diff options
| author | Joel Scherpelz <jscherpelz@google.com> | 2017-03-22 05:19:04 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-03-22 17:20:54 -0400 |
| commit | bbea124bc99df968011e76eba105fe964a4eceab (patch) | |
| tree | ec41e6976abf168397615c51eb4a676b37f5bb5e | |
| parent | 0e4c9f13da28990064c958839e85c565f6adcbf5 (diff) | |
net: ipv6: Add sysctl for minimum prefix len acceptable in RIOs.
This commit adds a new sysctl accept_ra_rt_info_min_plen that
defines the minimum acceptable prefix length of Route Information
Options. The new sysctl is intended to be used together with
accept_ra_rt_info_max_plen to configure a range of acceptable
prefix lengths. It is useful to prevent misconfigurations from
unintentionally blackholing too much of the IPv6 address space
(e.g., home routers announcing RIOs for fc00::/7, which is
incorrect).
Signed-off-by: Joel Scherpelz <jscherpelz@google.com>
Acked-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | Documentation/networking/ip-sysctl.txt | 13 | ||||
| -rw-r--r-- | include/linux/ipv6.h | 1 | ||||
| -rw-r--r-- | include/uapi/linux/ipv6.h | 1 | ||||
| -rw-r--r-- | include/uapi/linux/sysctl.h | 1 | ||||
| -rw-r--r-- | net/ipv6/addrconf.c | 10 | ||||
| -rw-r--r-- | net/ipv6/ndisc.c | 2 |
6 files changed, 26 insertions, 2 deletions
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt index b57308e76b1d..eaee2c8d4c00 100644 --- a/Documentation/networking/ip-sysctl.txt +++ b/Documentation/networking/ip-sysctl.txt | |||
| @@ -1461,11 +1461,20 @@ accept_ra_pinfo - BOOLEAN | |||
| 1461 | Functional default: enabled if accept_ra is enabled. | 1461 | Functional default: enabled if accept_ra is enabled. |
| 1462 | disabled if accept_ra is disabled. | 1462 | disabled if accept_ra is disabled. |
| 1463 | 1463 | ||
| 1464 | accept_ra_rt_info_min_plen - INTEGER | ||
| 1465 | Minimum prefix length of Route Information in RA. | ||
| 1466 | |||
| 1467 | Route Information w/ prefix smaller than this variable shall | ||
| 1468 | be ignored. | ||
| 1469 | |||
| 1470 | Functional default: 0 if accept_ra_rtr_pref is enabled. | ||
| 1471 | -1 if accept_ra_rtr_pref is disabled. | ||
| 1472 | |||
| 1464 | accept_ra_rt_info_max_plen - INTEGER | 1473 | accept_ra_rt_info_max_plen - INTEGER |
| 1465 | Maximum prefix length of Route Information in RA. | 1474 | Maximum prefix length of Route Information in RA. |
| 1466 | 1475 | ||
| 1467 | Route Information w/ prefix larger than or equal to this | 1476 | Route Information w/ prefix larger than this variable shall |
| 1468 | variable shall be ignored. | 1477 | be ignored. |
| 1469 | 1478 | ||
| 1470 | Functional default: 0 if accept_ra_rtr_pref is enabled. | 1479 | Functional default: 0 if accept_ra_rtr_pref is enabled. |
| 1471 | -1 if accept_ra_rtr_pref is disabled. | 1480 | -1 if accept_ra_rtr_pref is disabled. |
diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h index f0d79bd054ca..e1b442996f81 100644 --- a/include/linux/ipv6.h +++ b/include/linux/ipv6.h | |||
| @@ -37,6 +37,7 @@ struct ipv6_devconf { | |||
| 37 | __s32 accept_ra_rtr_pref; | 37 | __s32 accept_ra_rtr_pref; |
| 38 | __s32 rtr_probe_interval; | 38 | __s32 rtr_probe_interval; |
| 39 | #ifdef CONFIG_IPV6_ROUTE_INFO | 39 | #ifdef CONFIG_IPV6_ROUTE_INFO |
| 40 | __s32 accept_ra_rt_info_min_plen; | ||
| 40 | __s32 accept_ra_rt_info_max_plen; | 41 | __s32 accept_ra_rt_info_max_plen; |
| 41 | #endif | 42 | #endif |
| 42 | #endif | 43 | #endif |
diff --git a/include/uapi/linux/ipv6.h b/include/uapi/linux/ipv6.h index d8f6a1ac9af4..2ae59178189d 100644 --- a/include/uapi/linux/ipv6.h +++ b/include/uapi/linux/ipv6.h | |||
| @@ -184,6 +184,7 @@ enum { | |||
| 184 | DEVCONF_ENHANCED_DAD, | 184 | DEVCONF_ENHANCED_DAD, |
| 185 | DEVCONF_ADDR_GEN_MODE, | 185 | DEVCONF_ADDR_GEN_MODE, |
| 186 | DEVCONF_DISABLE_POLICY, | 186 | DEVCONF_DISABLE_POLICY, |
| 187 | DEVCONF_ACCEPT_RA_RT_INFO_MIN_PLEN, | ||
| 187 | DEVCONF_MAX | 188 | DEVCONF_MAX |
| 188 | }; | 189 | }; |
| 189 | 190 | ||
