| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 Jul 2022 13:51:17 -0400
From: Jaehee Park <jhpark1013@...il.com>
To: netdev@...r.kernel.org
Cc: davem@...emloft.net, yoshfuji@...ux-ipv6.org, dsahern@...nel.org,
edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
shuah@...nel.org, linux-kernel@...r.kernel.org, aajith@...sta.com,
roopa@...dia.com, aroulin@...dia.com, sbrivio@...hat.com,
jhpark1013@...il.com
Subject: [PATCH net-next 2/3] net: ipv6: new accept_untracked_na option to accept na only if in-network
This patch adds a third knob, '2', which extends the
accept_untracked_na option to learn a neighbor only if the src ip is
in the same subnet of addresses configured on the interfaces. This is
similar to the arp_accept configuration for ipv4.
Signed-off-by: Jaehee Park <jhpark1013@...il.com>
Suggested-by: Roopa Prabhu <roopa@...dia.com>
---
Documentation/networking/ip-sysctl.rst | 50 +++++++++++++++-----------
net/ipv6/addrconf.c | 2 +-
net/ipv6/ndisc.c | 29 ++++++++++++---
3 files changed, 55 insertions(+), 26 deletions(-)
diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
index 599373601a2b..2ee32224cae8 100644
--- a/Documentation/networking/ip-sysctl.rst
+++ b/Documentation/networking/ip-sysctl.rst
@@ -2482,27 +2482,36 @@ drop_unsolicited_na - BOOLEAN
By default this is turned off.
-accept_untracked_na - BOOLEAN
- Add a new neighbour cache entry in STALE state for routers on receiving a
- neighbour advertisement (either solicited or unsolicited) with target
- link-layer address option specified if no neighbour entry is already
- present for the advertised IPv6 address. Without this knob, NAs received
- for untracked addresses (absent in neighbour cache) are silently ignored.
-
- This is as per router-side behaviour documented in RFC9131.
-
- This has lower precedence than drop_unsolicited_na.
-
- This will optimize the return path for the initial off-link communication
- that is initiated by a directly connected host, by ensuring that
- the first-hop router which turns on this setting doesn't have to
- buffer the initial return packets to do neighbour-solicitation.
- The prerequisite is that the host is configured to send
- unsolicited neighbour advertisements on interface bringup.
- This setting should be used in conjunction with the ndisc_notify setting
- on the host to satisfy this prerequisite.
+accept_untracked_na - INTEGER
+ Define behavior for accepting neighbor advertisements from devices that
+ are absent in the neighbor cache:
- By default this is turned off.
+ - 0 - (default) Do not accept unsolicited and untracked neighbor
+ advertisements.
+
+ - 1 - Add a new neighbor cache entry in STALE state for routers on
+ receiving a neighbor advertisement (either solicited or unsolicited)
+ with target link-layer address option specified if no neighbor entry
+ is already present for the advertised IPv6 address. Without this knob,
+ NAs received for untracked addresses (absent in neighbor cache) are
+ silently ignored.
+
+ This is as per router-side behavior documented in RFC9131.
+
+ This has lower precedence than drop_unsolicited_na.
+
+ This will optimize the return path for the initial off-link
+ communication that is initiated by a directly connected host, by
+ ensuring that the first-hop router which turns on this setting doesn't
+ have to buffer the initial return packets to do neighbor-solicitation.
+ The prerequisite is that the host is configured to send unsolicited
+ neighbor advertisements on interface bringup. This setting should be
+ used in conjunction with the ndisc_notify setting on the host to
+ satisfy this prerequisite.
+
+ - 2 - Extend option (1) to add a new neighbor cache entry only if the
+ source IP is in the same subnet as the configured address on the
+ received interface.
enhanced_dad - BOOLEAN
Include a nonce option in the IPv6 neighbor solicitation messages used for
@@ -2984,4 +2993,3 @@ max_dgram_qlen - INTEGER
The maximum length of dgram socket receive queue
Default: 10
-
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 88becb037eb6..6ed807b6c647 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -7042,7 +7042,7 @@ static const struct ctl_table addrconf_sysctl[] = {
.data = &ipv6_devconf.accept_untracked_na,
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = proc_dointvec_minmax,
+ .proc_handler = proc_dointvec,
.extra1 = (void *)SYSCTL_ZERO,
.extra2 = (void *)SYSCTL_ONE,
},
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index cd84cbdac0a2..57b0b1c9123a 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -967,6 +967,26 @@ static void ndisc_recv_ns(struct sk_buff *skb)
in6_dev_put(idev);
}
+static int accept_untracked_na(struct net_device *dev, struct in6_addr *saddr)
+{
+ struct inet6_dev *idev = __in6_dev_get(dev);
+
+ switch (idev->cnf.accept_untracked_na) {
+ case 0: /* don't accept untracked (absent in neighbor cache) */
+ return 0;
+ case 1: /* create new entries if entry currently untracked */
+ return 1;
+ case 2: /*
+ * create new entries from untracked only if saddr is in the
+ * same subnet as an address configured on the incoming
+ * interface
+ */
+ return ipv6_chk_prefix(saddr, dev) ? 1 : 0;
+ default:
+ return 0;
+ }
+}
+
static void ndisc_recv_na(struct sk_buff *skb)
{
struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
@@ -1062,10 +1082,11 @@ static void ndisc_recv_na(struct sk_buff *skb)
*/
new_state = msg->icmph.icmp6_solicited ? NUD_REACHABLE : NUD_STALE;
if (!neigh && lladdr &&
- idev && idev->cnf.forwarding &&
- idev->cnf.accept_untracked_na) {
- neigh = neigh_create(&nd_tbl, &msg->target, dev);
- new_state = NUD_STALE;
+ idev && idev->cnf.forwarding) {
+ if (accept_untracked_na(dev, saddr)) {
+ neigh = neigh_create(&nd_tbl, &msg->target, dev);
+ new_state = NUD_STALE;
+ }
}
if (neigh && !IS_ERR(neigh)) {
--
2.30.2
Powered by blists - more mailing lists