* [PATCH v2 net-next 0/2] do not allow adding routes if disable_ipv6 is enabled
@ 2018-03-29 9:02 Lorenzo Bianconi
2018-03-29 9:02 ` [PATCH v2 net-next 1/2] ipv6: do not set routes if disable_ipv6 has been enabled Lorenzo Bianconi
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Lorenzo Bianconi @ 2018-03-29 9:02 UTC (permalink / raw)
To: davem; +Cc: netdev
Do not allow userspace to add static ipv6 routes if disable_ipv6 is enabled.
Update disable_ipv6 documentation according to that change.

Changes since v1:
- added an extack message telling the user that IPv6 is disabled on the nexthop
  device
- rebased on top of net-next

Lorenzo Bianconi (2):
ipv6: do not set routes if disable_ipv6 has been enabled
Documentation: ip-sysctl.txt: clarify disable_ipv6
Documentation/networking/ip-sysctl.txt | 4 +++-
net/ipv6/route.c | 6 ++++++
2 files changed, 9 insertions(+), 1 deletion(-)
--
2.14.3
* [PATCH v2 net-next 1/2] ipv6: do not set routes if disable_ipv6 has been enabled
From: Lorenzo Bianconi @ 2018-03-29 9:02 UTC (permalink / raw)
To: davem; +Cc: netdev
Do not allow setting ipv6 routes from userspace if disable_ipv6 has been
enabled. The issue can be triggered using the following reproducer:

- sysctl net.ipv6.conf.all.disable_ipv6=1
- ip -6 route add a:b:c:d::/64 dev em1
- ip -6 route show
  a:b:c:d::/64 dev em1 metric 1024 pref medium

Fix it by checking the disable_ipv6 value in the ip6_route_info_create routine.

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
---
net/ipv6/route.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index ba8d5df50ebe..e461ef1158b6 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2917,6 +2917,12 @@ static struct rt6_info *ip6_route_info_create(struct fib6_config *cfg,
if (!dev)
goto out;
+ if (idev->cnf.disable_ipv6) {
+ NL_SET_ERR_MSG(extack, "IPv6 is disabled on nexthop device");
+ err = -EACCES;
+ goto out;
+ }
+
if (!(dev->flags & IFF_UP)) {
NL_SET_ERR_MSG(extack, "Nexthop device is not up");
err = -ENETDOWN;
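Review bot: the new test dereferences idev (idev->cnf.disable_ipv6) directly after a guard that only checks dev, and nothing in the visible context shows idev being validated on this path. Please confirm that every path reaching this point with a non-NULL dev also carries a valid idev, or test !idev before reading cnf. It would also help to say in the commit message why -EACCES was chosen rather than the -ENETDOWN used by the neighbouring IFF_UP check, since userspace sees the errno as well as the extack string.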
--
2.14.3
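
An added check, not part of the patch or of this thread, for hosts whose kernel lacks this fix: it lists IPv6 routes still bound to a device whose disable_ipv6 sysctl reads 1, which is the state the reproducer above creates. The function names and the second sample route are constructed for illustration; the first sample route is the one shown in the commit message.

```shell
#!/bin/sh
# Added example: find IPv6 routes that sit on devices with disable_ipv6=1.

# Print the names of interfaces whose per-device disable_ipv6 sysctl is 1.
# $1 is the sysctl directory (defaults to the live /proc tree).
disabled_ifaces() {
    conf_dir=${1:-/proc/sys/net/ipv6/conf}
    for f in "$conf_dir"/*/disable_ipv6; do
        [ -r "$f" ] || continue
        name=$(basename "$(dirname "$f")")
        # "all" and "default" are templates, not network devices.
        case $name in all|default) continue ;; esac
        if [ "$(cat "$f")" = "1" ]; then echo "$name"; fi
    done
    return 0
}

# Read `ip -6 route show` output on stdin and print every route whose
# "dev" is one of the interface names given as arguments.
routes_on_disabled_ifaces() {
    awk -v list="$*" '
        BEGIN { n = split(list, a, " ")
                for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        { for (i = 1; i < NF; i++)
              if ($i == "dev" && ($(i + 1) in bad)) { print; break } }'
}

# Live audit: any output means a route exists on an IPv6-disabled device.
audit() {
    # Interface names contain no whitespace, so word splitting is intended.
    ip -6 route show | routes_on_disabled_ifaces $(disabled_ifaces)
}

# Constructed sample: first line from the commit message, second invented.
SAMPLE_ROUTES='a:b:c:d::/64 dev em1 metric 1024 pref medium
fe80::/64 dev em2 proto kernel metric 256 pref medium'

# Offline demonstration with em1 treated as the disabled device.
printf '%s\n' "$SAMPLE_ROUTES" | routes_on_disabled_ifaces em1
```

Run `audit` as a user allowed to read the routing table; on a kernel with this patch applied it should stay silent, because the sysctl change deletes the routes and new ones are refused.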
* [PATCH v2 net-next 2/2] Documentation: ip-sysctl.txt: clarify disable_ipv6
From: Lorenzo Bianconi @ 2018-03-29 9:02 UTC (permalink / raw)
To: davem; +Cc: netdev
Clarify that when disable_ipv6 is enabled even the ipv6 routes
are deleted for the selected interface and from now on it will not
be possible to add addresses/routes to that interface.

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
---
Documentation/networking/ip-sysctl.txt | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index 1d1120753ae8..33f35f049ad5 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1703,7 +1703,9 @@ disable_ipv6 - BOOLEAN
interface and start Duplicate Address Detection, if necessary.
When this value is changed from 0 to 1 (IPv6 is being disabled),
- it will dynamically delete all address on the given interface.
+ it will dynamically delete all addresses and routes on the given
+ interface. From now on it will not possible to add addresses/routes
+ to the selected interface.
accept_dad - INTEGER
Whether to accept DAD (Duplicate Address Detection).
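Review bot: the added sentence "From now on it will not possible to add addresses/routes" is missing a word and should read "it will not be possible". "From now on" also reads as permanent, while the context line just above the change ends the description of the interface being brought back into use; wording such as "While IPv6 is disabled it is not possible to add addresses/routes to the interface" would state the restriction without implying it survives setting the value back to 0.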
--
2.14.3
* Re: [PATCH v2 net-next 0/2] do not allow adding routes if disable_ipv6 is enabled
From: David Miller @ 2018-03-30 16:21 UTC (permalink / raw)
To: lorenzo.bianconi; +Cc: netdev
From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Date: Thu, 29 Mar 2018 11:02:23 +0200
> Do not allow userspace to add static ipv6 routes if disable_ipv6 is enabled.
> Update disable_ipv6 documentation according to that change
>
> Changes since v1:
> - added an extack message telling the user that IPv6 is disabled on the nexthop
> device
> - rebased on-top of net-next
Series applied, thanks Lorenzo.