ipv6: add flowlabel_consistency sysctl

With the introduction of IPV6_FL_F_REFLECT, there is no guarantee of flow label unicity. This patch introduces a new sysctl to protect the old behaviour, enable by default. Changelog of V3: * rename ip6_flowlabel_consistency to flowlabel_consistency * use net_info_ratelimited() * checkpatch cleanups Signed-off-by: Florent Fourcot <florent.fourcot@enst-bretagne.fr> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Florent Fourcot <florent.fourcot@enst-bretagne.fr> 2014-01-17 11:15:05 -0500
committer: David S. Miller <davem@davemloft.net> 2014-01-19 20:12:31 -0500
commit: 6444f72b4b74f627c51891101e93ba2b94078b0a (patch)
tree: d5aa20605d13fa3e222e7e1bf1b7b678a295f398 /net/ipv6
parent: 46e5f401762c639e38eea350d335c0f54ec2442f (diff)
3 files changed, 16 insertions, 0 deletions
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index c921d5d38831..d935889f1008 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -775,6 +775,7 @@ static int __net_init inet6_net_init(struct net *net)
        net->ipv6.sysctl.bindv6only = 0;
        net->ipv6.sysctl.icmpv6_time = 1*HZ;
+        net->ipv6.sysctl.flowlabel_consistency = 1;
        atomic_set(&net->ipv6.rt_genid, 0);
        err = ipv6_init_mibs(net);
diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index 01bf2524c72a..dfa41bb4e0dc 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -588,8 +588,15 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen)
        case IPV6_FL_A_GET:
                if (freq.flr_flags & IPV6_FL_F_REFLECT) {
+                        struct net *net = sock_net(sk);
+                        if (net->ipv6.sysctl.flowlabel_consistency) {
+                                net_info_ratelimited("Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable\n");
+                                return -EPERM;
+                        }
                        if (sk->sk_protocol != IPPROTO_TCP)
                                return -ENOPROTOOPT;
                        np->repflow = 1;
                        return 0;
                }
diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c
index b51b2688102c..7f405a168822 100644
--- a/net/ipv6/sysctl_net_ipv6.c
+++ b/net/ipv6/sysctl_net_ipv6.c
@@ -31,6 +31,13 @@ static struct ctl_table ipv6_table_template[] = {
                .mode           = 0644,
                .proc_handler   = proc_dointvec
        },
+        {
+                .procname       = "flowlabel_consistency",
+                .data           = &init_net.ipv6.sysctl.flowlabel_consistency,
+                .maxlen         = sizeof(int),
+                .mode           = 0644,
+                .proc_handler   = proc_dointvec
+        },
        { }
 };
@@ -59,6 +66,7 @@ static int __net_init ipv6_sysctl_net_init(struct net *net)
                goto out;
        ipv6_table[0].data = &net->ipv6.sysctl.bindv6only;
        ipv6_table[1].data = &net->ipv6.sysctl.anycast_src_echo_reply;
+        ipv6_table[2].data = &net->ipv6.sysctl.flowlabel_consistency;
        ipv6_route_table = ipv6_route_sysctl_init(net);
        if (!ipv6_route_table)
author	Florent Fourcot <florent.fourcot@enst-bretagne.fr>	2014-01-17 11:15:05 -0500
committer	David S. Miller <davem@davemloft.net>	2014-01-19 20:12:31 -0500
commit	6444f72b4b74f627c51891101e93ba2b94078b0a (patch)
tree	d5aa20605d13fa3e222e7e1bf1b7b678a295f398 /net/ipv6
parent	46e5f401762c639e38eea350d335c0f54ec2442f (diff)