From: David Ahern
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, roopa@cumulusnetworks.com, David Ahern
Subject: [PATCH net-next] net ipv6: Prevent neighbor add if protocol is disabled on device
Date: Tue, 16 Apr 2019 17:31:43 -0700
Message-Id: <20190417003143.16560-1-dsahern@kernel.org>
X-Mailer: git-send-email 2.11.0
X-Mailing-List: netdev@vger.kernel.org

From: David Ahern

Disabling IPv6 on an interface removes existing entries but nothing
prevents new entries from being manually added. To that end, add a new
neigh_table operation, allow_add, that is called on RTM_NEWNEIGH to see
if neighbor entries are allowed on a given device. If IPv6 is disabled
on the device, allow_add returns false and passes a message back to the
user via extack.

$ echo 1 > /proc/sys/net/ipv6/conf/eth1/disable_ipv6
$ ip -6 neigh add fe80::4c88:bff:fe21:2704 dev eth1 lladdr de:ad:be:ef:01:01
Error: IPv6 is disabled on this device.

Signed-off-by: David Ahern
---
 include/net/neighbour.h |  2 ++
 net/core/neighbour.c    |  5 +++++
 net/ipv6/ndisc.c        | 17 +++++++++++++++++
 3 files changed, 24 insertions(+)

diff --git a/include/net/neighbour.h b/include/net/neighbour.h
index 3e5438bd0101..50a67bd6a434 100644
--- a/include/net/neighbour.h
+++ b/include/net/neighbour.h
@@ -205,6 +205,8 @@ struct neigh_table { int (*pconstructor)(struct pneigh_entry *); void (*pdestructor)(struct pneigh_entry *); void (*proxy_redo)(struct sk_buff *skb); + bool (*allow_add)(const struct net_device *dev, + struct netlink_ext_ack *extack); char *id; struct neigh_parms parms; struct list_head parms_list; diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 30f6fd8f68e0..997cfa8f99ba 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -1920,6 +1920,11 @@ static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh, goto out; } + if (tbl->allow_add && !tbl->allow_add(dev, extack)) { + err = -EINVAL; + goto out; + } + neigh = neigh_lookup(tbl, dst, dev); if (neigh == NULL) { bool exempt_from_gc; diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c index 66c8b294e02b..4c8e2ea8bf19 100644 --- a/net/ipv6/ndisc.c +++ b/net/ipv6/ndisc.c @@ -77,6 +77,8 @@ static u32 ndisc_hash(const void *pkey, const struct net_device *dev, __u32 *hash_rnd); static bool ndisc_key_eq(const struct neighbour *neigh, const void *pkey); +static bool ndisc_allow_add(const struct net_device *dev, + struct netlink_ext_ack *extack); static int ndisc_constructor(struct neighbour *neigh); static void ndisc_solicit(struct neighbour *neigh, struct sk_buff *skb); static void ndisc_error_report(struct neighbour *neigh, struct sk_buff *skb); @@ -117,6 +119,7 @@ struct neigh_table nd_tbl = { .pconstructor = pndisc_constructor, .pdestructor = pndisc_destructor, .proxy_redo = pndisc_redo, + .allow_add = ndisc_allow_add, .id = "ndisc_cache", .parms = { .tbl = &nd_tbl, 
@@ -392,6 +395,20 @@ static void pndisc_destructor(struct pneigh_entry *n) ipv6_dev_mc_dec(dev, &maddr); } +/* called with rtnl held */ +static bool ndisc_allow_add(const struct net_device *dev, + struct netlink_ext_ack *extack) +{ + struct inet6_dev *idev = __in6_dev_get(dev); + + if (!idev || idev->cnf.disable_ipv6) { + NL_SET_ERR_MSG(extack, "IPv6 is disabled on this device"); + return false; + } + + return true; +} + static struct sk_buff *ndisc_alloc_skb(struct net_device *dev, int len) { -- 2.11.0
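Review bot: the new `allow_add` member in the include/net/neighbour.h hunk carries no comment describing its contract (invoked under RTNL on RTM_NEWNEIGH, expected to set an extack message when it returns false, may be left NULL). The only documentation is the `/* called with rtnl held */` line in ndisc.c, far from the declaration. Since this is a generic hook that other tables are expected to leave unset (the diffstat shows only nd_tbl wiring it, and neigh_add() guards with `tbl->allow_add &&`), a one-line comment next to the declaration stating both points would save readers a trip to the caller.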
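Review bot: in the net/core/neighbour.c hunk the check sits directly above `neigh = neigh_lookup(tbl, dst, dev);`, so it gates both creation and replacement of an entry on that device, but only for requests that reach this point; any exit from neigh_add() earlier in the function (the visible context ends with a `goto out;`) bypasses it. Confirm that entries created on those earlier paths, for instance proxy entries handled by the pneigh callbacks this same table provides, are meant to remain allowed while IPv6 is disabled, and state that in the commit message either way. Returning -EINVAL matches the surrounding code, though a short comment above the block saying why a disabled protocol refuses static entries would help the next reader.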
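Review bot: ndisc_allow_add() in the last net/ipv6/ndisc.c hunk reports "IPv6 is disabled on this device" for both `!idev` and `idev->cnf.disable_ipv6`, but a NULL inet6_dev means the device has no IPv6 state at all rather than that it was administratively disabled; a distinct extack message for the `!idev` case would tell the user which condition they hit. The `/* called with rtnl held */` comment is the only thing justifying the lockless `__in6_dev_get(dev)`; adding `ASSERT_RTNL();` at the top of the function makes that assumption checkable instead of purely documentary.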