| From e0622e1971e0b3143e7ab8fc9653379d16fd981a Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Tue, 6 Jul 2021 11:13:35 +0200 |
| Subject: ipv6: fix 'disable_policy' for fwd packets |
| |
| From: Nicolas Dichtel <nicolas.dichtel@6wind.com> |
| |
| [ Upstream commit ccd27f05ae7b8ebc40af5b004e94517a919aa862 ] |
| |
| The goal of commit df789fe75206 ("ipv6: Provide ipv6 version of |
| "disable_policy" sysctl") was to have the disable_policy from ipv4 |
| available on ipv6. |
| However, it's not exactly the same mechanism. On IPv4, all packets coming |
| from an interface, which has disable_policy set, bypass the policy check. |
| For ipv6, this is done only for local packets, i.e. for packets destined to |
| an address configured on the incoming interface. |
| |
| Let's align ipv6 with ipv4 so that the 'disable_policy' sysctl has the same |
| effect for both protocols. |
| |
| My first approach was to create a new kind of route cache entries, to be |
| able to set DST_NOPOLICY without modifying routes. This would have added a |
| lot of code. Because the local delivery path is already handled, I chose |
| to focus on the forwarding path to minimize code churn. |
| |
| Fixes: df789fe75206 ("ipv6: Provide ipv6 version of "disable_policy" sysctl") |
| Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| net/ipv6/ip6_output.c | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c |
| index 497974b4372a..b7ffb4f227a4 100644 |
| --- a/net/ipv6/ip6_output.c |
| +++ b/net/ipv6/ip6_output.c |
| @@ -479,7 +479,9 @@ int ip6_forward(struct sk_buff *skb) |
| if (skb_warn_if_lro(skb)) |
| goto drop; |
| |
| - if (!xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) { |
| + if (!net->ipv6.devconf_all->disable_policy && |
| + !idev->cnf.disable_policy && |
| + !xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) { |
| __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS); |
| goto drop; |
| } |
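| Review bot: the new `!idev->cnf.disable_policy` test dereferences idev unconditionally, while the `__IP6_INC_STATS(net, idev, ...)` call two lines below is written to tolerate a NULL idev; please confirm that idev is guaranteed non-NULL at this point in ip6_forward() (it is the ingress device's inet6_dev, looked up earlier in the function), or guard the new test with `idev &&`. Two smaller points on the same hunk: IPv4 expresses the same "all || per-device" combination through a single IN_DEV_ORCONF()-style accessor rather than two open-coded reads, so a small helper would keep the IPv6 side symmetrical and easier to audit; and since forwarded packets now also skip the XFRM_POLICY_FWD check when disable_policy is set, the disable_policy entry in the IPv6 section of Documentation/networking/ip-sysctl.rst should state that it applies to forwarded traffic as well, as the commit message describes. |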
| -- |
| 2.30.2 |
| |