lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 20 Jun 2014 09:31:00 -0700 From: Ben Greear <greearb@...delatech.com> To: Hannes Frederic Sowa <hannes@...essinduktion.org> CC: netdev@...r.kernel.org Subject: Re: [PATCH 2/2] ipv6: Allow accepting RA from local IP addresses. On 06/20/2014 08:40 AM, Hannes Frederic Sowa wrote: > On Mi, 2014-06-18 at 10:50 -0700, greearb@...delatech.com wrote: >> From: Ben Greear <greearb@...delatech.com> >> >> This can be used in virtual networking applications, and >> may have other uses as well. The option is disabled by >> default, so no change to current operating behaviour >> without the user explicitly changing the behaviour. > > Can you give a specific example for its use case? I currently don't see > the need for such an option. I put radvd on one veth endpoint, and use other veth endpoint to act as normal-ish endpoint with IPv6. The one with radvd enables routing, using specific rules so that it can only route to a few other interfaces. Basically, I can emulate multi-hop routed and bridged networks, including with OSPF and such on a single machine without the use of network namespaces or virtual machines. We use this to make network testing products, but I figure someone somewhere will find a different reason to want this. As far as I know, this used to work w/out any kernel hacks, though I have not specifically verified this. It did show up as a regression in our testing, but possibly we failed to test it properly years ago... >> - if (ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr, >> + if (!(in6_dev->cnf.accept_ra_from_local || >> + dev_net(in6_dev->dev)->ipv6.devconf_all->accept_ra_from_local) && >> + ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr, >> NULL, 0)) { >> ND_PRINTK(2, info, >> "RA: %s, chk_addr failed for dev: %s\n", >> @@ -1293,7 +1295,9 @@ skip_linkparms: >> } >> >> #ifdef CONFIG_IPV6_ROUTE_INFO >> - if (ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr, >> + if (!(in6_dev->cnf.accept_ra_from_local || >> + dev_net(in6_dev->dev)->ipv6.devconf_all->accept_ra_from_local) && >> + ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr, >> NULL, 0)) { >> ND_PRINTK(2, info, >> "RA: %s, chk-addr (route info) is false for dev: %s\n", > > Maybe ipv6_accept_ra_local() like ipv6_accept_ra() static local to the > file? I don't have a preference either way, but will make the change if it helps upstream acceptance. > Also I am not sure if we want to provide an devconf_all for this setting > at all, like we don't evaluate it for accept_ra, too. At least I > wouldn't do so with the current state of ipv6/conf/{all,default}. We often have thousands of interfaces on a system, it saves effort to set this globally. Note that it will not over-ride any other restraints, so a routed interface will still not accept RA unless additional existing procfs config changes are made, etc. Both global and per-interface default to disabling this new feature, so I think it is safe as I have written it. Thanks, Ben > > Bye, > Hannes > > -- Ben Greear <greearb@...delatech.com> Candela Technologies Inc http://www.candelatech.com -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists