1 From 1b5aaa4b16f6e6471ab1c07b38068197a1b4c395 Mon Sep 17 00:00:00 2001
2 From: Jonas Gorski <jogo@openwrt.org>
3 Date: Fri, 24 May 2013 14:40:54 +0200
4 Subject: [PATCH 1/2] ipv6: allow rejecting with "source address failed policy"
6 RFC6204 L-14 requires rejecting traffic from invalid addresses with
7 ICMPv6 Destination Unreachable, Code 5 (Source address failed ingress/
8 egress policy) on the LAN side, so add an appropriate rule for that.
10 Signed-off-by: Jonas Gorski <jogo@openwrt.org>
12 include/net/netns/ipv6.h | 1 +
13 include/uapi/linux/fib_rules.h | 4 +++
14 include/uapi/linux/rtnetlink.h | 1 +
15 net/ipv4/fib_semantics.c | 4 +++
16 net/ipv4/fib_trie.c | 1 +
18 net/ipv6/fib6_rules.c | 4 +++
19 net/ipv6/ip6mr.c | 2 ++
20 net/ipv6/route.c | 58 +++++++++++++++++++++++++++++++++++++++++-
21 9 files changed, 75 insertions(+), 1 deletion(-)
23 --- a/include/net/netns/ipv6.h
24 +++ b/include/net/netns/ipv6.h
25 @@ -59,6 +59,7 @@ struct netns_ipv6 {
26 unsigned long ip6_rt_last_gc;
27 #ifdef CONFIG_IPV6_MULTIPLE_TABLES
28 struct rt6_info *ip6_prohibit_entry;
29 + struct rt6_info *ip6_policy_failed_entry;
30 struct rt6_info *ip6_blk_hole_entry;
31 struct fib6_table *fib6_local_tbl;
32 struct fib_rules_ops *fib6_rules_ops;
33 --- a/include/uapi/linux/fib_rules.h
34 +++ b/include/uapi/linux/fib_rules.h
35 @@ -64,6 +64,10 @@ enum {
36 FR_ACT_BLACKHOLE, /* Drop without notification */
37 FR_ACT_UNREACHABLE, /* Drop with ENETUNREACH */
38 FR_ACT_PROHIBIT, /* Drop with EACCES */
42 + FR_ACT_POLICY_FAILED, /* Drop with EACCES */
46 --- a/include/uapi/linux/rtnetlink.h
47 +++ b/include/uapi/linux/rtnetlink.h
48 @@ -203,6 +203,7 @@ enum {
49 RTN_THROW, /* Not in this table */
50 RTN_NAT, /* Translate this address */
51 RTN_XRESOLVE, /* Use external resolver */
52 + RTN_POLICY_FAILED, /* Failed ingress/egress policy */
56 --- a/net/ipv4/fib_semantics.c
57 +++ b/net/ipv4/fib_semantics.c
58 @@ -138,6 +138,10 @@ const struct fib_prop fib_props[RTN_MAX
60 .scope = RT_SCOPE_NOWHERE,
62 + [RTN_POLICY_FAILED] = {
64 + .scope = RT_SCOPE_UNIVERSE,
68 static void rt_fibinfo_free(struct rtable __rcu **rtp)
69 --- a/net/ipv4/fib_trie.c
70 +++ b/net/ipv4/fib_trie.c
71 @@ -2324,6 +2324,7 @@ static const char *const rtn_type_names[
72 [RTN_THROW] = "THROW",
74 [RTN_XRESOLVE] = "XRESOLVE",
75 + [RTN_POLICY_FAILED] = "POLICY_FAILED",
78 static inline const char *rtn_type(char *buf, size_t len, unsigned int t)
81 @@ -184,6 +184,7 @@ static int ipmr_rule_action(struct fib_r
82 case FR_ACT_UNREACHABLE:
85 + case FR_ACT_POLICY_FAILED:
87 case FR_ACT_BLACKHOLE:
89 --- a/net/ipv6/fib6_rules.c
90 +++ b/net/ipv6/fib6_rules.c
91 @@ -73,6 +73,10 @@ static int fib6_rule_action(struct fib_r
93 rt = net->ipv6.ip6_prohibit_entry;
95 + case FR_ACT_POLICY_FAILED:
97 + rt = net->ipv6.ip6_policy_failed_entry;
101 table = fib6_get_table(net, rule->table);
