lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Fri, 20 Jun 2014 09:31:00 -0700
From:	Ben Greear <>
To:	Hannes Frederic Sowa <>
Subject: Re: [PATCH 2/2] ipv6:  Allow accepting RA from local IP addresses.

On 06/20/2014 08:40 AM, Hannes Frederic Sowa wrote:
> On Mi, 2014-06-18 at 10:50 -0700, wrote:
>> From: Ben Greear <>
>> This can be used in virtual networking applications, and
>> may have other uses as well.  The option is disabled by
>> default, so no change to current operating behaviour
>> without the user explicitly changing the behaviour.
> Can you give a specific example for its use case? I currently don't see
> the need for such an option.

I put radvd on one veth endpoint, and use other veth endpoint to act
as normal-ish endpoint with IPv6.

The one with radvd enables routing, using specific rules so that it
can only route to a few other interfaces.

Basically, I can emulate multi-hop routed and bridged networks, including with
OSPF and such on a single machine without the use of network
namespaces or virtual machines.

We use this to make network testing products, but I figure someone somewhere
will find a different reason to want this.  As far as I know, this used to
work w/out any kernel hacks, though I have not specifically verified
this.  It did show up as a regression in our testing, but possibly we
failed to test it properly years ago...

>> -	if (ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr,
>> +	if (!(in6_dev->cnf.accept_ra_from_local ||
>> +	      dev_net(in6_dev->dev)->ipv6.devconf_all->accept_ra_from_local) &&
>> +	    ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr,
>>  			  NULL, 0)) {
>>  		ND_PRINTK(2, info,
>>  			  "RA: %s, chk_addr failed for dev: %s\n",
>> @@ -1293,7 +1295,9 @@ skip_linkparms:
>>  	}
>> -	if (ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr,
>> +	if (!(in6_dev->cnf.accept_ra_from_local ||
>> +	      dev_net(in6_dev->dev)->ipv6.devconf_all->accept_ra_from_local) &&
>> +	    ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr,
>>  			  NULL, 0)) {
>>  		ND_PRINTK(2, info,
>>  			  "RA: %s, chk-addr (route info) is false for dev: %s\n",
> Maybe ipv6_accept_ra_local() like ipv6_accept_ra() static local to the
> file?

I don't have a preference either way, but will make the change if it helps
upstream acceptance.

> Also I am not sure if we want to provide an devconf_all for this setting
> at all, like we don't evaluate it for accept_ra, too. At least I
> wouldn't do so with the current state of ipv6/conf/{all,default}.

We often have thousands of interfaces on a system, it saves effort to
set this globally.  Note that it will not over-ride any other restraints,
so a routed interface will still not accept RA unless additional
existing procfs config changes are made, etc.

Both global and per-interface default to disabling this new feature,
so I think it is safe as I have written it.


> Bye,
> Hannes

Ben Greear <>
Candela Technologies Inc

To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists