 [diff vs current]
2026-02-04 v7 [diff vs current]
2026-03-14 v9 [diff vs current]
2026-05-04 v10 [diff vs current]

From: Tom Herbert <hidden>
Date: 2026-01-21 21:50:05
Subsystem: documentation, networking [general], the rest · Maintainers: Jonathan Corbet, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Linus Torvalds

Document the enforce_ext_hdr_order sysctl that controls whether
Extension Header order is enforced on receive.

Signed-off-by: Tom Herbert <redacted>
---
 Documentation/networking/ip-sysctl.rst | 29 ++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
index 5051fe653c96..f8fa9f67b2ed 100644
--- a/Documentation/networking/ip-sysctl.rst
+++ b/Documentation/networking/ip-sysctl.rst

@@ -2581,6 +2581,35 @@ ioam6_id_wide - LONG INTEGER
 
         Default: 0xFFFFFFFFFFFFFF
 
+enforce_ext_hdr_order - BOOLEAN
+	Enforce recommended Extension Header ordering in RFC8200.
+	If the sysctl is set to 1 then the ordering the ordering is
+	enforced in received packets and each Extension Header
+	may be present at most once per packet. If the sysctl is
+	set to 0 then ordering is not enforced and Extension Headers
+	may be present in any order and have any number of
+	occurences per packet (except for Hop-by-Hop Options). Also,
+	if the sysctl is set then Destination Options before the
+	Routing header are disllowed.
+
+	The Extension Header order is:
+
+	    IPv6 header
+	    Hop-by-Hop Options header
+	    Routing header
+	    Fragment header
+	    Authentication header
+	    Encapsulating Security Payload header
+	    Destination Options header
+	    Upper-Layer header
+
+	Possible values:
+
+	- 0 (disabled)
+	- 1 (enabled)
+
+	Default: 1 (enabled)
+
 IPv6 Fragmentation:
 
 ip6frag_high_thresh - INTEGER

-- 
2.43.0

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help