
Commit b8fb1ab4 authored by David Ahern's avatar David Ahern Committed by David S. Miller

net ipv6: Prevent neighbor add if protocol is disabled on device



Disabling IPv6 on an interface removes existing entries but nothing prevents
new entries from being manually added. To that end, add a new neigh_table
operation, allow_add, that is called on RTM_NEWNEIGH to see if neighbor
entries are allowed on a given device. If IPv6 is disabled on the device,
allow_add returns false and passes a message back to the user via extack.

  $ echo 1 > /proc/sys/net/ipv6/conf/eth1/disable_ipv6
  $ ip -6 neigh add fe80::4c88:bff:fe21:2704 dev eth1 lladdr de:ad:be:ef:01:01
  Error: IPv6 is disabled on this device.

Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent cea29a70
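--- a/include/net/neighbour.h
+++ b/include/net/neighbour.h
@@ -205,6 +205,8 @@ struct neigh_table {
 	int			(*pconstructor)(struct pneigh_entry *);
 	void			(*pdestructor)(struct pneigh_entry *);
 	void			(*proxy_redo)(struct sk_buff *skb);
+	bool			(*allow_add)(const struct net_device *dev,
+					     struct netlink_ext_ack *extack);
 	char			*id;
 	struct neigh_parms	parms;
 	struct list_head	parms_list;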
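Review bot: The new allow_add member carries no comment, so its contract — when the core calls it, what locking it may assume, and that a false return is expected to have filled in extack — is only discoverable from the ndisc implementation further down, whose own comment says it assumes rtnl is held. A short comment above the member in struct neigh_table would make that explicit for future table implementers: `/* Optional: return false (and set extack) to refuse RTM_NEWNEIGH on dev. Called from neigh_add under rtnl. */`. struct neigh_table begins before this hunk and ends after it.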
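--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -1920,6 +1920,11 @@ static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh,
 		goto out;
 	}
 
+	if (tbl->allow_add && !tbl->allow_add(dev, extack)) {
+		err = -EINVAL;
+		goto out;
+	}
+
 	neigh = neigh_lookup(tbl, dst, dev);
 	if (neigh == NULL) {
 		bool exempt_from_gc;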
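Review bot: The allow_add check sits after the guard that ends at the top of this hunk, so any earlier exit from neigh_add is not covered; in particular the NTF_PROXY branch, which appears to precede this point (it is outside the hunk) and creates a pneigh entry via pneigh_lookup, would presumably still let a proxy neighbor be added on a device with IPv6 disabled. If that is deliberate it deserves a comment saying proxy entries are exempt; otherwise the check belongs right after dev is resolved from ndm_ifindex and ahead of the proxy branch, e.g. `if (dev && tbl->allow_add && !tbl->allow_add(dev, extack)) { err = -EINVAL; goto out; }`. Returning -EINVAL for "protocol disabled on this device" is also rather generic; -EPERM or -ENODEV would let callers distinguish a refused device from a malformed request, though userspace already gets the extack text. neigh_add begins before this hunk and continues after it.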
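--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -77,6 +77,8 @@ static u32 ndisc_hash(const void *pkey,
 		      const struct net_device *dev,
 		      __u32 *hash_rnd);
 static bool ndisc_key_eq(const struct neighbour *neigh, const void *pkey);
+static bool ndisc_allow_add(const struct net_device *dev,
+			    struct netlink_ext_ack *extack);
 static int ndisc_constructor(struct neighbour *neigh);
 static void ndisc_solicit(struct neighbour *neigh, struct sk_buff *skb);
 static void ndisc_error_report(struct neighbour *neigh, struct sk_buff *skb);
@@ -117,6 +119,7 @@ struct neigh_table nd_tbl = {
 	.pconstructor =	pndisc_constructor,
 	.pdestructor =	pndisc_destructor,
 	.proxy_redo =	pndisc_redo,
+	.allow_add  =   ndisc_allow_add,
 	.id =		"ndisc_cache",
 	.parms = {
 		.tbl			= &nd_tbl,
@@ -392,6 +395,20 @@ static void pndisc_destructor(struct pneigh_entry *n)
 	ipv6_dev_mc_dec(dev, &maddr);
 }
 
+/* called with rtnl held */
+static bool ndisc_allow_add(const struct net_device *dev,
+			    struct netlink_ext_ack *extack)
+{
+	struct inet6_dev *idev = __in6_dev_get(dev);
+
+	if (!idev || idev->cnf.disable_ipv6) {
+		NL_SET_ERR_MSG(extack, "IPv6 is disabled on this device");
+		return false;
+	}
+
+	return true;
+}
+
 static struct sk_buff *ndisc_alloc_skb(struct net_device *dev,
 				       int len)
 {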
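Review bot: ndisc_allow_add documents its locking precondition only as `/* called with rtnl held */`, yet __in6_dev_get is the unlocked accessor and nothing checks that rtnl is actually held when a new caller of the allow_add hook is added later; making the first statement `ASSERT_RTNL();` turns the comment into a checked precondition at no cost in production builds. The `!idev` case also reports "IPv6 is disabled on this device", which for a device that simply never got an inet6_dev is close enough but slightly misleading; if that distinction matters to users a separate message such as "IPv6 is not supported on this device" would be clearer. The reading of idev->cnf.disable_ipv6 under rtnl looks consistent with how the sysctl is flipped, but that is inferred from outside the hunk.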