| Message ID | 20100403232922.489187907@vyatta.com |
|---|---|
| State | RFC, archived |
| Delegated to: | David Miller |
| Headers | show |
Hi, (2010/04/04 8:21), Stephen Hemminger wrote: > The original proposed code; the IPV6 and IPV4 socket options are seperate. > With this method, the server does have to deal with both IPv4 and IPv6 > socket options and the client has to handle the different for each > family. I am for 1/3 (original), not for 2/3, 3/3. Because we should allow users to set respective value for IPv4 and IPv6, as we allow users to do so for TTL and hoplimit itself. --yoshfuji -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 05/04/2010 05:48, YOSHIFUJI Hideaki wrote: > I am for 1/3 (original), not for 2/3, 3/3. > > Because we should allow users to set respective value > for IPv4 and IPv6, as we allow users to do so for TTL > and hoplimit itself. <non-linux-user> I concur. ipv4 mapped addresses need special handling in lots of cases, and I don't believe that patch 2/3 adds anything here - except possibly confusion. Regarding case 3/3, ipv4 and ipv6 are separate protocols. Treating them as the same from the setsockopt() point of view is a clear case of the Wrong Thing. </non-linux-user> Case 1/3 is IMO a better approach. It satisfies both KISS (keep it simple...) and POLA (principle of least astonishment). Nick -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Sat, 03 Apr 2010 16:21:04 -0700 Stephen Hemminger <shemminger@vyatta.com> wrote: > This patch adds IPv6 support for RFC5082 Generalized TTL > Security Mechanism. > > The original proposed code; the IPV6 and IPV4 socket options are seperate. > With this method, the server does have to deal with both IPv4 and IPv6 > socket options and the client has to handle the different for each > family. > > On client: > int ttl = 255; > getaddrinfo(argv[1], argv[2], &hint, &result); > > for (rp = result; rp != NULL; rp = rp->ai_next) { > s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol); > if (s < 0) continue; > > if (rp->ai_family == AF_INET) { > setsockopt(s, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl)); > } else if (rp->ai_family == AF_INET6) { > setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS, > &ttl, sizeof(ttl))) > } > > if (connect(s, rp->ai_addr, rp->ai_addrlen) == 0) { > ... > > On server: > int minttl = 255 - maxhops; > > getaddrinfo(NULL, port, &hints, &result); > for (rp = result; rp != NULL; rp = rp->ai_next) { > s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol); > if (s < 0) continue; > > if (rp->ai_family == AF_INET6) > setsockopt(s, IPPROTO_IPV6, IPV6_MINHOPCOUNT, > &minttl, sizeof(minttl)); > setsockopt(s, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl)); > > if (bind(s, rp->ai_addr, rp->ai_addrlen) == 0) > break > .. > > > Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Dave: Yoshifuji and I agree this is the best solution, how come the patch hasn't been applied? -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Stephen Hemminger <shemminger@vyatta.com> Date: Thu, 22 Apr 2010 09:23:05 -0700 > Dave: Yoshifuji and I agree this is the best solution, how come the patch > hasn't been applied? You supplied 3 different implementations, that puts all of them into "RFC" state in patchwork. When you figure out which one is best you make a new explicit submission of the implementation you think should actually go into the tree. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
