* [PATCH net-next] net ipv6: Prevent neighbor add if protocol is disabled on device
@ 2019-04-17 0:31 David Ahern
From: David Ahern @ 2019-04-17 0:31 UTC (permalink / raw)
To: davem; +Cc: netdev, roopa, David Ahern
From: David Ahern <dsahern@gmail.com>
Disabling IPv6 on an interface removes existing entries but nothing prevents
new entries from being manually added. To that end, add a new neigh_table
operation, allow_add, that is called on RTM_NEWNEIGH to see if neighbor
entries are allowed on a given device. If IPv6 is disabled on the device,
allow_add returns false and passes a message back to the user via extack.
$ echo 1 > /proc/sys/net/ipv6/conf/eth1/disable_ipv6
$ ip -6 neigh add fe80::4c88:bff:fe21:2704 dev eth1 lladdr de:ad:be:ef:01:01
Error: IPv6 is disabled on this device.
Signed-off-by: David Ahern <dsahern@gmail.com>
---
include/net/neighbour.h | 2 ++
net/core/neighbour.c | 5 +++++
net/ipv6/ndisc.c | 17 +++++++++++++++++
3 files changed, 24 insertions(+)
diff --git a/include/net/neighbour.h b/include/net/neighbour.h
index 3e5438bd0101..50a67bd6a434 100644
--- a/include/net/neighbour.h
+++ b/include/net/neighbour.h
@@ -205,6 +205,8 @@ struct neigh_table {
int (*pconstructor)(struct pneigh_entry *);
void (*pdestructor)(struct pneigh_entry *);
void (*proxy_redo)(struct sk_buff *skb);
+ bool (*allow_add)(const struct net_device *dev,
+ struct netlink_ext_ack *extack);
char *id;
struct neigh_parms parms;
struct list_head parms_list;
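Review bot: The new `allow_add` callback is added to `struct neigh_table` without a comment stating its contract, which matters because neighbour.c treats a false return as a hard refusal of the RTM_NEWNEIGH request and expects the callback to fill in extack itself. I would add above the two new lines `/* Optional: return false (and set extack) to refuse RTM_NEWNEIGH for dev. Called from the netlink doit path, i.e. with rtnl held. */` so that future tables implementing it know they are responsible for the error message. The rtnl claim is inferred from the `/* called with rtnl held */` comment on the ndisc implementation rather than from this hunk, so it should be confirmed against neigh_add's registration before being written down.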
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 30f6fd8f68e0..997cfa8f99ba 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -1920,6 +1920,11 @@ static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh,
goto out;
}
+ if (tbl->allow_add && !tbl->allow_add(dev, extack)) {
+ err = -EINVAL;
+ goto out;
+ }
+
neigh = neigh_lookup(tbl, dst, dev);
if (neigh == NULL) {
bool exempt_from_gc;
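Review bot: The `allow_add` check is inserted after the `goto out` on the line above, which appears to be the end of an earlier branch in neigh_add; if that earlier branch is the NTF_PROXY path (pneigh_lookup with creat=1, then `goto out`), proxy neighbour entries for a device with IPv6 disabled are still accepted, so the "nothing prevents new entries from being manually added" problem in the description is only partly closed. If that is the intent it is worth a sentence in the commit message; otherwise the check should also be applied before the proxy lookup, e.g. hoisting `if (tbl->allow_add && !tbl->allow_add(dev, extack)) { err = -EINVAL; goto out; }` to just after `dev` is resolved, guarded by `dev != NULL`. A secondary nit: `-EINVAL` is returned for what is really a device-state refusal, and `-ENODEV` or `-EOPNOTSUPP` might be less surprising to callers that distinguish malformed requests from unsupported ones. neigh_add starts and ends outside this hunk, so the position of the proxy branch is inferred, not visible.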
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 66c8b294e02b..4c8e2ea8bf19 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -77,6 +77,8 @@ static u32 ndisc_hash(const void *pkey,
const struct net_device *dev,
__u32 *hash_rnd);
static bool ndisc_key_eq(const struct neighbour *neigh, const void *pkey);
+static bool ndisc_allow_add(const struct net_device *dev,
+ struct netlink_ext_ack *extack);
static int ndisc_constructor(struct neighbour *neigh);
static void ndisc_solicit(struct neighbour *neigh, struct sk_buff *skb);
static void ndisc_error_report(struct neighbour *neigh, struct sk_buff *skb);
@@ -117,6 +119,7 @@ struct neigh_table nd_tbl = {
.pconstructor = pndisc_constructor,
.pdestructor = pndisc_destructor,
.proxy_redo = pndisc_redo,
+ .allow_add = ndisc_allow_add,
.id = "ndisc_cache",
.parms = {
.tbl = &nd_tbl,
@@ -392,6 +395,20 @@ static void pndisc_destructor(struct pneigh_entry *n)
ipv6_dev_mc_dec(dev, &maddr);
}
+/* called with rtnl held */
+static bool ndisc_allow_add(const struct net_device *dev,
+ struct netlink_ext_ack *extack)
+{
+ struct inet6_dev *idev = __in6_dev_get(dev);
+
+ if (!idev || idev->cnf.disable_ipv6) {
+ NL_SET_ERR_MSG(extack, "IPv6 is disabled on this device");
+ return false;
+ }
+
+ return true;
+}
+
static struct sk_buff *ndisc_alloc_skb(struct net_device *dev,
int len)
{
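Review bot: `ndisc_allow_add` relies on rtnl for both `__in6_dev_get(dev)` (the lockless variant, which needs rcu or rtnl) and for reading `idev->cnf.disable_ipv6` consistently with the sysctl writer, but that dependency is only recorded in the `/* called with rtnl held */` comment. Replacing the comment with an executable check, `ASSERT_RTNL();` as the first statement of the function, makes the assumption self-enforcing and catches a future caller that reaches the callback from a path without rtnl. The `!idev` case is correctly folded into the same refusal, which is fine since a device with no inet6_dev cannot have IPv6 neighbours either; the error text could reflect that (e.g. "IPv6 is disabled or not configured on this device"), though that is cosmetic. ndisc_alloc_skb begins on the last line of this hunk and its body lies outside it.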
--
2.11.0
* Re: [PATCH net-next] net ipv6: Prevent neighbor add if protocol is disabled on device
@ 2019-04-18 6:19 ` David Miller
From: David Miller @ 2019-04-18 6:19 UTC (permalink / raw)
To: dsahern; +Cc: netdev, roopa, dsahern
From: David Ahern <dsahern@kernel.org>
Date: Tue, 16 Apr 2019 17:31:43 -0700
> From: David Ahern <dsahern@gmail.com>
>
> Disabling IPv6 on an interface removes existing entries but nothing prevents
> new entries from being manually added. To that end, add a new neigh_table
> operation, allow_add, that is called on RTM_NEWNEIGH to see if neighbor
> entries are allowed on a given device. If IPv6 is disabled on the device,
> allow_add returns false and passes a message back to the user via extack.
>
> $ echo 1 > /proc/sys/net/ipv6/conf/eth1/disable_ipv6
> $ ip -6 neigh add fe80::4c88:bff:fe21:2704 dev eth1 lladdr de:ad:be:ef:01:01
> Error: IPv6 is disabled on this device.
>
> Signed-off-by: David Ahern <dsahern@gmail.com>
Also applied, thanks.