Patchwork route: fix ICMP secure_redirects

Submitter Flavio Leitner
Date Nov. 7, 2011, 3:41 p.m.
Message ID <1320680505-26367-1-git-send-email-fbl@redhat.com>
Permalink /patch/124111/
State Rejected
Delegated to: David Miller

Comments

Flavio Leitner - Nov. 7, 2011, 3:41 p.m.
It should accept ICMP redirects from any host and not
just from gateways when secure_redirects is disabled.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
---
 net/ipv4/route.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)
David Miller - Nov. 7, 2011, 6:35 p.m.
From: Flavio Leitner <fbl@redhat.com>
Date: Mon,  7 Nov 2011 13:41:45 -0200

> It should accept ICMP redirects from any host and not
> just from gateways when secure_redirects is disabled.
> 
> Signed-off-by: Flavio Leitner <fbl@redhat.com>

This is changing the default behavior, and could break things for people.

We have sort-of discussed this already, and agreed that the tests made in
this code before my inetpeer reworking had to be reinstated exactly as it
was.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Flavio Leitner - Nov. 7, 2011, 7:05 p.m.
On Mon, 07 Nov 2011 13:35:41 -0500 (EST)
David Miller <davem@davemloft.net> wrote:

> From: Flavio Leitner <fbl@redhat.com>
> Date: Mon,  7 Nov 2011 13:41:45 -0200
> 
> > It should accept ICMP redirects from any host and not
> > just from gateways when secure_redirects is disabled.
> > 
> > Signed-off-by: Flavio Leitner <fbl@redhat.com>
> 
> This is changing the default behavior, and could break things for
> people.
> 
> We have sort-of discussed this already, and agreed that the tests
> made in this code before my inetpeer reworking had to be reinstated
> exactly as it was.

Right, so I cannot change either values 0 or 1 then. For some
reason I thought I couldn't change only the default behavior.
I will think on something else then.
thanks,
fbl


Patch

diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 155138d..dd6937ec 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1347,7 +1347,8 @@  void ip_rt_redirect(__be32 old_gw, __be32 daddr, __be32 new_gw,
 				continue;
 
 			if (rt->dst.error || rt->dst.dev != dev ||
-			    rt->rt_gateway != old_gw) {
+			    (IN_DEV_SEC_REDIRECTS(in_dev) &&
+			    rt->rt_gateway != old_gw)) {
 				ip_rt_put(rt);
 				continue;
 			}
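
Review bot: With secure_redirects disabled, the new condition skips the `rt->rt_gateway != old_gw` test entirely, so a redirect is applied to a cached route even when `old_gw` is not that route's current gateway. That removes the only check in this hunk tying the redirect to the gateway actually in use, and it changes what the setting's off value has meant for existing configurations. If accepting redirects from any host is wanted, make it a separate opt-in rather than a reinterpretation of the existing value, and update the sysctl documentation in the same patch (the diffstat touches only net/ipv4/route.c). Style: the continuation line `rt->rt_gateway != old_gw))` should be indented one more column so it aligns under `IN_DEV_SEC_REDIRECTS` inside the inner parenthesis.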