[PATCH] net: relax PKTINFO non local ipv6 udp xmit check

[PATCH] net: relax PKTINFO non local ipv6 udp xmit check

[Maciej Żenczykowski]

From: Maciej Żenczykowski <maze@google.com>

Allow transparent sockets to be less restrictive about
the source ip of ipv6 udp packets being sent.

Google-Bug-Id: 5018138
Signed-off-by: Maciej Żenczykowski <maze@google.com>
CC: "Erik Kline" <ek@google.com>
CC: "Lorenzo Colitti" <lorenzo@google.com>
---
 include/net/transp_v6.h  |    1 +
 net/ipv6/datagram.c      |    5 +++--
 net/ipv6/ip6_flowlabel.c |    2 +-
 net/ipv6/ipv6_sockglue.c |    2 +-
 net/ipv6/raw.c           |    2 +-
 net/ipv6/udp.c           |    2 +-
 6 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/include/net/transp_v6.h b/include/net/transp_v6.h
index 5271a74..498433d 100644
--- a/include/net/transp_v6.h
+++ b/include/net/transp_v6.h
@@ -39,6 +39,7 @@ extern int			datagram_recv_ctl(struct sock *sk,
 						  struct sk_buff *skb);
 
 extern int			datagram_send_ctl(struct net *net,
+						  struct sock *sk,
 						  struct msghdr *msg,
 						  struct flowi6 *fl6,
 						  struct ipv6_txoptions *opt,
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index 9ef1831..03e20fa 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -599,7 +599,7 @@ int datagram_recv_ctl(struct sock *sk, struct msghdr *msg, struct sk_buff *skb)
 	return 0;
 }
 
-int datagram_send_ctl(struct net *net,
+int datagram_send_ctl(struct net *net, struct sock *sk,
 		      struct msghdr *msg, struct flowi6 *fl6,
 		      struct ipv6_txoptions *opt,
 		      int *hlimit, int *tclass, int *dontfrag)
@@ -658,7 +658,8 @@ int datagram_send_ctl(struct net *net,
 
 			if (addr_type != IPV6_ADDR_ANY) {
 				int strict = __ipv6_addr_src_scope(addr_type) <= IPV6_ADDR_SCOPE_LINKLOCAL;
-				if (!ipv6_chk_addr(net, &src_info->ipi6_addr,
+				if (!(sk && inet_sk(sk)->transparent) &&
+				    !ipv6_chk_addr(net, &src_info->ipi6_addr,
 						   strict ? dev : NULL, 0))
 					err = -EINVAL;
 				else
diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index f3caf1b..a896987 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -360,7 +360,7 @@ fl_create(struct net *net, struct in6_flowlabel_req *freq, char __user *optval,
 		msg.msg_control = (void*)(fl->opt+1);
 		memset(&flowi6, 0, sizeof(flowi6));
 
-		err = datagram_send_ctl(net, &msg, &flowi6, fl->opt, &junk,
+		err = datagram_send_ctl(net, NULL, &msg, &flowi6, fl->opt, &junk,
 					&junk, &junk);
 		if (err)
 			goto done;
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 147ede38..2fbda5f 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -475,7 +475,7 @@ sticky_done:
 		msg.msg_controllen = optlen;
 		msg.msg_control = (void*)(opt+1);
 
-		retv = datagram_send_ctl(net, &msg, &fl6, opt, &junk, &junk,
+		retv = datagram_send_ctl(net, sk, &msg, &fl6, opt, &junk, &junk,
 					 &junk);
 		if (retv)
 			goto done;
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index f34902f..131be5e 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -817,7 +817,7 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk,
 		memset(opt, 0, sizeof(struct ipv6_txoptions));
 		opt->tot_len = sizeof(struct ipv6_txoptions);
 
-		err = datagram_send_ctl(sock_net(sk), msg, &fl6, opt, &hlimit,
+		err = datagram_send_ctl(sock_net(sk), sk, msg, &fl6, opt, &hlimit,
 					&tclass, &dontfrag);
 		if (err < 0) {
 			fl6_sock_release(flowlabel);
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 35bbdc4..b0fb25c 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1090,7 +1090,7 @@ do_udp_sendmsg:
 		memset(opt, 0, sizeof(struct ipv6_txoptions));
 		opt->tot_len = sizeof(*opt);
 
-		err = datagram_send_ctl(sock_net(sk), msg, &fl6, opt, &hlimit,
+		err = datagram_send_ctl(sock_net(sk), sk, msg, &fl6, opt, &hlimit,
 					&tclass, &dontfrag);
 		if (err < 0) {
 			fl6_sock_release(flowlabel);
-- 
1.7.3.1