--- a/net/ipv6/tcp_ipv6.c 2010-04-03 16:04:01.159412921 -0700 +++ b/net/ipv6/tcp_ipv6.c 2010-04-03 16:05:15.749413056 -0700 @@ -349,6 +349,11 @@ static void tcp_v6_err(struct sk_buff *s if (sk->sk_state == TCP_CLOSE) goto out; + if (ipv6_hdr(skb)->hop_limit < inet6_sk(sk)->min_hopcount) { + NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP); + goto out; + } + tp = tcp_sk(sk); seq = ntohl(th->seq); if (sk->sk_state != TCP_LISTEN && @@ -1675,6 +1680,7 @@ ipv6_pktoptions: static int tcp_v6_rcv(struct sk_buff *skb) { struct tcphdr *th; + struct ipv6hdr *hdr; struct sock *sk; int ret; struct net *net = dev_net(skb->dev); @@ -1701,12 +1707,13 @@ static int tcp_v6_rcv(struct sk_buff *sk goto bad_packet; th = tcp_hdr(skb); + hdr = ipv6_hdr(skb); TCP_SKB_CB(skb)->seq = ntohl(th->seq); TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin + skb->len - th->doff*4); TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq); TCP_SKB_CB(skb)->when = 0; - TCP_SKB_CB(skb)->flags = ipv6_get_dsfield(ipv6_hdr(skb)); + TCP_SKB_CB(skb)->flags = ipv6_get_dsfield(hdr); TCP_SKB_CB(skb)->sacked = 0; sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest); @@ -1717,6 +1724,11 @@ process: if (sk->sk_state == TCP_TIME_WAIT) goto do_time_wait; + if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) { + NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP); + goto discard_and_relse; + } + if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) goto discard_and_relse; --- a/include/linux/in6.h 2010-04-02 21:16:07.461701802 -0700 +++ b/include/linux/in6.h 2010-04-03 16:05:15.749413056 -0700 @@ -265,6 +265,9 @@ struct in6_flowlabel_req { #define IPV6_PREFER_SRC_CGA 0x0008 #define IPV6_PREFER_SRC_NONCGA 0x0800 +/* RFC5082: Generalized Ttl Security Mechanism */ +#define IPV6_MINHOPCOUNT 73 + /* * Multicast Routing: * see include/linux/mroute6.h. --- a/include/linux/ipv6.h 2010-04-02 21:16:04.122638936 -0700 +++ b/include/linux/ipv6.h 2010-04-03 16:05:15.769412669 -0700 @@ -348,6 +348,7 @@ struct ipv6_pinfo { * 010: prefer public address * 100: prefer care-of address */ + __u8 min_hopcount; __u8 tclass; __u32 dst_cookie; --- a/net/ipv6/ipv6_sockglue.c 2010-04-02 21:15:26.071389733 -0700 +++ b/net/ipv6/ipv6_sockglue.c 2010-04-03 16:05:15.789412706 -0700 @@ -766,6 +766,14 @@ pref_skip_coa: break; } + case IPV6_MINHOPCOUNT: + if (optlen < sizeof(int)) + goto e_inval; + if (val < 0 || val > 255) + goto e_inval; + np->min_hopcount = val; + retv = 0; + break; } release_sock(sk); @@ -1114,6 +1122,10 @@ static int do_ipv6_getsockopt(struct soc val |= IPV6_PREFER_SRC_HOME; break; + case IPV6_MINHOPCOUNT: + val = np->min_hopcount; + break; + default: return -ENOPROTOOPT; }
This patch adds IPv6 support for RFC5082 Generalized TTL Security Mechanism. The original proposed code; the IPV6 and IPV4 socket options are seperate. With this method, the server does have to deal with both IPv4 and IPv6 socket options and the client has to handle the different for each family. On client: int ttl = 255; getaddrinfo(argv[1], argv[2], &hint, &result); for (rp = result; rp != NULL; rp = rp->ai_next) { s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol); if (s < 0) continue; if (rp->ai_family == AF_INET) { setsockopt(s, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl)); } else if (rp->ai_family == AF_INET6) { setsockopt(s, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &ttl, sizeof(ttl))) } if (connect(s, rp->ai_addr, rp->ai_addrlen) == 0) { ... On server: int minttl = 255 - maxhops; getaddrinfo(NULL, port, &hints, &result); for (rp = result; rp != NULL; rp = rp->ai_next) { s = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol); if (s < 0) continue; if (rp->ai_family == AF_INET6) setsockopt(s, IPPROTO_IPV6, IPV6_MINHOPCOUNT, &minttl, sizeof(minttl)); setsockopt(s, IPPROTO_IP, IP_MINTTL, &minttl, sizeof(minttl)); if (bind(s, rp->ai_addr, rp->ai_addrlen) == 0) break .. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> --- include/linux/in6.h | 3 +++ include/linux/ipv6.h | 1 + net/ipv6/ipv6_sockglue.c | 12 ++++++++++++ net/ipv6/tcp_ipv6.c | 14 +++++++++++++- 4 files changed, 29 insertions(+), 1 deletion(-)