lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <f29babd921a1842b7f953c56175cf2cd2abe7bc8.1673483994.git.lucien.xin@gmail.com>
Date:   Wed, 11 Jan 2023 19:41:56 -0500
From:   Xin Long <lucien.xin@...il.com>
To:     network dev <netdev@...r.kernel.org>
Cc:     davem@...emloft.net, kuba@...nel.org,
        Eric Dumazet <edumazet@...gle.com>,
        Paolo Abeni <pabeni@...hat.com>, Jiri Pirko <jiri@...nulli.us>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        David Ahern <dsahern@...nel.org>
Subject: [PATCHv2 net 1/2] ipv6: prevent only DAD and RS sending for IFF_NO_ADDRCONF

Currently IFF_NO_ADDRCONF is used to prevent all ipv6 addrconf for the
slave ports of team, bonding and failover devices and it means no ipv6
packets can be sent out through these slave ports. However, for team
device, "nsna_ping" link_watch requires ipv6 addrconf. Otherwise, the
link will be marked failure.

The orginal issue fixed by IFF_NO_ADDRCONF was caused by DAD and RS
packets sent by slave ports in commit c2edacf80e15 ("bonding / ipv6: no
addrconf for slaves separately from master") where it's using IFF_SLAVE
and later changed to IFF_NO_ADDRCONF in commit 8a321cf7becc ("net: add
IFF_NO_ADDRCONF and use it in bonding to prevent ipv6 addrconf").

So instead of preventing all the ipv6 addrconf, it makes more sense to
only prevent DAD and RS sending for the slave ports: Firstly, check
IFF_NO_ADDRCONF in addrconf_dad_completed() to prevent RS as it did in
commit b52e1cce31ca ("ipv6: Don't send rs packets to the interface of
ARPHRD_TUNNEL"), and then also check IFF_NO_ADDRCONF where IFA_F_NODAD
is checked to prevent DAD.

Note that the check for flags & IFA_F_NODAD in addrconf_dad_begin() is
not necessary, as with IFA_F_NODAF, flags & IFA_F_TENTATIVE is always
false, so there's no need to add IFF_NO_ADDRCONF check there either.

Fixes: 0aa64df30b38 ("net: team: use IFF_NO_ADDRCONF flag to prevent ipv6 addrconf")
Reported-by: Liang Li <liali@...hat.com>
Signed-off-by: Xin Long <lucien.xin@...il.com>
---
 net/ipv6/addrconf.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index f7a84a4acffc..de4186e5349c 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -1124,7 +1124,8 @@ ipv6_add_addr(struct inet6_dev *idev, struct ifa6_config *cfg,
 	ifa->flags = cfg->ifa_flags;
 	ifa->ifa_proto = cfg->ifa_proto;
 	/* No need to add the TENTATIVE flag for addresses with NODAD */
-	if (!(cfg->ifa_flags & IFA_F_NODAD))
+	if (!(cfg->ifa_flags & IFA_F_NODAD) &&
+	    !(idev->dev->priv_flags & IFF_NO_ADDRCONF))
 		ifa->flags |= IFA_F_TENTATIVE;
 	ifa->valid_lft = cfg->valid_lft;
 	ifa->prefered_lft = cfg->preferred_lft;
@@ -3319,10 +3320,6 @@ static void addrconf_addr_gen(struct inet6_dev *idev, bool prefix_route)
 	if (netif_is_l3_master(idev->dev))
 		return;
 
-	/* no link local addresses on devices flagged as slaves */
-	if (idev->dev->priv_flags & IFF_NO_ADDRCONF)
-		return;
-
 	ipv6_addr_set(&addr, htonl(0xFE800000), 0, 0, 0);
 
 	switch (idev->cnf.addr_gen_mode) {
@@ -3564,7 +3561,6 @@ static int addrconf_notify(struct notifier_block *this, unsigned long event,
 			if (event == NETDEV_UP && !IS_ERR_OR_NULL(idev) &&
 			    dev->flags & IFF_UP && dev->flags & IFF_MULTICAST)
 				ipv6_mc_up(idev);
-			break;
 		}
 
 		if (event == NETDEV_UP) {
@@ -3855,7 +3851,8 @@ static int addrconf_ifdown(struct net_device *dev, bool unregister)
 			/* set state to skip the notifier below */
 			state = INET6_IFADDR_STATE_DEAD;
 			ifa->state = INET6_IFADDR_STATE_PREDAD;
-			if (!(ifa->flags & IFA_F_NODAD))
+			if (!(ifa->flags & IFA_F_NODAD) &&
+			    !(dev->priv_flags & IFF_NO_ADDRCONF))
 				ifa->flags |= IFA_F_TENTATIVE;
 
 			rt = ifa->rt;
@@ -4218,6 +4215,7 @@ static void addrconf_dad_completed(struct inet6_ifaddr *ifp, bool bump_id,
 		  ipv6_accept_ra(ifp->idev) &&
 		  ifp->idev->cnf.rtr_solicits != 0 &&
 		  (dev->flags & IFF_LOOPBACK) == 0 &&
+		  (dev->priv_flags & IFF_NO_ADDRCONF) == 0 &&
 		  (dev->type != ARPHRD_TUNNEL);
 	read_unlock_bh(&ifp->idev->lock);
 
-- 
2.31.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