From patchwork Tue May 9 14:42:34 2017
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 98923
From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Hangbin Liu, "David S . Miller"
Subject: [PATCH for-3.18 10/24] net/ipv6: add sysctl option accept_ra_min_hop_limit
Date: Tue, 9 May 2017 20:12:34 +0530
Message-Id: <1494340968-17152-11-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
References: <1494340968-17152-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org

From: Hangbin Liu

commit 8013d1d7eafb0589ca766db6b74026f76b7f5cb4 upstream.

Commit 6fd99094de2b ("ipv6: Don't reduce hop limit for an interface")
disabled accept hop limit from RA if it is smaller than the current hop
limit for security stuff. But this behavior kind of breaks the RFC definition.

RFC 4861, 6.3.4. Processing Received Router Advertisements
   A Router Advertisement field (e.g., Cur Hop Limit, Reachable Time,
   and Retrans Timer) may contain a value denoting that it is
   unspecified. In such cases, the parameter should be ignored and the
   host should continue using whatever value it is already using.

   If the received Cur Hop Limit value is non-zero, the host SHOULD set
   its CurHopLimit variable to the received value.

So add sysctl option accept_ra_min_hop_limit to let users choose the minimum
hop limit value they can accept from RA. And set default to 1 to meet RFC
standards.

Signed-off-by: Hangbin Liu
Acked-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
Signed-off-by: Amit Pundir --- Documentation/networking/ip-sysctl.txt | 8 ++++++++ include/linux/ipv6.h | 1 + include/uapi/linux/ipv6.h | 1 + net/ipv6/addrconf.c | 10 ++++++++++ net/ipv6/ndisc.c | 16 +++++++--------- 5 files changed, 27 insertions(+), 9 deletions(-) -- 2.7.4 diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt index a476b08a43e0..628d342a806f 100644 --- a/Documentation/networking/ip-sysctl.txt +++ b/Documentation/networking/ip-sysctl.txt @@ -1256,6 +1256,14 @@ accept_ra_from_local - BOOLEAN disabled if accept_ra_from_local is disabled on a specific interface. +accept_ra_min_hop_limit - INTEGER + Minimum hop limit Information in Router Advertisement. + + Hop limit Information in Router Advertisement less than this + variable shall be ignored. + + Default: 1 + accept_ra_pinfo - BOOLEAN Learn Prefix Information in Router Advertisement. diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h index 2725b03b4ae2..5b8ffda9b668 100644 --- a/include/linux/ipv6.h +++ b/include/linux/ipv6.h @@ -29,6 +29,7 @@ struct ipv6_devconf { __s32 max_desync_factor; __s32 max_addresses; __s32 accept_ra_defrtr; + __s32 accept_ra_min_hop_limit; __s32 accept_ra_pinfo; #ifdef CONFIG_IPV6_ROUTER_PREF __s32 accept_ra_rtr_pref; diff --git a/include/uapi/linux/ipv6.h b/include/uapi/linux/ipv6.h index efa2666f4b8a..ea3a39c0ac5d 100644 --- a/include/uapi/linux/ipv6.h +++ b/include/uapi/linux/ipv6.h @@ -164,6 +164,7 @@ enum { DEVCONF_MLDV2_UNSOLICITED_REPORT_INTERVAL, DEVCONF_SUPPRESS_FRAG_NDISC, DEVCONF_ACCEPT_RA_FROM_LOCAL, + DEVCONF_ACCEPT_RA_MIN_HOP_LIMIT, DEVCONF_MAX }; diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 4cc14452d5cc..43840e080d85 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c 
@@ -188,6 +188,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = { .max_addresses = IPV6_MAX_ADDRESSES, .accept_ra_defrtr = 1, .accept_ra_from_local = 0, + .accept_ra_min_hop_limit= 1, .accept_ra_pinfo = 1, #ifdef CONFIG_IPV6_ROUTER_PREF .accept_ra_rtr_pref = 1, @@ -225,6 +226,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = { .max_addresses = IPV6_MAX_ADDRESSES, .accept_ra_defrtr = 1, .accept_ra_from_local = 0, + .accept_ra_min_hop_limit= 1, .accept_ra_pinfo = 1, #ifdef CONFIG_IPV6_ROUTER_PREF .accept_ra_rtr_pref = 1, @@ -4320,6 +4322,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf *cnf, array[DEVCONF_MAX_DESYNC_FACTOR] = cnf->max_desync_factor; array[DEVCONF_MAX_ADDRESSES] = cnf->max_addresses; array[DEVCONF_ACCEPT_RA_DEFRTR] = cnf->accept_ra_defrtr; + array[DEVCONF_ACCEPT_RA_MIN_HOP_LIMIT] = cnf->accept_ra_min_hop_limit; array[DEVCONF_ACCEPT_RA_PINFO] = cnf->accept_ra_pinfo; #ifdef CONFIG_IPV6_ROUTER_PREF array[DEVCONF_ACCEPT_RA_RTR_PREF] = cnf->accept_ra_rtr_pref; @@ -5136,6 +5139,13 @@ static struct addrconf_sysctl_table .proc_handler = proc_dointvec, }, { + .procname = "accept_ra_min_hop_limit", + .data = &ipv6_devconf.accept_ra_min_hop_limit, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec, + }, + { .procname = "accept_ra_pinfo", .data = &ipv6_devconf.accept_ra_pinfo, .maxlen = sizeof(int), diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c index a46c50423aec..6e7bf721840e 100644 --- a/net/ipv6/ndisc.c +++ b/net/ipv6/ndisc.c 
@@ -1214,18 +1214,16 @@ static void ndisc_router_discovery(struct sk_buff *skb) if (rt) rt6_set_expires(rt, jiffies + (HZ * lifetime)); - if (ra_msg->icmph.icmp6_hop_limit) { - /* Only set hop_limit on the interface if it is higher than - * the current hop_limit. - */ - if (in6_dev->cnf.hop_limit < ra_msg->icmph.icmp6_hop_limit) { + if (in6_dev->cnf.accept_ra_min_hop_limit < 256 && + ra_msg->icmph.icmp6_hop_limit) { + if (in6_dev->cnf.accept_ra_min_hop_limit <= ra_msg->icmph.icmp6_hop_limit) { in6_dev->cnf.hop_limit = ra_msg->icmph.icmp6_hop_limit; + if (rt) + dst_metric_set(&rt->dst, RTAX_HOPLIMIT, + ra_msg->icmph.icmp6_hop_limit); } else { - ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than current\n"); + ND_PRINTK(2, warn, "RA: Got route advertisement with lower hop_limit than minimum\n"); } - if (rt) - dst_metric_set(&rt->dst, RTAX_HOPLIMIT, - ra_msg->icmph.icmp6_hop_limit); } skip_defrtr:
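Review bot: In the Documentation/networking/ip-sysctl.txt hunk, the new accept_ra_min_hop_limit entry does not say how to switch the behaviour off or what range of values is meaningful. The ndisc.c hunk only looks at the RA hop limit when `in6_dev->cnf.accept_ra_min_hop_limit < 256`, so a setting of 256 or more means the hop limit from an RA is never applied; that should be stated in the entry next to "Default: 1", together with the fact that an RA hop limit of 0 is always skipped.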
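Review bot: DEVCONF_ACCEPT_RA_MIN_HOP_LIMIT in the include/uapi/linux/ipv6.h hunk becomes a fixed position in a userspace-visible enum, and ipv6_store_devconf() in the addrconf.c hunk fills an array indexed by it. Adding it directly before DEVCONF_MAX keeps the existing indices stable, which is the right placement, but for a for-3.18 backport please confirm that the resulting index matches the one the upstream commit assigns, or say in the changelog that it may differ, so that tools built against other kernel headers do not read the wrong slot.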
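Review bot: The default of 1 set in ipv6_devconf and ipv6_devconf_dflt (addrconf.c hunks at -188 and -225) means that, out of the box, any non-zero hop limit in an RA is applied again, including one lower than the interface's current value, which is the case the changelog says commit 6fd99094de2b was blocking. For a stable tree this is a behaviour change that deserves an explicit sentence in the changelog or in ip-sysctl.txt: administrators who want to keep the earlier hardening on untrusted links need to raise accept_ra_min_hop_limit to the lowest hop limit they are willing to accept.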
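Review bot: The sysctl table entry in the addrconf.c hunk at -5136 uses plain proc_dointvec on an __s32 field, so negative and arbitrarily large values are stored without complaint. A negative minimum makes the `accept_ra_min_hop_limit <= ra_msg->icmph.icmp6_hop_limit` test in ndisc.c true for every non-zero RA value, and anything at or above 256 silently disables the feature. Consider proc_dointvec_minmax with explicit lower and upper bounds, or at least document the accepted range in ip-sysctl.txt.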
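Review bot: In the net/ipv6/ndisc.c hunk, `in6_dev->cnf.accept_ra_min_hop_limit < 256` uses a bare constant as the "disabled" sentinel, and the comment that explained the old comparison is deleted without a replacement. Please add a short comment stating that 256 or more means the RA hop limit is never taken, and consider whether that path should log something, since it currently skips the value without the ND_PRINTK warning that the else branch emits. The inner `if (in6_dev->cnf.accept_ra_min_hop_limit <= ra_msg->icmph.icmp6_hop_limit) {` line also runs past 80 columns and could be wrapped like the outer condition.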