* [PATCH net-next 0/2] do not allow to add routes if disable_ipv6 is enabled
@ 2018-03-27 17:11 Lorenzo Bianconi
2018-03-27 17:11 ` [PATCH net-next 1/2] ipv6: do not set routes if disable_ipv6 has been enabled Lorenzo Bianconi
2018-03-27 17:11 ` [PATCH net-next 2/2] Documentation: ip-sysctl.txt: clarify disable_ipv6 Lorenzo Bianconi
0 siblings, 2 replies; 5+ messages in thread
From: Lorenzo Bianconi @ 2018-03-27 17:11 UTC
To: davem; +Cc: netdev

Do not allow userspace to add static ipv6 routes if disable_ipv6 is enabled.
Update disable_ipv6 documentation according to that change

Lorenzo Bianconi (2):
  ipv6: do not set routes if disable_ipv6 has been enabled
  Documentation: ip-sysctl.txt: clarify disable_ipv6

 Documentation/networking/ip-sysctl.txt | 4 +++-
 net/ipv6/route.c                       | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)
--
2.14.3
* [PATCH net-next 1/2] ipv6: do not set routes if disable_ipv6 has been enabled
From: Lorenzo Bianconi @ 2018-03-27 17:11 UTC
To: davem; +Cc: netdev

Do not allow to set ipv6 routes from userspace if disable_ipv6 has been
enabled. The issue can be triggered using the following reproducer:

- sysctl net.ipv6.conf.all.disable_ipv6=1
- ip -6 route add a:b:c:d::/64 dev em1
- ip -6 route show
  a:b:c:d::/64 dev em1 metric 1024 pref medium

Fix it checking disable_ipv6 value in ip6_route_info_create routine

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
---
net/ipv6/route.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 1d0eaa69874d..672fd7fdb037 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2917,6 +2917,11 @@ static struct rt6_info *ip6_route_info_create(struct fib6_config *cfg,
if (!dev)
goto out;
+ if (idev->cnf.disable_ipv6) {
+ err = -EACCES;
+ goto out;
+ }
+
if (!(dev->flags & IFF_UP)) {
NL_SET_ERR_MSG(extack, "Nexthop device is not up");
err = -ENETDOWN;
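Review bot: The added idev->cnf.disable_ipv6 branch sets err = -EACCES and jumps to out without an extack message, while the IFF_UP check directly below it reports "Nexthop device is not up" through NL_SET_ERR_MSG. With the patch as posted, a route add on an interface with IPv6 disabled fails with a bare permission error that gives the operator no hint that disable_ipv6 is the cause. Add an NL_SET_ERR_MSG(extack, ...) line before the goto out saying that IPv6 is disabled on the nexthop device.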
--
2.14.3
* [PATCH net-next 2/2] Documentation: ip-sysctl.txt: clarify disable_ipv6
From: Lorenzo Bianconi @ 2018-03-27 17:11 UTC
To: davem; +Cc: netdev

Clarify that when disable_ipv6 is enabled even the ipv6 routes
are deleted for the selected interface and from now on it will not
be possible to add addresses/routes to that interface.

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
---
Documentation/networking/ip-sysctl.txt | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index 1d1120753ae8..33f35f049ad5 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1703,7 +1703,9 @@ disable_ipv6 - BOOLEAN
interface and start Duplicate Address Detection, if necessary.
When this value is changed from 0 to 1 (IPv6 is being disabled),
- it will dynamically delete all address on the given interface.
+ it will dynamically delete all addresses and routes on the given
+ interface. From now on it will not possible to add addresses/routes
+ to the selected interface.
accept_dad - INTEGER
Whether to accept DAD (Duplicate Address Detection).
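Review bot: The last added sentence, "From now on it will not possible to add addresses/routes", is missing a verb and should read "it will not be possible". Since patch 1/2 makes route creation fail with -EACCES in this state, the text could also name that error so an administrator who sees it can trace it back to this sysctl.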
--
2.14.3
* Re: [PATCH net-next 1/2] ipv6: do not set routes if disable_ipv6 has been enabled
From: David Ahern @ 2018-03-28 19:12 UTC
To: Lorenzo Bianconi, davem; +Cc: netdev
On 3/27/18 11:11 AM, Lorenzo Bianconi wrote:
> Do not allow to set ipv6 routes from userspace if disable_ipv6 has been
> enabled. The issue can be triggered using the following reproducer:
>
> - sysctl net.ipv6.conf.all.disable_ipv6=1
> - ip -6 route add a:b:c:d::/64 dev em1
> - ip -6 route show
> a:b:c:d::/64 dev em1 metric 1024 pref medium
>
> Fix it checking disable_ipv6 value in ip6_route_info_create routine
>
> Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
> ---
> net/ipv6/route.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/net/ipv6/route.c b/net/ipv6/route.c
> index 1d0eaa69874d..672fd7fdb037 100644
> --- a/net/ipv6/route.c
> +++ b/net/ipv6/route.c
> @@ -2917,6 +2917,11 @@ static struct rt6_info *ip6_route_info_create(struct fib6_config *cfg,
> if (!dev)
> goto out;
>
> + if (idev->cnf.disable_ipv6) {
> + err = -EACCES;

you need an extack message telling the user that IPv6 is disabled on the
nexthop device.

> + goto out;
> + }
> +
> if (!(dev->flags & IFF_UP)) {
> NL_SET_ERR_MSG(extack, "Nexthop device is not up");
> err = -ENETDOWN;
>
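Review bot: The added condition reads idev->cnf.disable_ipv6 right after the "if (!dev)" test, and nothing in the quoted context shows idev being tested for NULL on this path. Since this code is reached from a userspace route request, it is worth confirming that every path to this point already holds a valid idev, or else extending the condition to test idev before dereferencing it.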
* Re: [PATCH net-next 1/2] ipv6: do not set routes if disable_ipv6 has been enabled
From: Lorenzo Bianconi @ 2018-03-29 8:19 UTC
To: David Ahern; +Cc: davem, netdev
> On 3/27/18 11:11 AM, Lorenzo Bianconi wrote:
> > Do not allow to set ipv6 routes from userspace if disable_ipv6 has been
> > enabled. The issue can be triggered using the following reproducer:
> >
> > - sysctl net.ipv6.conf.all.disable_ipv6=1
> > - ip -6 route add a:b:c:d::/64 dev em1
> > - ip -6 route show
> > a:b:c:d::/64 dev em1 metric 1024 pref medium
> >
> > Fix it checking disable_ipv6 value in ip6_route_info_create routine
> >
> > Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
> > ---
> > net/ipv6/route.c | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> > diff --git a/net/ipv6/route.c b/net/ipv6/route.c
> > index 1d0eaa69874d..672fd7fdb037 100644
> > --- a/net/ipv6/route.c
> > +++ b/net/ipv6/route.c
> > @@ -2917,6 +2917,11 @@ static struct rt6_info *ip6_route_info_create(struct fib6_config *cfg,
> > if (!dev)
> > goto out;
> >
> > + if (idev->cnf.disable_ipv6) {
> > + err = -EACCES;
>
> you need an extack message telling the user that IPv6 is disabled on the
> nexthop device.
>

Ack, will do in v2.

Regards,
Lorenzo

> > + goto out;
> > + }
> > +
> > if (!(dev->flags & IFF_UP)) {
> > NL_SET_ERR_MSG(extack, "Nexthop device is not up");
> > err = -ENETDOWN;
> >
>