All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH net-next 0/2] do not allow to add routes if disable_ipv6 is enabled
@ 2018-03-27 17:11 Lorenzo Bianconi
  2018-03-27 17:11 ` [PATCH net-next 1/2] ipv6: do not set routes if disable_ipv6 has been enabled Lorenzo Bianconi
  2018-03-27 17:11 ` [PATCH net-next 2/2] Documentation: ip-sysctl.txt: clarify disable_ipv6 Lorenzo Bianconi
  0 siblings, 2 replies; 5+ messages in thread
From: Lorenzo Bianconi @ 2018-03-27 17:11 UTC (permalink / raw)
  To: davem; +Cc: netdev

Do not allow userspace to add static ipv6 routes if disable_ipv6 is enabled.
Update disable_ipv6 documentation according to that change

Lorenzo Bianconi (2):
  ipv6: do not set routes if disable_ipv6 has been enabled
  Documentation: ip-sysctl.txt: clarify disable_ipv6

 Documentation/networking/ip-sysctl.txt | 4 +++-
 net/ipv6/route.c                       | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)

-- 
2.14.3

^ permalink raw reply	[flat|nested] 5+ messages in thread
* [PATCH net-next 1/2] ipv6: do not set routes if disable_ipv6 has been enabled
  2018-03-27 17:11 [PATCH net-next 0/2] do not allow to add routes if disable_ipv6 is enabled Lorenzo Bianconi
@ 2018-03-27 17:11 ` Lorenzo Bianconi
  2018-03-28 19:12   ` David Ahern
  2018-03-27 17:11 ` [PATCH net-next 2/2] Documentation: ip-sysctl.txt: clarify disable_ipv6 Lorenzo Bianconi
  1 sibling, 1 reply; 5+ messages in thread
From: Lorenzo Bianconi @ 2018-03-27 17:11 UTC (permalink / raw)
  To: davem; +Cc: netdev

Do not allow to set ipv6 routes from userspace if disable_ipv6 has been
enabled. The issue can be triggered using the following reproducer:

- sysctl net.ipv6.conf.all.disable_ipv6=1
- ip -6 route add a:b:c:d::/64 dev em1
- ip -6 route show
  a:b:c:d::/64 dev em1 metric 1024 pref medium

Fix it checking disable_ipv6 value in ip6_route_info_create routine

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
---
 net/ipv6/route.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 1d0eaa69874d..672fd7fdb037 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2917,6 +2917,11 @@ static struct rt6_info *ip6_route_info_create(struct fib6_config *cfg,
 	if (!dev)
 		goto out;
 
+	if (idev->cnf.disable_ipv6) {
+		err = -EACCES;
+		goto out;
+	}
+
 	if (!(dev->flags & IFF_UP)) {
 		NL_SET_ERR_MSG(extack, "Nexthop device is not up");
 		err = -ENETDOWN;
-- 
2.14.3

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* [PATCH net-next 2/2] Documentation: ip-sysctl.txt: clarify disable_ipv6
  2018-03-27 17:11 [PATCH net-next 0/2] do not allow to add routes if disable_ipv6 is enabled Lorenzo Bianconi
  2018-03-27 17:11 ` [PATCH net-next 1/2] ipv6: do not set routes if disable_ipv6 has been enabled Lorenzo Bianconi
@ 2018-03-27 17:11 ` Lorenzo Bianconi
  1 sibling, 0 replies; 5+ messages in thread
From: Lorenzo Bianconi @ 2018-03-27 17:11 UTC (permalink / raw)
  To: davem; +Cc: netdev

Clarify that when disable_ipv6 is enabled even the ipv6 routes
are deleted for the selected interface and from now it will not
be possible to add addresses/routes to that interface

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
---
 Documentation/networking/ip-sysctl.txt | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index 1d1120753ae8..33f35f049ad5 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1703,7 +1703,9 @@ disable_ipv6 - BOOLEAN
 	interface and start Duplicate Address Detection, if necessary.
 
