
[net-next] ipv6: Add icmp_echo_ignore_multicast support for ICMPv6

Message ID 20190319124548.21382-1-ssuryaextr@gmail.com
State Changes Requested
Delegated to: David Miller

Commit Message

Stephen Suryaputra March 19, 2019, 12:45 p.m. UTC
IPv4 has icmp_echo_ignore_broadcast to prevent responding to broadcast pings.
IPv6 needs a similar mechanism.

Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
---
 Documentation/networking/ip-sysctl.txt |  5 +++++
 include/net/netns/ipv6.h               |  1 +
 include/uapi/linux/sysctl.h            |  3 ++-
 net/ipv6/af_inet6.c                    |  1 +
 net/ipv6/icmp.c                        | 12 ++++++++++++
 5 files changed, 21 insertions(+), 1 deletion(-)

Comments

Eric Dumazet March 19, 2019, 1:10 p.m. UTC | #1
On 03/19/2019 05:45 AM, Stephen Suryaputra wrote:
> IPv4 has icmp_echo_ignore_broadcast to prevent responding to broadcast pings.
> IPv6 needs a similar mechanism.
> 


...

> diff --git a/include/uapi/linux/sysctl.h b/include/uapi/linux/sysctl.h
> index 87aa2a6d9125..bd83ddedc014 100644
> --- a/include/uapi/linux/sysctl.h
> +++ b/include/uapi/linux/sysctl.h
> @@ -577,7 +577,8 @@ enum {
>  /* /proc/sys/net/ipv6/icmp */
>  enum {
>  	NET_IPV6_ICMP_RATELIMIT = 1,
> -	NET_IPV6_ICMP_ECHO_IGNORE_ALL = 2
> +	NET_IPV6_ICMP_ECHO_IGNORE_ALL = 2,
> +	NET_IPV6_ICMP_ECHO_IGNORE_MULTICAST = 3
>  };
>  
>  /* /proc/sys/net/<protocol>/neigh/<dev> */

This part is probably not needed.
Stephen Suryaputra March 19, 2019, 2:10 p.m. UTC | #2
I wondered why NET_IPV6_ICMP_ECHO_IGNORE_ALL isn't being referenced.
Your comment made me probe further. Apparently, commit
e6f86b0f7ae473969a3301b74bf98af9e42ecd0e didn't add it to:

static const struct bin_table bin_net_ipv6_icmp_table[] = {
     { CTL_INT,  NET_IPV6_ICMP_RATELIMIT,    "ratelimit" },
     {}
};

I will fix that as well.

Thanks.

On Tue, Mar 19, 2019 at 9:10 AM Eric Dumazet <eric.dumazet@gmail.com> wrote:
>
>
>
> On 03/19/2019 05:45 AM, Stephen Suryaputra wrote:
> > IPv4 has icmp_echo_ignore_broadcast to prevent responding to broadcast pings.
> > IPv6 needs a similar mechanism.
> >
>
>
> ...
>
> > diff --git a/include/uapi/linux/sysctl.h b/include/uapi/linux/sysctl.h
> > index 87aa2a6d9125..bd83ddedc014 100644
> > --- a/include/uapi/linux/sysctl.h
> > +++ b/include/uapi/linux/sysctl.h
> > @@ -577,7 +577,8 @@ enum {
> >  /* /proc/sys/net/ipv6/icmp */
> >  enum {
> >       NET_IPV6_ICMP_RATELIMIT = 1,
> > -     NET_IPV6_ICMP_ECHO_IGNORE_ALL = 2
> > +     NET_IPV6_ICMP_ECHO_IGNORE_ALL = 2,
> > +     NET_IPV6_ICMP_ECHO_IGNORE_MULTICAST = 3
> >  };
> >
> >  /* /proc/sys/net/<protocol>/neigh/<dev> */
>
> This part is probably not needed.
>
Eric Dumazet March 19, 2019, 3:51 p.m. UTC | #3
On 03/19/2019 07:10 AM, Stephen Suryaputra wrote:
> I wondered why NET_IPV6_ICMP_ECHO_IGNORE_ALL isn't being referenced.
> Your comment made me probe further. Apparently, commit
> e6f86b0f7ae473969a3301b74bf98af9e42ecd0e didn't add it to:
> 
> static const struct bin_table bin_net_ipv6_icmp_table[] = {
>      { CTL_INT,  NET_IPV6_ICMP_RATELIMIT,    "ratelimit" },
>      {}
> };
> 
> I will fix that as well.
>

No you do not want to 'fix' this.

We no longer add binary sysctls (in kernel/sysctl_binary.c); they are deprecated.

 
> Thanks.
> 
> On Tue, Mar 19, 2019 at 9:10 AM Eric Dumazet <eric.dumazet@gmail.com> wrote:
>>
>>
>>
>> On 03/19/2019 05:45 AM, Stephen Suryaputra wrote:
>>> IPv4 has icmp_echo_ignore_broadcast to prevent responding to broadcast pings.
>>> IPv6 needs a similar mechanism.
>>>
>>
>>
>> ...
>>
>>> diff --git a/include/uapi/linux/sysctl.h b/include/uapi/linux/sysctl.h
>>> index 87aa2a6d9125..bd83ddedc014 100644
>>> --- a/include/uapi/linux/sysctl.h
>>> +++ b/include/uapi/linux/sysctl.h
>>> @@ -577,7 +577,8 @@ enum {
>>>  /* /proc/sys/net/ipv6/icmp */
>>>  enum {
>>>       NET_IPV6_ICMP_RATELIMIT = 1,
>>> -     NET_IPV6_ICMP_ECHO_IGNORE_ALL = 2
>>> +     NET_IPV6_ICMP_ECHO_IGNORE_ALL = 2,
>>> +     NET_IPV6_ICMP_ECHO_IGNORE_MULTICAST = 3
>>>  };
>>>
>>>  /* /proc/sys/net/<protocol>/neigh/<dev> */
>>
>> This part is probably not needed.
>>


diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index acdfb5d2bcaa..55ea7def46be 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1918,6 +1918,11 @@  echo_ignore_all - BOOLEAN
 	requests sent to it over the IPv6 protocol.
 	Default: 0
 
+echo_ignore_multicast - BOOLEAN
+	If set non-zero, then the kernel will ignore all ICMP ECHO
+	requests sent to it over the IPv6 protocol via multicast.
+	Default: 0
+
 xfrm6_gc_thresh - INTEGER
 	The threshold at which we will start garbage collecting for IPv6
 	destination cache entries.  At twice this value the system will
diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h
index b028a1dc150d..e29aff15acc9 100644
--- a/include/net/netns/ipv6.h
+++ b/include/net/netns/ipv6.h
@@ -33,6 +33,7 @@  struct netns_sysctl_ipv6 {
 	int auto_flowlabels;
 	int icmpv6_time;
 	int icmpv6_echo_ignore_all;
+	int icmpv6_echo_ignore_multicast;
 	int anycast_src_echo_reply;
 	int ip_nonlocal_bind;
 	int fwmark_reflect;
diff --git a/include/uapi/linux/sysctl.h b/include/uapi/linux/sysctl.h
index 87aa2a6d9125..bd83ddedc014 100644
--- a/include/uapi/linux/sysctl.h
+++ b/include/uapi/linux/sysctl.h
@@ -577,7 +577,8 @@  enum {
 /* /proc/sys/net/ipv6/icmp */
 enum {
 	NET_IPV6_ICMP_RATELIMIT = 1,
-	NET_IPV6_ICMP_ECHO_IGNORE_ALL = 2
+	NET_IPV6_ICMP_ECHO_IGNORE_ALL = 2,
+	NET_IPV6_ICMP_ECHO_IGNORE_MULTICAST = 3
 };
 
 /* /proc/sys/net/<protocol>/neigh/<dev> */
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index 2f45d2a3e3a3..fdc117de849c 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -847,6 +847,7 @@  static int __net_init inet6_net_init(struct net *net)
 	net->ipv6.sysctl.bindv6only = 0;
 	net->ipv6.sysctl.icmpv6_time = 1*HZ;
 	net->ipv6.sysctl.icmpv6_echo_ignore_all = 0;
+	net->ipv6.sysctl.icmpv6_echo_ignore_multicast = 0;
 	net->ipv6.sysctl.flowlabel_consistency = 1;
 	net->ipv6.sysctl.auto_flowlabels = IP6_DEFAULT_AUTO_FLOW_LABELS;
 	net->ipv6.sysctl.idgen_retries = 3;
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 802faa2fcc0e..0907bcede5e5 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -684,6 +684,10 @@  static void icmpv6_echo_reply(struct sk_buff *skb)
 	struct ipcm6_cookie ipc6;
 	u32 mark = IP6_REPLY_MARK(net, skb->mark);
 
+	if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr) &&
+	    net->ipv6.sysctl.icmpv6_echo_ignore_multicast)
+		return;
+
 	saddr = &ipv6_hdr(skb)->daddr;
 
 	if (!ipv6_unicast_destination(skb) &&
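Review bot: The new guard at the top of the hunk matches the whole multicast range, so once the knob is set the host also stops answering the link-local all-nodes group (ff02::1), which `ping ff02::1%dev` style host discovery depends on; that consequence is not stated in the ip-sysctl.txt entry and deserves a sentence there so an operator knows what is being switched off. A small ordering nit on the same lines: testing the per-netns flag first short-circuits the address check in the default (0) state, `if (net->ipv6.sysctl.icmpv6_echo_ignore_multicast && ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr)) return;`. The existing echo_ignore_all knob is not enforced anywhere in this hunk, so where it lives cannot be seen here; if it is checked by the caller rather than inside icmpv6_echo_reply(), enforcing the new knob at the same point would keep the two policies together. icmpv6_echo_reply() continues past the end of the hunk.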
@@ -1115,6 +1119,13 @@  static struct ctl_table ipv6_icmp_table_template[] = {
 		.mode		= 0644,
 		.proc_handler = proc_dointvec,
 	},
+	{
+		.procname	= "echo_ignore_multicast",
+		.data		= &init_net.ipv6.sysctl.icmpv6_echo_ignore_multicast,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler = proc_dointvec,
+	},
 	{ },
 };
 
@@ -1129,6 +1140,7 @@  struct ctl_table * __net_init ipv6_icmp_sysctl_init(struct net *net)
 	if (table) {
 		table[0].data = &net->ipv6.sysctl.icmpv6_time;
 		table[1].data = &net->ipv6.sysctl.icmpv6_echo_ignore_all;
+		table[2].data = &net->ipv6.sysctl.icmpv6_echo_ignore_multicast;
 	}
 	return table;
 }
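Review bot: The added `table[2].data = ...` line binds the per-netns pointer by position, so the template in ipv6_icmp_table_template and this rewrite must stay in the same order; a later entry inserted between "echo_ignore_all" and "echo_ignore_multicast" would silently attach the wrong field to the wrong procname. This follows the existing table[0]/table[1] pattern, so a comment is enough to make the coupling explicit: `/* indices must match the entry order in ipv6_icmp_table_template */` above the first assignment. Without it nothing in the function names the invariant the new line relies on.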