| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 16 Sep 2016 10:48:10 +0100 From: Mike Manning <mmanning@...cade.com> To: <netdev@...r.kernel.org> Subject: [PATCH] net: ipv6: Failure to disable forwarding per interface via sysctl Disabling forwarding per interface via sysctl continues to allow forwarding. This is contrary to the sysctl documentation stating that the forwarding sysctl is per interface, whereas currently it is only the sysctl for all interfaces that has an effect on forwarding. The solution is to drop any received packets instead of forwarding them if the ingress device has a per-device forwarding sysctl that is unset. Signed-off-by: Mike Manning <mmanning@...cade.com> --- net/ipv6/ip6_output.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 1dfc402..37cd1d0 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -380,11 +380,15 @@ int ip6_forward(struct sk_buff *skb) struct ipv6hdr *hdr = ipv6_hdr(skb); struct inet6_skb_parm *opt = IP6CB(skb); struct net *net = dev_net(dst->dev); + struct inet6_dev *idev = __in6_dev_get(skb->dev); u32 mtu; if (net->ipv6.devconf_all->forwarding == 0) goto error; + if (idev && !idev->cnf.forwarding) + goto error; + if (skb->pkt_type != PACKET_HOST) goto drop; -- 1.7.10.4
Powered by blists - more mailing lists