 	When this value is changed from 0 to 1 (IPv6 is being disabled),
-	it will dynamically delete all address on the given interface.
+	it will dynamically delete all addresses and routes on the given
+	interface. From now on it will not possible to add addresses/routes
+	to the selected interface.
 
 accept_dad - INTEGER
 	Whether to accept DAD (Duplicate Address Detection).
-- 
2.14.3

^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH net-next 1/2] ipv6: do not set routes if disable_ipv6 has been enabled
  2018-03-27 17:11 ` [PATCH net-next 1/2] ipv6: do not set routes if disable_ipv6 has been enabled Lorenzo Bianconi
@ 2018-03-28 19:12   ` David Ahern
  2018-03-29  8:19     ` Lorenzo Bianconi
  0 siblings, 1 reply; 5+ messages in thread
From: David Ahern @ 2018-03-28 19:12 UTC (permalink / raw)
  To: Lorenzo Bianconi, davem; +Cc: netdev

On 3/27/18 11:11 AM, Lorenzo Bianconi wrote:
> Do not allow to set ipv6 routes from userspace if disable_ipv6 has been
> enabled. The issue can be triggered using the following reproducer:
> 
> - sysctl net.ipv6.conf.all.disable_ipv6=1
> - ip -6 route add a:b:c:d::/64 dev em1
> - ip -6 route show
>   a:b:c:d::/64 dev em1 metric 1024 pref medium
> 
> Fix it checking disable_ipv6 value in ip6_route_info_create routine
> 
> Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
> ---
>  net/ipv6/route.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/net/ipv6/route.c b/net/ipv6/route.c
> index 1d0eaa69874d..672fd7fdb037 100644
> --- a/net/ipv6/route.c
> +++ b/net/ipv6/route.c
> @@ -2917,6 +2917,11 @@ static struct rt6_info *ip6_route_info_create(struct fib6_config *cfg,
>  	if (!dev)
>  		goto out;
>  
> +	if (idev->cnf.disable_ipv6) {
> +		err = -EACCES;

you need an extack message telling the user that IPv6 is disabled on the
nexthop device.

> +		goto out;
> +	}
> +
>  	if (!(dev->flags & IFF_UP)) {
>  		NL_SET_ERR_MSG(extack, "Nexthop device is not up");
>  		err = -ENETDOWN;
> 

^ permalink raw reply	[flat|nested] 5+ messages in thread
* Re: [PATCH net-next 1/2] ipv6: do not set routes if disable_ipv6 has been enabled
  2018-03-28 19:12   ` David Ahern
@ 2018-03-29  8:19     ` Lorenzo Bianconi
  0 siblings, 0 replies; 5+ messages in thread
From: Lorenzo Bianconi @ 2018-03-29  8:19 UTC (permalink / raw)
  To: David Ahern; +Cc: davem, netdev

> On 3/27/18 11:11 AM, Lorenzo Bianconi wrote:
> > Do not allow to set ipv6 routes from userspace if disable_ipv6 has been
> > enabled. The issue can be triggered using the following reproducer:
> > 
> > - sysctl net.ipv6.conf.all.disable_ipv6=1
> > - ip -6 route add a:b:c:d::/64 dev em1
> > - ip -6 route show
> >   a:b:c:d::/64 dev em1 metric 1024 pref medium
> > 
> > Fix it checking disable_ipv6 value in ip6_route_info_create routine
> > 
> > Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
> > ---
> >  net/ipv6/route.c | 5 +++++
> >  1 file changed, 5 insertions(+)
> > 
> > diff --git a/net/ipv6/route.c b/net/ipv6/route.c
> > index 1d0eaa69874d..672fd7fdb037 100644
> > --- a/net/ipv6/route.c
> > +++ b/net/ipv6/route.c
> > @@ -2917,6 +2917,11 @@ static struct rt6_info *ip6_route_info_create(struct fib6_config *cfg,
> >  	if (!dev)
> >  		goto out;
> >  
> > +	if (idev->cnf.disable_ipv6) {
> > +		err = -EACCES;
> 
> you need an extack message telling the user that IPv6 is disabled on the
> nexthop device.
> 

Ack, will do in v2.

Regards,
Lorenzo

> > +		goto out;
> > +	}
> > +
> >  	if (!(dev->flags & IFF_UP)) {
> >  		NL_SET_ERR_MSG(extack, "Nexthop device is not up");
> >  		err = -ENETDOWN;
> > 
> 

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2018-03-29  8:19 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-03-27 17:11 [PATCH net-next 0/2] do not allow to add routes if disable_ipv6 is enabled Lorenzo Bianconi
2018-03-27 17:11 ` [PATCH net-next 1/2] ipv6: do not set routes if disable_ipv6 has been enabled Lorenzo Bianconi
2018-03-28 19:12   ` David Ahern
2018-03-29  8:19     ` Lorenzo Bianconi
2018-03-27 17:11 ` [PATCH net-next 2/2] Documentation: ip-sysctl.txt: clarify disable_ipv6 Lorenzo Bianconi

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.