Re: [PATCH] net: relax PKTINFO non local ipv6 udp xmit check

[David Miller]

From: Maciej Żenczykowski <zenczykowski@gmail.com>
Date: Fri, 26 Aug 2011 14:56:28 -0700

> diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
> index f3caf1b..a896987 100644
> --- a/net/ipv6/ip6_flowlabel.c
> +++ b/net/ipv6/ip6_flowlabel.c
> @@ -360,7 +360,7 @@ fl_create(struct net *net, struct in6_flowlabel_req *freq, char __user *optval,
>  		msg.msg_control = (void*)(fl->opt+1);
>  		memset(&flowi6, 0, sizeof(flowi6));
>  
> -		err = datagram_send_ctl(net, &msg, &flowi6, fl->opt, &junk,
> +		err = datagram_send_ctl(net, NULL, &msg, &flowi6, fl->opt, &junk,
>  					&junk, &junk);
>  		if (err)
>  			goto done;

There is a socket associated with this fl_create() request, please
pass it into fl_create() from it's caller, and thus down into
datagram_send_ctl(), instead of just passing NULL.

Then, since a valid sk is always passed in, you can elide the NULL
check on 'sk' down at the bottom of these code paths.

Thanks.

[PATCH] net: relax PKTINFO non local ipv6 udp xmit check

[Maciej Żenczykowski]

From: Maciej Żenczykowski <maze@google.com>

Allow transparent sockets to be less restrictive about
the source ip of ipv6 udp packets being sent.

Google-Bug-Id: 5018138
Signed-off-by: Maciej Żenczykowski <maze@google.com>
CC: "Erik Kline" <ek@google.com>
CC: "Lorenzo Colitti" <lorenzo@google.com>
---
 include/net/transp_v6.h  |    1 +
 net/ipv6/datagram.c      |    5 +++--
 net/ipv6/ip6_flowlabel.c |    8 ++++----
 net/ipv6/ipv6_sockglue.c |    2 +-
 net/ipv6/raw.c           |    4 ++--
 net/ipv6/udp.c           |    4 ++--
 6 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/include/net/transp_v6.h b/include/net/transp_v6.h
index 5271a74..498433d 100644
--- a/include/net/transp_v6.h
+++ b/include/net/transp_v6.h
@@ -39,6 +39,7 @@ extern int			datagram_recv_ctl(struct sock *sk,
 						  struct sk_buff *skb);
 
 extern int			datagram_send_ctl(struct net *net,
+						  struct sock *sk,
 						  struct msghdr *msg,
 						  struct flowi6 *fl6,
 						  struct ipv6_txoptions *opt,
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index 9ef1831..b46e9f8 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -599,7 +599,7 @@ int datagram_recv_ctl(struct sock *sk, struct msghdr *msg, struct sk_buff *skb)
 	return 0;
 }
 
-int datagram_send_ctl(struct net *net,
+int datagram_send_ctl(struct net *net, struct sock *sk,
 		      struct msghdr *msg, struct flowi6 *fl6,
 		      struct ipv6_txoptions *opt,
 		      int *hlimit, int *tclass, int *dontfrag)
@@ -658,7 +658,8 @@ int datagram_send_ctl(struct net *net,
 
 			if (addr_type != IPV6_ADDR_ANY) {
 				int strict = __ipv6_addr_src_scope(addr_type) <= IPV6_ADDR_SCOPE_LINKLOCAL;
-				if (!ipv6_chk_addr(net, &src_info->ipi6_addr,
+				if (!inet_sk(sk)->transparent &&
+				    !ipv6_chk_addr(net, &src_info->ipi6_addr,
 						   strict ? dev : NULL, 0))
 					err = -EINVAL;
 				else
diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index f3caf1b..5430394 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -322,8 +322,8 @@ static int fl6_renew(struct ip6_flowlabel *fl, unsigned long linger, unsigned lo
 }
 
 static struct ip6_flowlabel *
-fl_create(struct net *net, struct in6_flowlabel_req *freq, char __user *optval,
-	  int optlen, int *err_p)
+fl_create(struct net *net, struct sock *sk, struct in6_flowlabel_req *freq,
+	  char __user *optval, int optlen, int *err_p)
 {
 	struct ip6_flowlabel *fl = NULL;
 	int olen;
@@ -360,7 +360,7 @@ fl_create(struct net *net, struct in6_flowlabel_req *freq, char __user *optval,
 		msg.msg_control = (void*)(fl->opt+1);
 		memset(&flowi6, 0, sizeof(flowi6));
 
