diff options
| author | Florent Fourcot <florent.fourcot@enst-bretagne.fr> | 2014-01-17 11:15:05 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2014-01-19 20:12:31 -0500 |
| commit | 6444f72b4b74f627c51891101e93ba2b94078b0a (patch) | |
| tree | d5aa20605d13fa3e222e7e1bf1b7b678a295f398 | |
| parent | 46e5f401762c639e38eea350d335c0f54ec2442f (diff) | |
ipv6: add flowlabel_consistency sysctl
With the introduction of IPV6_FL_F_REFLECT, there is no guarantee of
flow label unicity. This patch introduces a new sysctl to protect the old
behaviour, enable by default.
Changelog of V3:
* rename ip6_flowlabel_consistency to flowlabel_consistency
* use net_info_ratelimited()
* checkpatch cleanups
Signed-off-by: Florent Fourcot <florent.fourcot@enst-bretagne.fr>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | Documentation/networking/ip-sysctl.txt | 8 | ||||
| -rw-r--r-- | include/net/netns/ipv6.h | 1 | ||||
| -rw-r--r-- | net/ipv6/af_inet6.c | 1 | ||||
| -rw-r--r-- | net/ipv6/ip6_flowlabel.c | 7 | ||||
| -rw-r--r-- | net/ipv6/sysctl_net_ipv6.c | 8 |
5 files changed, 25 insertions, 0 deletions
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt index c97932c88ea3..5de03740cdd5 100644 --- a/Documentation/networking/ip-sysctl.txt +++ b/Documentation/networking/ip-sysctl.txt | |||
| @@ -1118,6 +1118,14 @@ bindv6only - BOOLEAN | |||
| 1118 | 1118 | ||
| 1119 | Default: FALSE (as specified in RFC3493) | 1119 | Default: FALSE (as specified in RFC3493) |
| 1120 | 1120 | ||
| 1121 | flowlabel_consistency - BOOLEAN | ||
| 1122 | Protect the consistency (and unicity) of flow label. | ||
| 1123 | You have to disable it to use IPV6_FL_F_REFLECT flag on the | ||
| 1124 | flow label manager. | ||
| 1125 | TRUE: enabled | ||
| 1126 | FALSE: disabled | ||
| 1127 | Default: TRUE | ||
| 1128 | |||
| 1121 | anycast_src_echo_reply - BOOLEAN | 1129 | anycast_src_echo_reply - BOOLEAN |
| 1122 | Controls the use of anycast addresses as source addresses for ICMPv6 | 1130 | Controls the use of anycast addresses as source addresses for ICMPv6 |
| 1123 | echo reply | 1131 | echo reply |
diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h index 592fecd2e59e..21edaf1f7916 100644 --- a/include/net/netns/ipv6.h +++ b/include/net/netns/ipv6.h | |||
| @@ -27,6 +27,7 @@ struct netns_sysctl_ipv6 { | |||
| 27 | int ip6_rt_gc_elasticity; | 27 | int ip6_rt_gc_elasticity; |
| 28 | int ip6_rt_mtu_expires; | 28 | int ip6_rt_mtu_expires; |
| 29 | int ip6_rt_min_advmss; | 29 | int ip6_rt_min_advmss; |
| 30 | int flowlabel_consistency; | ||
| 30 | int icmpv6_time; | 31 | int icmpv6_time; |
| 31 | int anycast_src_echo_reply; | 32 | int anycast_src_echo_reply; |
| 32 | }; | 33 | }; |
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index c921d5d38831..d935889f1008 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c | |||
| @@ -775,6 +775,7 @@ static int __net_init inet6_net_init(struct net *net) | |||
| 775 | 775 | ||
| 776 | net->ipv6.sysctl.bindv6only = 0; | 776 | net->ipv6.sysctl.bindv6only = 0; |
| 777 | net->ipv6.sysctl.icmpv6_time = 1*HZ; | 777 | net->ipv6.sysctl.icmpv6_time = 1*HZ; |
| 778 | net->ipv6.sysctl.flowlabel_consistency = 1; | ||
| 778 | atomic_set(&net->ipv6.rt_genid, 0); | 779 | atomic_set(&net->ipv6.rt_genid, 0); |
| 779 | 780 | ||
| 780 | err = ipv6_init_mibs(net); | 781 | err = ipv6_init_mibs(net); |
diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c index 01bf2524c72a..dfa41bb4e0dc 100644 --- a/net/ipv6/ip6_flowlabel.c +++ b/net/ipv6/ip6_flowlabel.c | |||
| @@ -588,8 +588,15 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen) | |||
| 588 | 588 | ||
| 589 | case IPV6_FL_A_GET: | 589 | case IPV6_FL_A_GET: |
| 590 | if (freq.flr_flags & IPV6_FL_F_REFLECT) { | 590 | if (freq.flr_flags & IPV6_FL_F_REFLECT) { |
| 591 | struct net *net = sock_net(sk); | ||
| 592 | if (net->ipv6.sysctl.flowlabel_consistency) { | ||
| 593 | net_info_ratelimited("Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable\n"); | ||
| 594 | return -EPERM; | ||
| 595 | } | ||
| 596 | |||
| 591 | if (sk->sk_protocol != IPPROTO_TCP) | 597 | if (sk->sk_protocol != IPPROTO_TCP) |
| 592 | return -ENOPROTOOPT; | 598 | return -ENOPROTOOPT; |
| 599 | |||
| 593 | np->repflow = 1; | 600 | np->repflow = 1; |
| 594 | return 0; | 601 | return 0; |
| 595 | } | 602 | } |
diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c index b51b2688102c..7f405a168822 100644 --- a/net/ipv6/sysctl_net_ipv6.c +++ b/net/ipv6/sysctl_net_ipv6.c | |||
| @@ -31,6 +31,13 @@ static struct ctl_table ipv6_table_template[] = { | |||
| 31 | .mode = 0644, | 31 | .mode = 0644, |
| 32 | .proc_handler = proc_dointvec | 32 | .proc_handler = proc_dointvec |
| 33 | }, | 33 | }, |
| 34 | { | ||
| 35 | .procname = "flowlabel_consistency", | ||
| 36 | .data = &init_net.ipv6.sysctl.flowlabel_consistency, | ||
| 37 | .maxlen = sizeof(int), | ||
| 38 | .mode = 0644, | ||
| 39 | .proc_handler = proc_dointvec | ||
| 40 | }, | ||
| 34 | { } | 41 | { } |
| 35 | }; | 42 | }; |
| 36 | 43 | ||
| @@ -59,6 +66,7 @@ static int __net_init ipv6_sysctl_net_init(struct net *net) | |||
| 59 | goto out; | 66 | goto out; |
| 60 | ipv6_table[0].data = &net->ipv6.sysctl.bindv6only; | 67 | ipv6_table[0].data = &net->ipv6.sysctl.bindv6only; |
| 61 | ipv6_table[1].data = &net->ipv6.sysctl.anycast_src_echo_reply; | 68 | ipv6_table[1].data = &net->ipv6.sysctl.anycast_src_echo_reply; |
| 69 | ipv6_table[2].data = &net->ipv6.sysctl.flowlabel_consistency; | ||
| 62 | 70 | ||
| 63 | ipv6_route_table = ipv6_route_sysctl_init(net); | 71 | ipv6_route_table = ipv6_route_sysctl_init(net); |
| 64 | if (!ipv6_route_table) | 72 | if (!ipv6_route_table) |