* [PATCH net-next-2.6] ipv6: adding ip_nonlocal_bind option from ipv4
@ 2010-07-03 20:38 Michal Humpula
2010-07-05 2:03 ` Simon Horman
2010-07-05 10:13 ` YOSHIFUJI Hideaki
0 siblings, 2 replies; 5+ messages in thread
From: Michal Humpula @ 2010-07-03 20:38 UTC (permalink / raw)
To: netdev
Adds the ability to bind a non-local IPv6 address, the same way as for IPv4.
Signed-off-by: Michal Humpula <michal.humpula@web4u.cz>
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index f350c69..27fa09a 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -962,6 +962,10 @@ bindv6only - BOOLEAN
FALSE: enable IPv4-mapped address feature
Default: FALSE (as specified in RFC2553bis)
+ipv6_nonlocal_bind - BOOLEAN
+ If set, allows processes to bind() to non-local IPv6 addresses,
+ which can be quite useful - but may break some applications.
+ Default: 0
IPv6 Fragmentation:
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index 7bb5cb6..8957ead 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -528,6 +528,7 @@ enum {
NET_IPV6_IP6FRAG_TIME=23,
NET_IPV6_IP6FRAG_SECRET_INTERVAL=24,
NET_IPV6_MLD_MAX_MSF=25,
+ NET_IPV6_NONLOCAL_BIND=26
};
enum {
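Review bot: The new enumerator `NET_IPV6_NONLOCAL_BIND=26` is the only entry in this list without a trailing comma, so the next addition has to touch this line as well; write it as `NET_IPV6_NONLOCAL_BIND=26,` to match its neighbours. This hunk also allocates a number in the binary sysctl(2) namespace and the kernel/sysctl_binary.c hunk wires it up; if this tree still treats the binary interface as a deprecated compatibility layer, a proc-only knob with no NET_IPV6_* number would be the smaller change and avoids extending an interface that is being retired.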
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 1f84124..f459fcb 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -641,6 +641,8 @@ static inline int snmp6_unregister_dev(struct inet6_dev *idev) { return 0; }
#endif
#ifdef CONFIG_SYSCTL
+extern int sysctl_ipv6_nonlocal_bind;
+
extern ctl_table ipv6_route_table_template[];
extern ctl_table ipv6_icmp_table_template[];
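Review bot: The declaration `extern int sysctl_ipv6_nonlocal_bind;` is placed inside `#ifdef CONFIG_SYSCTL`, but the definition and `EXPORT_SYMBOL` added in the net/ipv6/af_inet6.c hunk are unconditional and inet6_bind reads the variable whatever the config. With CONFIG_SYSCTL disabled the exported symbol then has no visible prototype, which sparse-style "should it be static?" checks tend to flag, and any other compilation unit that wanted the flag could not see it. Moving the extern above the `#ifdef`, next to the always-present declarations, and leaving only the ctl_table templates under the ifdef keeps the declaration and definition in step. The same point applies to the af_inet6.c hunk that defines the symbol.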
diff --git a/kernel/sysctl_binary.c b/kernel/sysctl_binary.c
index 1357c57..525edae 100644
--- a/kernel/sysctl_binary.c
+++ b/kernel/sysctl_binary.c
@@ -559,6 +559,7 @@ static const struct bin_table bin_net_ipv6_table[] = {
{ CTL_DIR, NET_IPV6_ROUTE, "route", bin_net_ipv6_route_table },
{ CTL_DIR, NET_IPV6_ICMP, "icmp", bin_net_ipv6_icmp_table },
{ CTL_INT, NET_IPV6_BINDV6ONLY, "bindv6only" },
+ { CTL_INT, NET_IPV6_NONLOCAL_BIND, "ipv6_nonlocal_bind" },
{ CTL_INT, NET_IPV6_IP6FRAG_HIGH_THRESH, "ip6frag_high_thresh" },
{ CTL_INT, NET_IPV6_IP6FRAG_LOW_THRESH, "ip6frag_low_thresh" },
{ CTL_INT, NET_IPV6_IP6FRAG_TIME, "ip6frag_time" },
diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
index e830cd4..55b3552 100644
--- a/net/ipv6/af_inet6.c
+++ b/net/ipv6/af_inet6.c
@@ -252,6 +252,8 @@ out_rcu_unlock:
goto out;
}
+int sysctl_ipv6_nonlocal_bind __read_mostly;
+EXPORT_SYMBOL(sysctl_ipv6_nonlocal_bind);
/* bind for INET6 API */
int inet6_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
@@ -345,8 +347,10 @@ int inet6_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
if (!(addr_type & IPV6_ADDR_MULTICAST)) {
if (!ipv6_chk_addr(net, &addr->sin6_addr,
dev, 0)) {
- err = -EADDRNOTAVAIL;
- goto out_unlock;
+ if (!sysctl_ipv6_nonlocal_bind) {
+ err = -EADDRNOTAVAIL;
+ goto out_unlock;
+ }
}
}
rcu_read_unlock();
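Review bot: The new guard `if (!sysctl_ipv6_nonlocal_bind)` makes non-local bind a host-wide decision only; the IPv4 path this mirrors is also reachable per socket through the IP_FREEBIND option, and nothing in this hunk consults a per-socket flag, so an application that sets that option on an AF_INET6 socket still gets -EADDRNOTAVAIL unless the whole host is switched over. If per-socket opt-in is wanted, the guard is the place for it, along the lines of `if (!sysctl_ipv6_nonlocal_bind && !inet->freebind)`; I cannot see from the hunk whether an `inet` pointer is already in scope here, so confirm before using it. inet6_bind begins and ends outside the hunk.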
diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c
index fa1d8f4..56bfe76 100644
--- a/net/ipv6/sysctl_net_ipv6.c
+++ b/net/ipv6/sysctl_net_ipv6.c
@@ -35,6 +35,13 @@ static ctl_table ipv6_table_template[] = {
.mode = 0644,
.proc_handler = proc_dointvec
},
+ {
+ .procname = "ipv6_nonlocal_bind",
+ .data = &sysctl_ipv6_nonlocal_bind,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec
+ },
{ }
};
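Review bot: The new entry's `.data = &sysctl_ipv6_nonlocal_bind` points at a single global, while this table is named ipv6_table_template and presumably has its entries rebased onto per-namespace storage when a net namespace is created; if that is the case, the file shows up in every namespace's /proc/sys/net/ipv6 but a write from any one of them toggles non-local bind for the whole host, which is the opposite of what a per-namespace sysctl directory suggests. Either keep the flag in per-namespace sysctl storage and rebase `.data` the way the neighbouring entries are handled, or state in the ip-sysctl.txt entry that this knob is global and not namespaced.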
* Re: [PATCH net-next-2.6] ipv6: adding ip_nonlocal_bind option from ipv4
2010-07-03 20:38 [PATCH net-next-2.6] ipv6: adding ip_nonlocal_bind option from ipv4 Michal Humpula
@ 2010-07-05 2:03 ` Simon Horman
2010-07-05 6:56 ` Michal Humpula
2010-07-05 10:13 ` YOSHIFUJI Hideaki
1 sibling, 1 reply; 5+ messages in thread
From: Simon Horman @ 2010-07-05 2:03 UTC (permalink / raw)
To: Michal Humpula; +Cc: netdev
On Sat, Jul 03, 2010 at 10:38:28PM +0200, Michal Humpula wrote:
> Adds ability to bind non-local IPv6 address the same way as for IPv4
>
> Signed-off-by: Michal Humpula <michal.humpula@web4u.cz>
>
> diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
> index f350c69..27fa09a 100644
> --- a/Documentation/networking/ip-sysctl.txt
> +++ b/Documentation/networking/ip-sysctl.txt
> @@ -962,6 +962,10 @@ bindv6only - BOOLEAN
> FALSE: enable IPv4-mapped address feature
>
> Default: FALSE (as specified in RFC2553bis)
I think a blank line here would be nice.
> +ipv6_nonlocal_bind - BOOLEAN
> + If set, allows processes to bind() to non-local IPv6 addresses,
> + which can be quite useful - but may break some applications.
> + Default: 0
>
> IPv6 Fragmentation:
>
> diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
> index 7bb5cb6..8957ead 100644
> --- a/include/linux/sysctl.h
> +++ b/include/linux/sysctl.h
> @@ -528,6 +528,7 @@ enum {
> NET_IPV6_IP6FRAG_TIME=23,
> NET_IPV6_IP6FRAG_SECRET_INTERVAL=24,
> NET_IPV6_MLD_MAX_MSF=25,
> + NET_IPV6_NONLOCAL_BIND=26
> };
>
> enum {
> diff --git a/include/net/ipv6.h b/include/net/ipv6.h
> index 1f84124..f459fcb 100644
> --- a/include/net/ipv6.h
> +++ b/include/net/ipv6.h
> @@ -641,6 +641,8 @@ static inline int snmp6_unregister_dev(struct inet6_dev *idev) { return 0; }
> #endif
>
> #ifdef CONFIG_SYSCTL
> +extern int sysctl_ipv6_nonlocal_bind;
> +
> extern ctl_table ipv6_route_table_template[];
> extern ctl_table ipv6_icmp_table_template[];
>
> diff --git a/kernel/sysctl_binary.c b/kernel/sysctl_binary.c
> index 1357c57..525edae 100644
> --- a/kernel/sysctl_binary.c
> +++ b/kernel/sysctl_binary.c
> @@ -559,6 +559,7 @@ static const struct bin_table bin_net_ipv6_table[] = {
> { CTL_DIR, NET_IPV6_ROUTE, "route", bin_net_ipv6_route_table },
> { CTL_DIR, NET_IPV6_ICMP, "icmp", bin_net_ipv6_icmp_table },
> { CTL_INT, NET_IPV6_BINDV6ONLY, "bindv6only" },
> + { CTL_INT, NET_IPV6_NONLOCAL_BIND, "ipv6_nonlocal_bind" },
> { CTL_INT, NET_IPV6_IP6FRAG_HIGH_THRESH, "ip6frag_high_thresh" },
> { CTL_INT, NET_IPV6_IP6FRAG_LOW_THRESH, "ip6frag_low_thresh" },
> { CTL_INT, NET_IPV6_IP6FRAG_TIME, "ip6frag_time" },
> diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
> index e830cd4..55b3552 100644
> --- a/net/ipv6/af_inet6.c
> +++ b/net/ipv6/af_inet6.c
> @@ -252,6 +252,8 @@ out_rcu_unlock:
> goto out;
> }
>
> +int sysctl_ipv6_nonlocal_bind __read_mostly;
> +EXPORT_SYMBOL(sysctl_ipv6_nonlocal_bind);
>
> /* bind for INET6 API */
> int inet6_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
> @@ -345,8 +347,10 @@ int inet6_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len)
> if (!(addr_type & IPV6_ADDR_MULTICAST)) {
> if (!ipv6_chk_addr(net, &addr->sin6_addr,
> dev, 0)) {
> - err = -EADDRNOTAVAIL;
> - goto out_unlock;
> + if (!sysctl_ipv6_nonlocal_bind) {
> + err = -EADDRNOTAVAIL;
> + goto out_unlock;
> + }
> }
> }
> rcu_read_unlock();
Perhaps the inner two if statements could be combined to remove
unnecessary nesting? And perhaps check for sysctl_ipv6_nonlocal_bind first,
as presumably it's a cheaper, though less likely to succeed, check.
if (!(addr_type & IPV6_ADDR_MULTICAST)) {
if (!sysctl_ipv6_nonlocal_bind &&
!ipv6_chk_addr(net, &addr->sin6_addr,
dev, 0)) {
err = -EADDRNOTAVAIL;
goto out_unlock;
}
}
Actually, I wonder if all three if statements could be combined.
if (!(addr_type & IPV6_ADDR_MULTICAST) &&
!sysctl_ipv6_nonlocal_bind &&
!ipv6_chk_addr(net, &addr->sin6_addr, dev, 0)) {
err = -EADDRNOTAVAIL;
goto out_unlock;
}
> diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c
> index fa1d8f4..56bfe76 100644
> --- a/net/ipv6/sysctl_net_ipv6.c
> +++ b/net/ipv6/sysctl_net_ipv6.c
> @@ -35,6 +35,13 @@ static ctl_table ipv6_table_template[] = {
> .mode = 0644,
> .proc_handler = proc_dointvec
> },
> + {
> + .procname = "ipv6_nonlocal_bind",
> + .data = &sysctl_ipv6_nonlocal_bind,
> + .maxlen = sizeof(int),
> + .mode = 0644,
> + .proc_handler = proc_dointvec
> + },
> { }
> };
>
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
* Re: [PATCH net-next-2.6] ipv6: adding ip_nonlocal_bind option from ipv4
2010-07-05 2:03 ` Simon Horman
@ 2010-07-05 6:56 ` Michal Humpula
0 siblings, 0 replies; 5+ messages in thread
From: Michal Humpula @ 2010-07-05 6:56 UTC (permalink / raw)
To: Simon Horman; +Cc: netdev
On Monday 05 of July 2010 04:03:36 Simon Horman wrote:
> On Sat, Jul 03, 2010 at 10:38:28PM +0200, Michal Humpula wrote:
> > Adds ability to bind non-local IPv6 address the same way as for IPv4
> >
> > Signed-off-by: Michal Humpula <michal.humpula@web4u.cz>
> >
> > diff --git a/Documentation/networking/ip-sysctl.txt
> > b/Documentation/networking/ip-sysctl.txt index f350c69..27fa09a 100644
> > --- a/Documentation/networking/ip-sysctl.txt
> > +++ b/Documentation/networking/ip-sysctl.txt
> > @@ -962,6 +962,10 @@ bindv6only - BOOLEAN
> >
> > FALSE: enable IPv4-mapped address feature
> >
> > Default: FALSE (as specified in RFC2553bis)
>
> I think a blank line here would be nice.
>
> > +ipv6_nonlocal_bind - BOOLEAN
> > + If set, allows processes to bind() to non-local IPv6 addresses,
> > + which can be quite useful - but may break some applications.
> > + Default: 0
> >
> > IPv6 Fragmentation:
> >
> > diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
> > index e830cd4..55b3552 100644
> > --- a/net/ipv6/af_inet6.c
> > +++ b/net/ipv6/af_inet6.c
> >
> > @@ -345,8 +347,10 @@ int inet6_bind(struct socket *sock, struct sockaddr
> > *uaddr, int addr_len)
> >
> > if (!(addr_type & IPV6_ADDR_MULTICAST)) {
> >
> > if (!ipv6_chk_addr(net, &addr->sin6_addr,
> >
> > dev, 0)) {
> >
> > - err = -EADDRNOTAVAIL;
> > - goto out_unlock;
> > + if (!sysctl_ipv6_nonlocal_bind) {
> > + err = -EADDRNOTAVAIL;
> > + goto out_unlock;
> > + }
> >
> > }
> >
> > }
> > rcu_read_unlock();
>
> Perhaps the inner two if statements could be combined to remove
> unnecessary nesting? And perhaps check for sysctl_ipv6_nonlocal_bind first,
> as presumably its a cheaper, though less likely to succeed check.
>
> if (!(addr_type & IPV6_ADDR_MULTICAST)) {
> if (!sysctl_ipv6_nonlocal_bind &&
> !ipv6_chk_addr(net, &addr->sin6_addr,
> dev, 0)) {
> err = -EADDRNOTAVAIL;
> goto out_unlock;
> }
> }
>
> Actually, I wonder if all three if statements could be combined.
>
> if (!(addr_type & IPV6_ADDR_MULTICAST) &&
> !sysctl_ipv6_nonlocal_bind &&
> !ipv6_chk_addr(net, &addr->sin6_addr, dev, 0)) {
> err = -EADDRNOTAVAIL;
> goto out_unlock;
> }
>
Thank you for the review, I agree with the objections. I'll send a corrected version.
* Re: [PATCH net-next-2.6] ipv6: adding ip_nonlocal_bind option from ipv4
2010-07-03 20:38 [PATCH net-next-2.6] ipv6: adding ip_nonlocal_bind option from ipv4 Michal Humpula
2010-07-05 2:03 ` Simon Horman
@ 2010-07-05 10:13 ` YOSHIFUJI Hideaki
2010-07-05 12:26 ` Michal Humpula
1 sibling, 1 reply; 5+ messages in thread
From: YOSHIFUJI Hideaki @ 2010-07-05 10:13 UTC (permalink / raw)
To: Michal Humpula, netdev, yoshfuji
Hello.
Michal Humpula wrote:
> Adds ability to bind non-local IPv6 address the same way as for IPv4
>
> Signed-off-by: Michal Humpula <michal.humpula@web4u.cz>
>
> diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
> index e830cd4..55b3552 100644
> --- a/net/ipv6/af_inet6.c
> +++ b/net/ipv6/af_inet6.c
> @@ -252,6 +252,8 @@ out_rcu_unlock:
> goto out;
> }
>
> +int sysctl_ipv6_nonlocal_bind __read_mostly;
> +EXPORT_SYMBOL(sysctl_ipv6_nonlocal_bind);
>
> /* bind for INET6 API */
> int inet6_bind(struct socket *sock, struct sockaddr *uaddr, int
> addr_len)
> @@ -345,8 +347,10 @@ int inet6_bind(struct socket *sock, struct
> sockaddr *uaddr, int addr_len)
> if (!(addr_type &I do think i IPV6_ADDR_MULTICAST)) {
> if (!ipv6_chk_addr(net, &addr->sin6_addr,
> dev, 0)) {
> - err = -EADDRNOTAVAIL;
> - goto out_unlock;
> + if (!sysctl_ipv6_nonlocal_bind) {
> + err = -EADDRNOTAVAIL;
> + goto out_unlock;
> + }
> }
> }
> rcu_read_unlock();
> diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c
> index fa1d8f4..56bfe76 100644
> --- a/net/ipv6/sysctl_net_ipv6.c
> +++ b/net/ipv6/sysctl_net_ipv6.c
> @@ -35,6 +35,13 @@ static ctl_table ipv6_table_template[] = {
> .mode = 0644,When you try to send packets / connect to
remote address,
> .proc_handler = proc_dointvec
> }, so far.
> + {
> + .procname = "ipv6_nonlocal_bind",
> + .data = &sysctl_ipv6_nonlocal_bind,
> + .maxlen = sizeof(int),
> + .mode = 0644,
> + .proc_handler = proc_dointvec
> + },
> { }
> };
This is not sufficient.
In IPv4, even if you do non-local bind, you cannot connect/send
packets from that address until the admin really assigns that
address on the node. Local address is checked when you try to
connect (or to send), and this is an important thing to do.
But in IPv6, it is not checked, and it is very bad to open
this "hole".
--yoshfuji
* Re: [PATCH net-next-2.6] ipv6: adding ip_nonlocal_bind option from ipv4
2010-07-05 10:13 ` YOSHIFUJI Hideaki
@ 2010-07-05 12:26 ` Michal Humpula
0 siblings, 0 replies; 5+ messages in thread
From: Michal Humpula @ 2010-07-05 12:26 UTC (permalink / raw)
To: YOSHIFUJI Hideaki; +Cc: netdev
On Monday 05 of July 2010 12:13:42 YOSHIFUJI Hideaki wrote:
> Hello.
>
> Michal Humpula wrote:
> > Adds ability to bind non-local IPv6 address the same way as for IPv4
> >
> > Signed-off-by: Michal Humpula <michal.humpula@web4u.cz>
> >
> > diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
> > index e830cd4..55b3552 100644
> > --- a/net/ipv6/af_inet6.c
> > +++ b/net/ipv6/af_inet6.c
> >
> > @@ -252,6 +252,8 @@ out_rcu_unlock:
> > goto out;
> >
> > }
> >
> > +int sysctl_ipv6_nonlocal_bind __read_mostly;
> > +EXPORT_SYMBOL(sysctl_ipv6_nonlocal_bind);
> >
> > /* bind for INET6 API */
> > int inet6_bind(struct socket *sock, struct sockaddr *uaddr, int
> >
> > addr_len)
> > @@ -345,8 +347,10 @@ int inet6_bind(struct socket *sock, struct
> > sockaddr *uaddr, int addr_len)
> >
> > if (!(addr_type &I do think i IPV6_ADDR_MULTICAST)) {
> >
> > if (!ipv6_chk_addr(net, &addr->sin6_addr,
> >
> > dev, 0)) {
> >
> > - err = -EADDRNOTAVAIL;
> > - goto out_unlock;
> > + if (!sysctl_ipv6_nonlocal_bind) {
> > + err = -EADDRNOTAVAIL;
> > + goto out_unlock;
> > + }
> >
> > }
> >
> > }
> > rcu_read_unlock();
> >
> > diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c
> > index fa1d8f4..56bfe76 100644
> > --- a/net/ipv6/sysctl_net_ipv6.c
> > +++ b/net/ipv6/sysctl_net_ipv6.c
> > @@ -35,6 +35,13 @@ static ctl_table ipv6_table_template[] = {
> >
> > .mode = 0644,When you try to send packets / connect to
>
> remote address,
>
> > .proc_handler = proc_dointvec
> >
> > }, so far.
> >
> > + {
> > + .procname = "ipv6_nonlocal_bind",
> > + .data = &sysctl_ipv6_nonlocal_bind,
> > + .maxlen = sizeof(int),
> > + .mode = 0644,
> > + .proc_handler = proc_dointvec
> > + },
> >
> > { }
> >
> > };
>
> This is not sufficient.
>
> In IPv4, even if you do non-local bind, you cannot connect/send
> packets from that address until the admin really assigns that
> address on the node. Local address is checked when you try to
> connect (or to send), and this is important thing to do.
>
> But in IPv6, it is not checked, and it is very bad to open
> this "hole".
>
> --yoshfuji
Thanks again for review. Could you please point me to part, where the check is done?
Is there a reason why is the check not done in IPv6 too?