diff --git a/include/uapi/linux/sysctl.h b/include/uapi/linux/sysctl.h index d2b12152e358..e13d48058b8d 100644 --- a/include/uapi/linux/sysctl.h +++ b/include/uapi/linux/sysctl.h | |||
| @@ -568,6 +568,7 @@ enum { | |||
| 568 | NET_IPV6_PROXY_NDP=23, | 568 | NET_IPV6_PROXY_NDP=23, |
| 569 | NET_IPV6_ACCEPT_SOURCE_ROUTE=25, | 569 | NET_IPV6_ACCEPT_SOURCE_ROUTE=25, |
| 570 | NET_IPV6_ACCEPT_RA_FROM_LOCAL=26, | 570 | NET_IPV6_ACCEPT_RA_FROM_LOCAL=26, |
| 571 | NET_IPV6_ACCEPT_RA_RT_INFO_MIN_PLEN=27, | ||
| 571 | __NET_IPV6_MAX | 572 | __NET_IPV6_MAX |
| 572 | }; | 573 | }; |
| 573 | 574 | ||
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 8c69768a5c46..dff5beb26a01 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c | |||
| @@ -224,6 +224,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = { | |||
| 224 | .accept_ra_rtr_pref = 1, | 224 | .accept_ra_rtr_pref = 1, |
| 225 | .rtr_probe_interval = 60 * HZ, | 225 | .rtr_probe_interval = 60 * HZ, |
| 226 | #ifdef CONFIG_IPV6_ROUTE_INFO | 226 | #ifdef CONFIG_IPV6_ROUTE_INFO |
| 227 | .accept_ra_rt_info_min_plen = 0, | ||
| 227 | .accept_ra_rt_info_max_plen = 0, | 228 | .accept_ra_rt_info_max_plen = 0, |
| 228 | #endif | 229 | #endif |
| 229 | #endif | 230 | #endif |
| @@ -277,6 +278,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = { | |||
| 277 | .accept_ra_rtr_pref = 1, | 278 | .accept_ra_rtr_pref = 1, |
| 278 | .rtr_probe_interval = 60 * HZ, | 279 | .rtr_probe_interval = 60 * HZ, |
| 279 | #ifdef CONFIG_IPV6_ROUTE_INFO | 280 | #ifdef CONFIG_IPV6_ROUTE_INFO |
| 281 | .accept_ra_rt_info_min_plen = 0, | ||
| 280 | .accept_ra_rt_info_max_plen = 0, | 282 | .accept_ra_rt_info_max_plen = 0, |
| 281 | #endif | 283 | #endif |
| 282 | #endif | 284 | #endif |
| @@ -4979,6 +4981,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf *cnf, | |||
| 4979 | array[DEVCONF_RTR_PROBE_INTERVAL] = | 4981 | array[DEVCONF_RTR_PROBE_INTERVAL] = |
| 4980 | jiffies_to_msecs(cnf->rtr_probe_interval); | 4982 | jiffies_to_msecs(cnf->rtr_probe_interval); |
| 4981 | #ifdef CONFIG_IPV6_ROUTE_INFO | 4983 | #ifdef CONFIG_IPV6_ROUTE_INFO |
| 4984 | array[DEVCONF_ACCEPT_RA_RT_INFO_MIN_PLEN] = cnf->accept_ra_rt_info_min_plen; | ||
| 4982 | array[DEVCONF_ACCEPT_RA_RT_INFO_MAX_PLEN] = cnf->accept_ra_rt_info_max_plen; | 4985 | array[DEVCONF_ACCEPT_RA_RT_INFO_MAX_PLEN] = cnf->accept_ra_rt_info_max_plen; |
| 4983 | #endif | 4986 | #endif |
| 4984 | #endif | 4987 | #endif |
| @@ -6122,6 +6125,13 @@ static const struct ctl_table addrconf_sysctl[] = { | |||
| 6122 | }, | 6125 | }, |
| 6123 | #ifdef CONFIG_IPV6_ROUTE_INFO | 6126 | #ifdef CONFIG_IPV6_ROUTE_INFO |
| 6124 | { | 6127 | { |
| 6128 | .procname = "accept_ra_rt_info_min_plen", | ||
| 6129 | .data = &ipv6_devconf.accept_ra_rt_info_min_plen, | ||
| 6130 | .maxlen = sizeof(int), | ||
| 6131 | .mode = 0644, | ||
| 6132 | .proc_handler = proc_dointvec, | ||
| 6133 | }, | ||
| 6134 | { | ||
| 6125 | .procname = "accept_ra_rt_info_max_plen", | 6135 | .procname = "accept_ra_rt_info_max_plen", |
| 6126 | .data = &ipv6_devconf.accept_ra_rt_info_max_plen, | 6136 | .data = &ipv6_devconf.accept_ra_rt_info_max_plen, |
| 6127 | .maxlen = sizeof(int), | 6137 | .maxlen = sizeof(int), |
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c index 112ccbc0a8ac..b5812b3f7539 100644 --- a/net/ipv6/ndisc.c +++ b/net/ipv6/ndisc.c | |||
| @@ -1418,6 +1418,8 @@ skip_linkparms: | |||
| 1418 | if (ri->prefix_len == 0 && | 1418 | if (ri->prefix_len == 0 && |
| 1419 | !in6_dev->cnf.accept_ra_defrtr) | 1419 | !in6_dev->cnf.accept_ra_defrtr) |
| 1420 | continue; | 1420 | continue; |
| 1421 | if (ri->prefix_len < in6_dev->cnf.accept_ra_rt_info_min_plen) | ||
| 1422 | continue; | ||
| 1421 | if (ri->prefix_len > in6_dev->cnf.accept_ra_rt_info_max_plen) | 1423 | if (ri->prefix_len > in6_dev->cnf.accept_ra_rt_info_max_plen) |
| 1422 | continue; | 1424 | continue; |
| 1423 | rt6_route_rcv(skb->dev, (u8 *)p, (p->nd_opt_len) << 3, | 1425 | rt6_route_rcv(skb->dev, (u8 *)p, (p->nd_opt_len) << 3, |