* [PATCH] [IPv6] Do not use loopback as source address on other interfaces
From: Karsten Keil @ 2008-06-18 13:23 UTC (permalink / raw)
To: netdev; +Cc: Sergey Mironov, Andrew Morton, Linus Torvalds
RFC 4291 forbids the use of the loopback address as source outside a node
(paragraph 2.5.3).
The latest TAHI test release 4.0.1 does have a check for this (ICMPv6 test
v6LC.5.1.2 Part F), so it fails currently on Linux.
Signed-off-by: Sergey Mironov <Mironov_Sergey@emc.com>
Signed-off-by: Karsten Keil <kkeil@suse.de>
---
net/ipv6/icmp.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index d42dd16..a571437 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -698,7 +698,10 @@ static int icmpv6_rcv(struct sk_buff *skb)
switch (type) {
case ICMPV6_ECHO_REQUEST:
- icmpv6_echo_reply(skb);
+ /* check that the query is not for loopback address (PSE SPB) */
+ if (!(ipv6_addr_type(daddr) & IPV6_ADDR_LOOPBACK) ||
+ (dev->flags & IFF_LOOPBACK))
+ icmpv6_echo_reply(skb);
break;
case ICMPV6_ECHO_REPLY:
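Review bot: the check sits at the wrong layer. It suppresses only the ICMPv6 echo reply, so a TCP or UDP packet addressed to ::1 that arrives on a non-loopback device still reaches the socket layer, and any answer it provokes carries ::1 as its source, which is exactly what RFC 4291 2.5.3 forbids; the per-interface test belongs in the generic receive path (ipv6_rcv()) so that every transport is covered. Two smaller points: the comment `(PSE SPB)` is opaque and should cite RFC 4291 2.5.3 instead, and the silently skipped request is not counted anywhere, so the drop is invisible in the ICMP statistics.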
--
Karsten Keil
SuSE Labs
ISDN and VOIP development
SUSE LINUX Products GmbH, Maxfeldstr.5 90409 Nuernberg, GF: Markus Rex, HRB 16746 (AG Nuernberg)
* Re: [PATCH] [IPv6] Do not use loopback as source address on other interfaces
From: YOSHIFUJI Hideaki / 吉藤英明 @ 2008-06-18 13:36 UTC (permalink / raw)
To: kkeil; +Cc: netdev, Mironov_Sergey, akpm, torvalds, yoshfuji
In article <20080618132312.GA25004@pingi.kke.suse.de> (at Wed, 18 Jun 2008 15:23:12 +0200), Karsten Keil <kkeil@suse.de> says:
> RFC 4291 forbids the use of the loopback address as source outside a node
> (paragraph 2.5.3).
>
> The latest TAHI test release 4.0.1 does have a check for this (ICMPv6 test
> v6LC.5.1.2 Part F), so it fails currently on Linux.
>
> Signed-off-by: Sergey Mironov <Mironov_Sergey@emc.com>
> Signed-off-by: Karsten Keil <kkeil@suse.de>
I disagree with this approach - too ad-hoc a fix just to pass the tests.
--yoshfuji
* Re: [PATCH] [IPv6] Do not use loopback as source address on other interfaces
From: Karsten Keil @ 2008-06-18 14:05 UTC (permalink / raw)
To: YOSHIFUJI Hideaki / 吉藤英明
Cc: kkeil, netdev, Mironov_Sergey, akpm, torvalds
On Wed, Jun 18, 2008 at 10:36:00PM +0900, YOSHIFUJI Hideaki / 吉藤英明 wrote:
> In article <20080618132312.GA25004@pingi.kke.suse.de> (at Wed, 18 Jun 2008 15:23:12 +0200), Karsten Keil <kkeil@suse.de> says:
>
> > RFC 4291 forbids the use of the loopback address as source outside a node
> > (paragraph 2.5.3).
> >
> > The latest TAHI test release 4.0.1 does have a check for this (ICMPv6 test
> > v6LC.5.1.2 Part F), so it fails currently on Linux.
> >
> > Signed-off-by: Sergey Mironov <Mironov_Sergey@emc.com>
> > Signed-off-by: Karsten Keil <kkeil@suse.de>
>
> I disagree with this approach - too ad-hoc a fix just to pass the tests.
>
So you would prefer a more general test in some common place (like
__ip6_local_out() ) to avoid any packets with ::1 on devices other than
loopback?
* Re: [PATCH] [IPv6] Do not use loopback as source address on other interfaces
From: Karsten Keil @ 2008-06-18 14:25 UTC (permalink / raw)
To: YOSHIFUJI Hideaki / 吉藤英明, kkeil, netdev, Mironov_Sergey, akpm, torvalds
On Wed, Jun 18, 2008 at 04:05:58PM +0200, Karsten Keil wrote:
> On Wed, Jun 18, 2008 at 10:36:00PM +0900, YOSHIFUJI Hideaki / 吉藤英明 wrote:
> > In article <20080618132312.GA25004@pingi.kke.suse.de> (at Wed, 18 Jun 2008 15:23:12 +0200), Karsten Keil <kkeil@suse.de> says:
> >
> > > RFC 4291 forbids the use of the loopback address as source outside a node
> > > (paragraph 2.5.3).
> > >
> > > The latest TAHI test release 4.0.1 does have a check for this (ICMPv6 test
> > > v6LC.5.1.2 Part F), so it fails currently on Linux.
> > >
> > > Signed-off-by: Sergey Mironov <Mironov_Sergey@emc.com>
> > > Signed-off-by: Karsten Keil <kkeil@suse.de>
> >
> > I disagree with this approach - too ad-hoc a fix just to pass the tests.
> >
>
> So you would prefer a more general test in some common place (like
> __ip6_local_out() ) to avoid any packets with ::1 on devices other than
> loopback?
>
I think that dropping packets with destination ::1 in ipv6_rcv() for devices
!= loopback would better reflect what RFC 4291 2.5.3 says.
* Re: [PATCH] [IPv6] Do not use loopback as source address on other interfaces
From: YOSHIFUJI Hideaki / 吉藤英明 @ 2008-06-18 14:36 UTC (permalink / raw)
To: kkeil, davem; +Cc: netdev, Mironov_Sergey, akpm, torvalds, yoshfuji
In article <20080618140558.GB25004@pingi.kke.suse.de> (at Wed, 18 Jun 2008 16:05:58 +0200), Karsten Keil <kkeil@suse.de> says:
> On Wed, Jun 18, 2008 at 10:36:00PM +0900, YOSHIFUJI Hideaki / 吉藤英明 wrote:
> > In article <20080618132312.GA25004@pingi.kke.suse.de> (at Wed, 18 Jun 2008 15:23:12 +0200), Karsten Keil <kkeil@suse.de> says:
> >
> > > RFC 4291 forbids the use of the loopback address as source outside a node
> > > (paragraph 2.5.3).
> > >
> > > The latest TAHI test release 4.0.1 does have a check for this (ICMPv6 test
> > > v6LC.5.1.2 Part F), so it fails currently on Linux.
> > >
> > > Signed-off-by: Sergey Mironov <Mironov_Sergey@emc.com>
> > > Signed-off-by: Karsten Keil <kkeil@suse.de>
> >
> > I disagree with this approach - too ad-hoc a fix just to pass the tests.
> >
>
> So you would prefer a more general test in some common place (like
> __ip6_local_out() ) to avoid any packets with ::1 on devices other than
> loopback?
No, we should not even accept packets for ::1 from outside of the box.
Something like this.
---
ipv6: Drop packets for loopback address from outside of the box.
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
--
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index e0a612b..f422f72 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -367,6 +367,12 @@ static inline int ipv6_addr_any(const struct in6_addr *a)
a->s6_addr32[2] | a->s6_addr32[3] ) == 0);
}
+static inline int ipv6_addr_loopback(const struct in6_addr *a)
+{
+ return ((a->s6_addr32[0] | a->s6_addr32[1] |
+ a->s6_addr32[2] | (a->s6_addr32[3] ^ htonl(1))) == 0);
+}
+
static inline int ipv6_addr_v4mapped(const struct in6_addr *a)
{
return ((a->s6_addr32[0] | a->s6_addr32[1] |
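Review bot: no logic problem here; `(a->s6_addr32[3] ^ htonl(1)) == 0` holds only when the last 32-bit word is 1 in network byte order, so the helper is endianness-safe and matches ::1 exactly (not ::1:0 or ::100). Two style points: the function mirrors ipv6_addr_any() right above it but deserves a one-line comment naming the address it tests, and call sites that open-code `ipv6_addr_type(x) & IPV6_ADDR_LOOPBACK` just to test for ::1, as the earlier icmp.c patch did, can switch to this cheaper inline test.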
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index 4e5c861..17eb48b 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -102,6 +102,15 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
if (hdr->version != 6)
goto err;
+ /*
+ * RFC4291 2.5.3
+ * A packet received on an interface with a destination address
+ * of loopback must be dropped.
+ */
+ if (!(dev->flags & IFF_LOOPBACK) &&
+ ipv6_addr_loopback(&hdr->daddr))
+ goto err;
+
skb->transport_header = skb->network_header + sizeof(*hdr);
IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
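Review bot: the test covers only the destination. The same section of RFC 4291 (and this thread's subject line) also forbids ::1 as a source outside a node, and a packet with saddr ::1 arriving on a non-loopback device is spoofed by definition, so consider `ipv6_addr_loopback(&hdr->saddr) || ipv6_addr_loopback(&hdr->daddr)` under the same `!(dev->flags & IFF_LOOPBACK)` guard. Also, `goto err` reuses the path taken for a bad version field; if that label bumps the header-error counter, an address-policy drop will be reported as a header error, which is worth either noting in the comment or avoiding by jumping to the plain drop path.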
--yoshfuji
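The difference between the two patches in this thread, as an added user-space model in C (example code, not kernel code and not from either patch): it reproduces the ipv6_addr_loopback() test from the patch above, then runs constructed IPv6 headers through the icmp.c-only guard from the first patch, the ipv6_rcv() check proposed here, and a stricter variant that also rejects a loopback source on a non-loopback device. The struct layouts, policy names, the four sample packets and the stricter variant are all assumptions of this example and go beyond what the thread merged.

```c
/*
 * Added example, not kernel code: a user-space model of the three receive
 * policies discussed in this thread, run over constructed IPv6 headers.
 * Struct layouts, policy names and the sample packets are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>      /* htonl(), inet_pton() */

#define NEXTHDR_TCP          6
#define NEXTHDR_ICMPV6       58
#define ICMPV6_ECHO_REQUEST  128

struct in6_addr_ex { uint32_t s6_addr32[4]; };   /* network byte order */

struct rx_pkt {
    int dev_is_loopback;        /* stands in for dev->flags & IFF_LOOPBACK */
    uint8_t nexthdr;
    uint8_t icmp_type;          /* only meaningful for NEXTHDR_ICMPV6 */
    struct in6_addr_ex saddr, daddr;
};

/* Same test as the kernel helper in the patch: all words zero except the
 * last, which must be 1 in network order; htonl() keeps it endian-safe. */
static int ipv6_addr_loopback(const struct in6_addr_ex *a)
{
    return ((a->s6_addr32[0] | a->s6_addr32[1] |
             a->s6_addr32[2] | (a->s6_addr32[3] ^ htonl(1))) == 0);
}

/* Return 1 if the textual address is exactly ::1, 0 otherwise. */
int is_loopback_text(const char *txt)
{
    struct in6_addr_ex a;
    unsigned char raw[16];
    if (inet_pton(AF_INET6, txt, raw) != 1)
        return 0;
    memcpy(a.s6_addr32, raw, sizeof raw);
    return ipv6_addr_loopback(&a);
}

enum policy {
    POLICY_ICMP_ONLY,        /* first patch: guard only the echo reply */
    POLICY_IPV6_RCV,         /* this patch: drop dst ::1 off non-loopback */
    POLICY_IPV6_RCV_STRICT   /* assumption: additionally drop src ::1 */
};

/* Return 1 if the packet is accepted under the policy, 0 if it is dropped. */
int accepted(enum policy pol, struct rx_pkt p)
{
    int dst_lo = ipv6_addr_loopback(&p.daddr);
    int src_lo = ipv6_addr_loopback(&p.saddr);

    switch (pol) {
    case POLICY_ICMP_ONLY:
        /* Only the echo path is checked; every other transport passes. */
        if (p.nexthdr == NEXTHDR_ICMPV6 && p.icmp_type == ICMPV6_ECHO_REQUEST)
            return !dst_lo || p.dev_is_loopback;
        return 1;
    case POLICY_IPV6_RCV:
        return p.dev_is_loopback || !dst_lo;
    case POLICY_IPV6_RCV_STRICT:
        return p.dev_is_loopback || (!dst_lo && !src_lo);
    }
    return 1;
}

/* Constructed sample packets (not captured traffic). */
static struct rx_pkt make_pkt(int lo, const char *src, const char *dst,
                              uint8_t nexthdr, uint8_t icmp_type)
{
    struct rx_pkt p;
    unsigned char raw[16];
    memset(&p, 0, sizeof p);
    p.dev_is_loopback = lo;
    p.nexthdr = nexthdr;
    p.icmp_type = icmp_type;
    inet_pton(AF_INET6, src, raw); memcpy(p.saddr.s6_addr32, raw, 16);
    inet_pton(AF_INET6, dst, raw); memcpy(p.daddr.s6_addr32, raw, 16);
    return p;
}

struct rx_pkt pkt_echo_to_lo_on_eth0(void)
{ return make_pkt(0, "2001:db8::2", "::1", NEXTHDR_ICMPV6, ICMPV6_ECHO_REQUEST); }
struct rx_pkt pkt_syn_to_lo_on_eth0(void)
{ return make_pkt(0, "2001:db8::2", "::1", NEXTHDR_TCP, 0); }
struct rx_pkt pkt_echo_to_lo_on_lo(void)
{ return make_pkt(1, "::1", "::1", NEXTHDR_ICMPV6, ICMPV6_ECHO_REQUEST); }
struct rx_pkt pkt_spoofed_src_lo_on_eth0(void)
{ return make_pkt(0, "::1", "2001:db8::1", NEXTHDR_TCP, 0); }

int main(void)
{
    struct { const char *name; struct rx_pkt p; } cases[] = {
        { "echo req to ::1 on eth0",  pkt_echo_to_lo_on_eth0() },
        { "TCP SYN to ::1 on eth0",   pkt_syn_to_lo_on_eth0() },
        { "echo req to ::1 on lo",    pkt_echo_to_lo_on_lo() },
        { "TCP SYN from ::1 on eth0", pkt_spoofed_src_lo_on_eth0() },
    };
    printf("%-26s %-9s %-9s %s\n", "packet", "icmp-only", "ipv6_rcv", "strict");
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-26s %-9s %-9s %s\n", cases[i].name,
               accepted(POLICY_ICMP_ONLY, cases[i].p) ? "accept" : "drop",
               accepted(POLICY_IPV6_RCV, cases[i].p) ? "accept" : "drop",
               accepted(POLICY_IPV6_RCV_STRICT, cases[i].p) ? "accept" : "drop");
    return 0;
}
```

The table shows the gap Yoshifuji objects to: the icmp.c-only guard still lets a TCP SYN for ::1 through on eth0, while the ipv6_rcv() check drops everything for ::1 that did not come in on the loopback device and still accepts a local `ping6 ::1`. Only the stricter (assumed) variant also refuses a packet that claims ::1 as its source on a real interface.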
* Re: [PATCH] [IPv6] Do not use loopback as source address on other interfaces
From: Karsten Keil @ 2008-06-18 16:11 UTC (permalink / raw)
To: YOSHIFUJI Hideaki / 吉藤英明
Cc: davem, netdev, Mironov_Sergey, akpm, torvalds
On Wed, Jun 18, 2008 at 11:36:07PM +0900, YOSHIFUJI Hideaki / 吉藤英明 wrote:
> In article <20080618140558.GB25004@pingi.kke.suse.de> (at Wed, 18 Jun 2008 16:05:58 +0200), Karsten Keil <kkeil@suse.de> says:
>
> > On Wed, Jun 18, 2008 at 10:36:00PM +0900, YOSHIFUJI Hideaki / 吉藤英明 wrote:
> > > In article <20080618132312.GA25004@pingi.kke.suse.de> (at Wed, 18 Jun 2008 15:23:12 +0200), Karsten Keil <kkeil@suse.de> says:
> > >
> > > > RFC 4291 forbids the use of the loopback address as source outside a node
> > > > (paragraph 2.5.3).
> > > >
> > > > The latest TAHI test release 4.0.1 does have a check for this (ICMPv6 test
> > > > v6LC.5.1.2 Part F), so it fails currently on Linux.
> > > >
> > > > Signed-off-by: Sergey Mironov <Mironov_Sergey@emc.com>
> > > > Signed-off-by: Karsten Keil <kkeil@suse.de>
> > >
> > > I disagree with this approach - too ad-hoc a fix just to pass the tests.
> > >
> >
> > So you would prefer a more general test in some common place (like
> > __ip6_local_out() ) to avoid any packets with ::1 on devices other than
> > loopback?
>
> No, we should not even accept packets for ::1 from outside of the box.
> Something like this.
>
Yes, I was thinking about nearly the same patch now :-)
> ---
> ipv6: Drop packets for loopback address from outside of the box.
>
> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
>
> --
> diff --git a/include/net/ipv6.h b/include/net/ipv6.h
> index e0a612b..f422f72 100644
> --- a/include/net/ipv6.h
> +++ b/include/net/ipv6.h
> @@ -367,6 +367,12 @@ static inline int ipv6_addr_any(const struct in6_addr *a)
> a->s6_addr32[2] | a->s6_addr32[3] ) == 0);
> }
>
> +static inline int ipv6_addr_loopback(const struct in6_addr *a)
> +{
> + return ((a->s6_addr32[0] | a->s6_addr32[1] |
> + a->s6_addr32[2] | (a->s6_addr32[3] ^ htonl(1))) == 0);
> +}
> +
> static inline int ipv6_addr_v4mapped(const struct in6_addr *a)
> {
> return ((a->s6_addr32[0] | a->s6_addr32[1] |
> diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
> index 4e5c861..17eb48b 100644
> --- a/net/ipv6/ip6_input.c
> +++ b/net/ipv6/ip6_input.c
> @@ -102,6 +102,15 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
> if (hdr->version != 6)
> goto err;
>
> + /*
> + * RFC4291 2.5.3
> + * A packet received on an interface with a destination address
> + * of loopback must be dropped.
> + */
> + if (!(dev->flags & IFF_LOOPBACK) &&
> + ipv6_addr_loopback(&hdr->daddr))
> + goto err;
> +
> skb->transport_header = skb->network_header + sizeof(*hdr);
> IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
>
>
>
> --yoshfuji
* Re: [PATCH] [IPv6] Do not use loopback as source address on other interfaces
From: Karsten Keil @ 2008-06-18 17:49 UTC (permalink / raw)
To: netdev
Hi Yoshfuji,
On Wed, Jun 18, 2008 at 11:36:07PM +0900, YOSHIFUJI Hideaki / 吉藤英明 wrote:
Verified that this patch fixes the TAHI issue and that ping6 ::1 still works.
So this should go in.
...
> ipv6: Drop packets for loopback address from outside of the box.
>
> Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
>
> --
> diff --git a/include/net/ipv6.h b/include/net/ipv6.h
> index e0a612b..f422f72 100644
> --- a/include/net/ipv6.h
> +++ b/include/net/ipv6.h
> @@ -367,6 +367,12 @@ static inline int ipv6_addr_any(const struct in6_addr *a)
> a->s6_addr32[2] | a->s6_addr32[3] ) == 0);
> }
>
> +static inline int ipv6_addr_loopback(const struct in6_addr *a)
> +{
> + return ((a->s6_addr32[0] | a->s6_addr32[1] |
> + a->s6_addr32[2] | (a->s6_addr32[3] ^ htonl(1))) == 0);
> +}
> +
> static inline int ipv6_addr_v4mapped(const struct in6_addr *a)
> {
> return ((a->s6_addr32[0] | a->s6_addr32[1] |
> diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
> index 4e5c861..17eb48b 100644
> --- a/net/ipv6/ip6_input.c
> +++ b/net/ipv6/ip6_input.c
> @@ -102,6 +102,15 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
> if (hdr->version != 6)
> goto err;
>
> + /*
> + * RFC4291 2.5.3
> + * A packet received on an interface with a destination address
> + * of loopback must be dropped.
> + */
> + if (!(dev->flags & IFF_LOOPBACK) &&
> + ipv6_addr_loopback(&hdr->daddr))
> + goto err;
> +
> skb->transport_header = skb->network_header + sizeof(*hdr);
> IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
>
>
>
> --yoshfuji
* Re: [PATCH] [IPv6] Do not use loopback as source address on other interfaces
From: David Miller @ 2008-06-19 23:34 UTC (permalink / raw)
To: kkeil; +Cc: netdev
From: Karsten Keil <kkeil@suse.de>
Date: Wed, 18 Jun 2008 19:49:07 +0200
> Verified that this patch fixes the TAHI issue and that ping6 ::1 still works.
> So this should go in.
I've added the patch to net-2.6, as below. Thanks everyone!
ipv6: Drop packets for loopback address from outside of the box.
[ Based upon original report and patch by Karsten Keil. Karsten
has verified that this fixes the TAHI test case "ICMPv6 test
v6LC.5.1.2 Part F". -DaveM ]
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
include/net/ipv6.h | 6 ++++++
net/ipv6/ip6_input.c | 9 +++++++++
2 files changed, 15 insertions(+), 0 deletions(-)
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index e0a612b..f422f72 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -367,6 +367,12 @@ static inline int ipv6_addr_any(const struct in6_addr *a)
a->s6_addr32[2] | a->s6_addr32[3] ) == 0);
}
+static inline int ipv6_addr_loopback(const struct in6_addr *a)
+{
+ return ((a->s6_addr32[0] | a->s6_addr32[1] |
+ a->s6_addr32[2] | (a->s6_addr32[3] ^ htonl(1))) == 0);
+}
+
static inline int ipv6_addr_v4mapped(const struct in6_addr *a)
{
return ((a->s6_addr32[0] | a->s6_addr32[1] |
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index 4e5c861..17eb48b 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -102,6 +102,15 @@ int ipv6_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt
if (hdr->version != 6)
goto err;
+ /*
+ * RFC4291 2.5.3
+ * A packet received on an interface with a destination address
+ * of loopback must be dropped.
+ */
+ if (!(dev->flags & IFF_LOOPBACK) &&
+ ipv6_addr_loopback(&hdr->daddr))
+ goto err;
+
skb->transport_header = skb->network_header + sizeof(*hdr);
IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
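Review bot: the merged check exempts only devices carrying IFF_LOOPBACK, so the verification reported upthread (`ping6 ::1` still works) exercises the exempt path alone; the negative case, an echo request for ::1 injected on a non-loopback interface, is what TAHI v6LC.5.1.2 Part F covers and is worth keeping in the regression set, since nothing in this hunk logs or counts the drop distinctly from other `goto err` cases. The comment also quotes only the destination sentence of RFC 4291 2.5.3 while the thread subject is about ::1 as a source; a follow-up that tests `hdr->saddr` under the same guard would close that half.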
--
1.5.6.rc3.21.g8c6b5