lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 Jul 2022 13:51:17 -0400 From: Jaehee Park <jhpark1013@...il.com> To: netdev@...r.kernel.org Cc: davem@...emloft.net, yoshfuji@...ux-ipv6.org, dsahern@...nel.org, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, shuah@...nel.org, linux-kernel@...r.kernel.org, aajith@...sta.com, roopa@...dia.com, aroulin@...dia.com, sbrivio@...hat.com, jhpark1013@...il.com Subject: [PATCH net-next 2/3] net: ipv6: new accept_untracked_na option to accept na only if in-network This patch adds a third knob, '2', which extends the accept_untracked_na option to learn a neighbor only if the src ip is in the same subnet of addresses configured on the interfaces. This is similar to the arp_accept configuration for ipv4. Signed-off-by: Jaehee Park <jhpark1013@...il.com> Suggested-by: Roopa Prabhu <roopa@...dia.com> --- Documentation/networking/ip-sysctl.rst | 50 +++++++++++++++----------- net/ipv6/addrconf.c | 2 +- net/ipv6/ndisc.c | 29 ++++++++++++--- 3 files changed, 55 insertions(+), 26 deletions(-) diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst index 599373601a2b..2ee32224cae8 100644 --- a/Documentation/networking/ip-sysctl.rst +++ b/Documentation/networking/ip-sysctl.rst @@ -2482,27 +2482,36 @@ drop_unsolicited_na - BOOLEAN By default this is turned off. -accept_untracked_na - BOOLEAN - Add a new neighbour cache entry in STALE state for routers on receiving a - neighbour advertisement (either solicited or unsolicited) with target - link-layer address option specified if no neighbour entry is already - present for the advertised IPv6 address. Without this knob, NAs received - for untracked addresses (absent in neighbour cache) are silently ignored. - - This is as per router-side behaviour documented in RFC9131. - - This has lower precedence than drop_unsolicited_na. - - This will optimize the return path for the initial off-link communication - that is initiated by a directly connected host, by ensuring that - the first-hop router which turns on this setting doesn't have to - buffer the initial return packets to do neighbour-solicitation. - The prerequisite is that the host is configured to send - unsolicited neighbour advertisements on interface bringup. - This setting should be used in conjunction with the ndisc_notify setting - on the host to satisfy this prerequisite. +accept_untracked_na - INTEGER + Define behavior for accepting neighbor advertisements from devices that + are absent in the neighbor cache: - By default this is turned off. + - 0 - (default) Do not accept unsolicited and untracked neighbor + advertisements. + + - 1 - Add a new neighbor cache entry in STALE state for routers on + receiving a neighbor advertisement (either solicited or unsolicited) + with target link-layer address option specified if no neighbor entry + is already present for the advertised IPv6 address. Without this knob, + NAs received for untracked addresses (absent in neighbor cache) are + silently ignored. + + This is as per router-side behavior documented in RFC9131. + + This has lower precedence than drop_unsolicited_na. + + This will optimize the return path for the initial off-link + communication that is initiated by a directly connected host, by + ensuring that the first-hop router which turns on this setting doesn't + have to buffer the initial return packets to do neighbor-solicitation. + The prerequisite is that the host is configured to send unsolicited + neighbor advertisements on interface bringup. This setting should be + used in conjunction with the ndisc_notify setting on the host to + satisfy this prerequisite. + + - 2 - Extend option (1) to add a new neighbor cache entry only if the + source IP is in the same subnet as the configured address on the + received interface. enhanced_dad - BOOLEAN Include a nonce option in the IPv6 neighbor solicitation messages used for @@ -2984,4 +2993,3 @@ max_dgram_qlen - INTEGER The maximum length of dgram socket receive queue Default: 10 - diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index 88becb037eb6..6ed807b6c647 100644 --- a/net/ipv6/addrconf.c +++ b/net/ipv6/addrconf.c @@ -7042,7 +7042,7 @@ static const struct ctl_table addrconf_sysctl[] = { .data = &ipv6_devconf.accept_untracked_na, .maxlen = sizeof(int), .mode = 0644, - .proc_handler = proc_dointvec_minmax, + .proc_handler = proc_dointvec, .extra1 = (void *)SYSCTL_ZERO, .extra2 = (void *)SYSCTL_ONE, }, diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c index cd84cbdac0a2..57b0b1c9123a 100644 --- a/net/ipv6/ndisc.c +++ b/net/ipv6/ndisc.c @@ -967,6 +967,26 @@ static void ndisc_recv_ns(struct sk_buff *skb) in6_dev_put(idev); } +static int accept_untracked_na(struct net_device *dev, struct in6_addr *saddr) +{ + struct inet6_dev *idev = __in6_dev_get(dev); + + switch (idev->cnf.accept_untracked_na) { + case 0: /* don't accept untracked (absent in neighbor cache) */ + return 0; + case 1: /* create new entries if entry currently untracked */ + return 1; + case 2: /* + * create new entries from untracked only if saddr is in the + * same subnet as an address configured on the incoming + * interface + */ + return ipv6_chk_prefix(saddr, dev) ? 1 : 0; + default: + return 0; + } +} + static void ndisc_recv_na(struct sk_buff *skb) { struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb); @@ -1062,10 +1082,11 @@ static void ndisc_recv_na(struct sk_buff *skb) */ new_state = msg->icmph.icmp6_solicited ? NUD_REACHABLE : NUD_STALE; if (!neigh && lladdr && - idev && idev->cnf.forwarding && - idev->cnf.accept_untracked_na) { - neigh = neigh_create(&nd_tbl, &msg->target, dev); - new_state = NUD_STALE; + idev && idev->cnf.forwarding) { + if (accept_untracked_na(dev, saddr)) { + neigh = neigh_create(&nd_tbl, &msg->target, dev); + new_state = NUD_STALE; + } } if (neigh && !IS_ERR(neigh)) { -- 2.30.2
Powered by blists - more mailing lists