
net: ipv6: Add sysctl for minimum prefix len acceptable in RIOs.

This commit adds a new sysctl accept_ra_rt_info_min_plen that
defines the minimum acceptable prefix length of Route Information
Options. The new sysctl is intended to be used together with
accept_ra_rt_info_max_plen to configure a range of acceptable
prefix lengths. It is useful to prevent misconfigurations from
unintentionally blackholing too much of the IPv6 address space
(e.g., home routers announcing RIOs for fc00::/7, which is
incorrect).

Signed-off-by: Joel Scherpelz <jscherpelz@google.com>
Acked-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Joel Scherpelz and committed by
David S. Miller
bbea124b 0e4c9f13

+26 -2
+11 -2
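--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1461,11 +1461,20 @@
 Functional default: enabled if accept_ra is enabled.
 disabled if accept_ra is disabled.
 
+accept_ra_rt_info_min_plen - INTEGER
+Minimum prefix length of Route Information in RA.
+
+Route Information w/ prefix smaller than this variable shall
+be ignored.
+
+Functional default: 0 if accept_ra_rtr_pref is enabled.
+-1 if accept_ra_rtr_pref is disabled.
+
 accept_ra_rt_info_max_plen - INTEGER
 Maximum prefix length of Route Information in RA.
 
-Route Information w/ prefix larger than or equal to this
-variable shall be ignored.
+Route Information w/ prefix larger than this variable shall
+be ignored.
 
 Functional default: 0 if accept_ra_rtr_pref is enabled.
 -1 if accept_ra_rtr_pref is disabled.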
+1
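--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -37,6 +37,7 @@
 __s32 accept_ra_rtr_pref;
 __s32 rtr_probe_interval;
 #ifdef CONFIG_IPV6_ROUTE_INFO
+__s32 accept_ra_rt_info_min_plen;
 __s32 accept_ra_rt_info_max_plen;
 #endif
 #endif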
+1
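--- a/include/uapi/linux/ipv6.h
+++ b/include/uapi/linux/ipv6.h
@@ -184,6 +184,7 @@
 DEVCONF_ENHANCED_DAD,
 DEVCONF_ADDR_GEN_MODE,
 DEVCONF_DISABLE_POLICY,
+DEVCONF_ACCEPT_RA_RT_INFO_MIN_PLEN,
 DEVCONF_MAX
 };
 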
+1
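--- a/include/uapi/linux/sysctl.h
+++ b/include/uapi/linux/sysctl.h
@@ -568,6 +568,7 @@
 NET_IPV6_PROXY_NDP=23,
 NET_IPV6_ACCEPT_SOURCE_ROUTE=25,
 NET_IPV6_ACCEPT_RA_FROM_LOCAL=26,
+NET_IPV6_ACCEPT_RA_RT_INFO_MIN_PLEN=27,
 __NET_IPV6_MAX
 };
 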
+10
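--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -224,6 +224,7 @@
 .accept_ra_rtr_pref = 1,
 .rtr_probe_interval = 60 * HZ,
 #ifdef CONFIG_IPV6_ROUTE_INFO
+.accept_ra_rt_info_min_plen = 0,
 .accept_ra_rt_info_max_plen = 0,
 #endif
 #endif
@@ -278,6 +277,7 @@
 .accept_ra_rtr_pref = 1,
 .rtr_probe_interval = 60 * HZ,
 #ifdef CONFIG_IPV6_ROUTE_INFO
+.accept_ra_rt_info_min_plen = 0,
 .accept_ra_rt_info_max_plen = 0,
 #endif
 #endif
@@ -4981,6 +4979,7 @@
 array[DEVCONF_RTR_PROBE_INTERVAL] =
 jiffies_to_msecs(cnf->rtr_probe_interval);
 #ifdef CONFIG_IPV6_ROUTE_INFO
+array[DEVCONF_ACCEPT_RA_RT_INFO_MIN_PLEN] = cnf->accept_ra_rt_info_min_plen;
 array[DEVCONF_ACCEPT_RA_RT_INFO_MAX_PLEN] = cnf->accept_ra_rt_info_max_plen;
 #endif
 #endif
@@ -6124,6 +6121,13 @@
 .proc_handler = proc_dointvec_jiffies,
 },
 #ifdef CONFIG_IPV6_ROUTE_INFO
+{
+.procname = "accept_ra_rt_info_min_plen",
+.data = &ipv6_devconf.accept_ra_rt_info_min_plen,
+.maxlen = sizeof(int),
+.mode = 0644,
+.proc_handler = proc_dointvec,
+},
 {
 .procname = "accept_ra_rt_info_max_plen",
 .data = &ipv6_devconf.accept_ra_rt_info_max_plen,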
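Review bot: The new sysctl table entry in the last hunk uses `proc_dointvec` with no bounds, so accept_ra_rt_info_min_plen accepts any int: a value above 128 silently discards every Route Information Option and a negative value is indistinguishable from 0, neither of which the ip-sysctl text spells out. This mirrors the existing accept_ra_rt_info_max_plen entry directly below it, so it is consistent, but either a `proc_dointvec_minmax` handler bounded to the prefix-length range or a short comment such as `/* no range clamp: >128 disables RIO processing, <0 behaves like 0, as for max_plen */` would make the intended contract explicit for the next reader. The two default initialisers and the DEVCONF_ACCEPT_RA_RT_INFO_MIN_PLEN export in the earlier hunks look consistent with the new field; the enclosing table and array definitions start and end outside the hunks.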
+2
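--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1418,6 +1418,8 @@
 if (ri->prefix_len == 0 &&
 !in6_dev->cnf.accept_ra_defrtr)
 continue;
+if (ri->prefix_len < in6_dev->cnf.accept_ra_rt_info_min_plen)
+continue;
 if (ri->prefix_len > in6_dev->cnf.accept_ra_rt_info_max_plen)
 continue;
 rt6_route_rcv(skb->dev, (u8 *)p, (p->nd_opt_len) << 3,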
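Review bot: The new minimum-length check sits after the `prefix_len == 0 && !accept_ra_defrtr` exception on the lines above it, so any accept_ra_rt_info_min_plen greater than 0 also discards ::/0 Route Information even when accept_ra_defrtr is enabled, and nothing in the hunk or the documentation entry records that interaction. A comment such as `/* min_plen applies to ::/0 as well: a value > 0 drops default-route RIOs regardless of accept_ra_defrtr */` above the new `if` would make that deliberate rather than accidental. Because prefix_len appears to be the 8-bit field of struct route_info compared against a signed __s32 sysctl, a negative minimum never matches and a value above 128 rejects every RIO, which is worth stating where the sysctl is documented. The enclosing function starts and ends outside the hunk.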