-		err = datagram_send_ctl(net, &msg, &flowi6, fl->opt, &junk,
+		err = datagram_send_ctl(net, sk, &msg, &flowi6, fl->opt, &junk,
 					&junk, &junk);
 		if (err)
 			goto done;
@@ -528,7 +528,7 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen)
 		if (freq.flr_label & ~IPV6_FLOWLABEL_MASK)
 			return -EINVAL;
 
-		fl = fl_create(net, &freq, optval, optlen, &err);
+		fl = fl_create(net, sk, &freq, optval, optlen, &err);
 		if (fl == NULL)
 			return err;
 		sfl1 = kmalloc(sizeof(*sfl1), GFP_KERNEL);
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 147ede38..2fbda5f 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -475,7 +475,7 @@ sticky_done:
 		msg.msg_controllen = optlen;
 		msg.msg_control = (void*)(opt+1);
 
-		retv = datagram_send_ctl(net, &msg, &fl6, opt, &junk, &junk,
+		retv = datagram_send_ctl(net, sk, &msg, &fl6, opt, &junk, &junk,
 					 &junk);
 		if (retv)
 			goto done;
diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
index f34902f..3486f62 100644
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -817,8 +817,8 @@ static int rawv6_sendmsg(struct kiocb *iocb, struct sock *sk,
 		memset(opt, 0, sizeof(struct ipv6_txoptions));
 		opt->tot_len = sizeof(struct ipv6_txoptions);
 
-		err = datagram_send_ctl(sock_net(sk), msg, &fl6, opt, &hlimit,
-					&tclass, &dontfrag);
+		err = datagram_send_ctl(sock_net(sk), sk, msg, &fl6, opt,
+					&hlimit, &tclass, &dontfrag);
 		if (err < 0) {
 			fl6_sock_release(flowlabel);
 			return err;
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 35bbdc4..f4ca0a5 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1090,8 +1090,8 @@ do_udp_sendmsg:
 		memset(opt, 0, sizeof(struct ipv6_txoptions));
 		opt->tot_len = sizeof(*opt);
 
-		err = datagram_send_ctl(sock_net(sk), msg, &fl6, opt, &hlimit,
-					&tclass, &dontfrag);
+		err = datagram_send_ctl(sock_net(sk), sk, msg, &fl6, opt,
+					&hlimit, &tclass, &dontfrag);
 		if (err < 0) {
 			fl6_sock_release(flowlabel);
 			return err;
-- 
1.7.3.1

Re: [PATCH] net: relax PKTINFO non local ipv6 udp xmit check

[David Miller]

From: Maciej Żenczykowski <zenczykowski@gmail.com>
Date: Sun, 28 Aug 2011 15:35:31 -0700

> From: Maciej Żenczykowski <maze@google.com>
> 
> Allow transparent sockets to be less restrictive about
> the source ip of ipv6 udp packets being sent.
> 
> Google-Bug-Id: 5018138
> Signed-off-by: Maciej Żenczykowski <maze@google.com>

Applied, thanks a lot.

Re: [PATCH] net: relax PKTINFO non local ipv6 udp xmit check

[Maciej Żenczykowski]

On Sun, Aug 28, 2011 at 6:06 PM, David Miller <davem@davemloft.net> wrote:
> > Allow transparent sockets to be less restrictive about
> > the source ip of ipv6 udp packets being sent.
>
> Applied, thanks a lot.

FYI, I don't see this in either git repository:

http://git.kernel.org/?p=linux/kernel/git/davem/net.git;a=shortlog
http://git.kernel.org/?p=linux/kernel/git/davem/net-next.git;a=shortlog

I'd expect it to have shown up in net-next by now.

I'm also curious whether anyone knows of any good reason why
transparent sockets require CAP_NET_ADMIN instead of CAP_NET_RAW (or
either one of CAP_NET_{RAW|ADMIN}).

Maciej

Re: [PATCH] net: relax PKTINFO non local ipv6 udp xmit check

[David Miller]

From: Maciej Żenczykowski <zenczykowski@gmail.com>
Date: Tue, 30 Aug 2011 11:50:43 -0700

> On Sun, Aug 28, 2011 at 6:06 PM, David Miller <davem@davemloft.net> wrote:
> 
>> > Allow transparent sockets to be less restrictive about
>> > the source ip of ipv6 udp packets being sent.
>>
>> Applied, thanks a lot.
>>
> 
> FYI, I don't see this in either git repository:

It's in a repo on my machine at home, I'll push it out to 'net' when I
get home later today :-)