Message ID | 1437709989-30041-1-git-send-email-liuhangbin@gmail.com |
---|---|
State | Changes Requested, archived |
Delegated to: | David Miller |
Headers | show |
Hi, Hangbin Liu wrote: > Commit 6fd99094de2b ("ipv6: Don't reduce hop limit for an interface") > disabled accept hop limit from RA if it is higher than the current hop > limit for security stuff. But this behavior kind of break the RFC definition. > > RFC 4861, 6.3.4. Processing Received Router Advertisements > If the received Cur Hop Limit value is non-zero, the host SHOULD set > its CurHopLimit variable to the received value. > > So add sysctl option accept_ra_hop_limit to let user choose whether accept > hop limit info in RA. > > Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> > Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> > --- > Documentation/networking/ip-sysctl.txt | 11 +++++++++++ > include/linux/ipv6.h | 1 + > include/uapi/linux/ipv6.h | 1 + > net/ipv6/addrconf.c | 10 ++++++++++ > net/ipv6/ndisc.c | 17 +++++++++++------ > 5 files changed, 34 insertions(+), 6 deletions(-) > : > diff --git a/include/uapi/linux/ipv6.h b/include/uapi/linux/ipv6.h > index 5efa54a..9f40ac9 100644 > --- a/include/uapi/linux/ipv6.h > +++ b/include/uapi/linux/ipv6.h > @@ -153,6 +153,7 @@ enum { > DEVCONF_FORCE_MLD_VERSION, > DEVCONF_ACCEPT_RA_DEFRTR, > DEVCONF_ACCEPT_RA_PINFO, > + DEVCONF_ACCEPT_RA_HOP_LIMIT, > DEVCONF_ACCEPT_RA_RTR_PREF, > DEVCONF_RTR_PROBE_INTERVAL, > DEVCONF_ACCEPT_RA_RT_INFO_MAX_PLEN, No, you cannot add new one in the middle of these since values are exported to userspace. --yoshfuji -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
2015-07-24 12:48 GMT+08:00 YOSHIFUJI Hideaki <hideaki.yoshifuji@miraclelinux.com>: > Hi, > > Hangbin Liu wrote: >> Commit 6fd99094de2b ("ipv6: Don't reduce hop limit for an interface") >> disabled accept hop limit from RA if it is higher than the current hop >> limit for security stuff. But this behavior kind of break the RFC definition. >> >> RFC 4861, 6.3.4. Processing Received Router Advertisements >> If the received Cur Hop Limit value is non-zero, the host SHOULD set >> its CurHopLimit variable to the received value. >> >> So add sysctl option accept_ra_hop_limit to let user choose whether accept >> hop limit info in RA. >> >> Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> >> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> >> --- >> Documentation/networking/ip-sysctl.txt | 11 +++++++++++ >> include/linux/ipv6.h | 1 + >> include/uapi/linux/ipv6.h | 1 + >> net/ipv6/addrconf.c | 10 ++++++++++ >> net/ipv6/ndisc.c | 17 +++++++++++------ >> 5 files changed, 34 insertions(+), 6 deletions(-) >> > : >> diff --git a/include/uapi/linux/ipv6.h b/include/uapi/linux/ipv6.h >> index 5efa54a..9f40ac9 100644 >> --- a/include/uapi/linux/ipv6.h >> +++ b/include/uapi/linux/ipv6.h >> @@ -153,6 +153,7 @@ enum { >> DEVCONF_FORCE_MLD_VERSION, >> DEVCONF_ACCEPT_RA_DEFRTR, >> DEVCONF_ACCEPT_RA_PINFO, >> + DEVCONF_ACCEPT_RA_HOP_LIMIT, >> DEVCONF_ACCEPT_RA_RTR_PREF, >> DEVCONF_RTR_PROBE_INTERVAL, >> DEVCONF_ACCEPT_RA_RT_INFO_MAX_PLEN, > > No, you cannot add new one in the middle of these since > values are exported to userspace. > Hi Yoshfuji-san, Thanks for the reminding, should I also move the value in struct ipv6_devconf to the end or just leave after accept_ra_pinfo? Thanks Hangbin -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt index 5fae770..778c479 100644 --- a/Documentation/networking/ip-sysctl.txt +++ b/Documentation/networking/ip-sysctl.txt @@ -1346,6 +1346,17 @@ accept_ra_pinfo - BOOLEAN Functional default: enabled if accept_ra is enabled. disabled if accept_ra is disabled. +accept_ra_hop_limit - INTEGER + Learn hop limit in Router Advertisement. + + Possible values are: + 0 Do not accept hop limit in Router Advertisements. + 1 Accept hop limit in Router Advertisements if it is higher + than the current hop limit. + 2 Accept hop limit in Router Advertisements anyway. + + Default: 1 + accept_ra_rt_info_max_plen - INTEGER Maximum prefix length of Route Information in RA. diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h index 82806c6..a21a9c6 100644 --- a/include/linux/ipv6.h +++ b/include/linux/ipv6.h @@ -30,6 +30,7 @@ struct ipv6_devconf { __s32 max_addresses; __s32 accept_ra_defrtr; __s32 accept_ra_pinfo; + __s32 accept_ra_hop_limit; #ifdef CONFIG_IPV6_ROUTER_PREF __s32 accept_ra_rtr_pref; __s32 rtr_probe_interval; diff --git a/include/uapi/linux/ipv6.h b/include/uapi/linux/ipv6.h index 5efa54a..9f40ac9 100644 --- a/include/uapi/linux/ipv6.h +++ b/include/uapi/linux/ipv6.h @@ -153,6 +153,7 @@ enum { DEVCONF_FORCE_MLD_VERSION, DEVCONF_ACCEPT_RA_DEFRTR, DEVCONF_ACCEPT_RA_PINFO, + DEVCONF_ACCEPT_RA_HOP_LIMIT, DEVCONF_ACCEPT_RA_RTR_PREF, DEVCONF_RTR_PROBE_INTERVAL, DEVCONF_ACCEPT_RA_RT_INFO_MAX_PLEN, diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 21c2c81..486a7a5 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -196,6 +196,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = { .accept_ra_defrtr = 1, .accept_ra_from_local = 0, .accept_ra_pinfo = 1, + .accept_ra_hop_limit = 1, #ifdef CONFIG_IPV6_ROUTER_PREF .accept_ra_rtr_pref = 1, .rtr_probe_interval = 60 * HZ, @@ -237,6 +238,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = { .accept_ra_defrtr = 1, .accept_ra_from_local = 0, .accept_ra_pinfo = 1, + .accept_ra_hop_limit = 1, #ifdef CONFIG_IPV6_ROUTER_PREF .accept_ra_rtr_pref = 1, .rtr_probe_interval = 60 * HZ, @@ -4561,6 +4563,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf *cnf, array[DEVCONF_MAX_ADDRESSES] = cnf->max_addresses; array[DEVCONF_ACCEPT_RA_DEFRTR] = cnf->accept_ra_defrtr; array[DEVCONF_ACCEPT_RA_PINFO] = cnf->accept_ra_pinfo; + array[DEVCONF_ACCEPT_RA_HOP_LIMIT] = cnf->accept_ra_hop_limit; #ifdef CONFIG_IPV6_ROUTER_PREF array[DEVCONF_ACCEPT_RA_RTR_PREF] = cnf->accept_ra_rtr_pref; array[DEVCONF_RTR_PROBE_INTERVAL] = @@ -5462,6 +5465,13 @@ static struct addrconf_sysctl_table .mode = 0644, .proc_handler = proc_dointvec, }, + { + .procname = "accept_ra_hop_limit", + .data = &ipv6_devconf.accept_ra_hop_limit, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec, + }, #ifdef CONFIG_IPV6_ROUTER_PREF { .procname = "accept_ra_rtr_pref", diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c index 0a05b35..aca67da 100644 --- a/net/ipv6/ndisc.c +++ b/net/ipv6/ndisc.c @@ -1226,13 +1226,18 @@ static void ndisc_router_discovery(struct sk_buff *skb) if (rt) rt6_set_expires(rt, jiffies + (HZ * lifetime)); if (ra_msg->icmph.icmp6_hop_limit) { - /* Only set hop_limit on the interface if it is higher than - * the current hop_limit. - */ - if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) { + switch (in6_dev->cnf.accept_ra_hop_limit) { + case 0: + break; + case 1: + if (in6_dev->cnf.hop_limit > ra_msg->icmph.icmp6_hop_limit) { + ND_PRINTK(2, warn, + "RA: Got route advertisement with lower hop_limit than current\n"); + break; + } + default: in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit; - } else { - ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n"); + break; } if (rt) dst_metric_set(&rt->dst, RTAX_HOPLIMIT,