102 --- a/net/ipv6/ip6mr.c
103 +++ b/net/ipv6/ip6mr.c
104 @@ -169,6 +169,8 @@ static int ip6mr_rule_action(struct fib_
106 case FR_ACT_PROHIBIT:
108 + case FR_ACT_POLICY_FAILED:
110 case FR_ACT_BLACKHOLE:
113 --- a/net/ipv6/route.c
114 +++ b/net/ipv6/route.c
115 @@ -87,6 +87,8 @@ static int ip6_pkt_discard(struct sk_bu
116 static int ip6_pkt_discard_out(struct sock *sk, struct sk_buff *skb);
117 static int ip6_pkt_prohibit(struct sk_buff *skb);
118 static int ip6_pkt_prohibit_out(struct sock *sk, struct sk_buff *skb);
119 +static int ip6_pkt_policy_failed(struct sk_buff *skb);
120 +static int ip6_pkt_policy_failed_out(struct sock *sk, struct sk_buff *skb);
121 static void ip6_link_failure(struct sk_buff *skb);
122 static void ip6_rt_update_pmtu(struct dst_entry *dst, struct sock *sk,
123 struct sk_buff *skb, u32 mtu);
124 @@ -283,6 +285,21 @@ static const struct rt6_info ip6_prohibi
125 .rt6i_ref = ATOMIC_INIT(1),
128 +static const struct rt6_info ip6_policy_failed_entry_template = {
130 + .__refcnt = ATOMIC_INIT(1),
132 + .obsolete = DST_OBSOLETE_FORCE_CHK,
134 + .input = ip6_pkt_policy_failed,
135 + .output = ip6_pkt_policy_failed_out,
137 + .rt6i_flags = (RTF_REJECT | RTF_NONEXTHOP),
138 + .rt6i_protocol = RTPROT_KERNEL,
139 + .rt6i_metric = ~(u32) 0,
140 + .rt6i_ref = ATOMIC_INIT(1),
143 static const struct rt6_info ip6_blk_hole_entry_template = {
145 .__refcnt = ATOMIC_INIT(1),
146 @@ -1581,6 +1598,11 @@ int ip6_route_add(struct fib6_config *cf
147 rt->dst.output = ip6_pkt_prohibit_out;
148 rt->dst.input = ip6_pkt_prohibit;
150 + case RTN_POLICY_FAILED:
151 + rt->dst.error = -EACCES;
152 + rt->dst.output = ip6_pkt_policy_failed_out;
153 + rt->dst.input = ip6_pkt_policy_failed;
157 rt->dst.error = (cfg->fc_type == RTN_THROW) ? -EAGAIN
158 @@ -2142,6 +2164,17 @@ static int ip6_pkt_prohibit_out(struct s
159 return ip6_pkt_drop(skb, ICMPV6_ADM_PROHIBITED, IPSTATS_MIB_OUTNOROUTES);
162 +static int ip6_pkt_policy_failed(struct sk_buff *skb)
164 + return ip6_pkt_drop(skb, ICMPV6_POLICY_FAIL, IPSTATS_MIB_INNOROUTES);
167 +static int ip6_pkt_policy_failed_out(struct sock *sk, struct sk_buff *skb)
169 + skb->dev = skb_dst(skb)->dev;
170 + return ip6_pkt_drop(skb, ICMPV6_POLICY_FAIL, IPSTATS_MIB_OUTNOROUTES);
174 * Allocate a dst for local (unicast / anycast) address.
176 @@ -2365,7 +2398,8 @@ static int rtm_to_fib6_config(struct sk_
177 if (rtm->rtm_type == RTN_UNREACHABLE ||
178 rtm->rtm_type == RTN_BLACKHOLE ||
179 rtm->rtm_type == RTN_PROHIBIT ||
180 - rtm->rtm_type == RTN_THROW)
181 + rtm->rtm_type == RTN_THROW ||
182 + rtm->rtm_type == RTN_POLICY_FAILED)
183 cfg->fc_flags |= RTF_REJECT;
185 if (rtm->rtm_type == RTN_LOCAL)
186 @@ -2567,6 +2601,9 @@ static int rt6_fill_node(struct net *net
188 rtm->rtm_type = RTN_PROHIBIT;
191 + rtm->rtm_type = RTN_POLICY_FAILED;
194 rtm->rtm_type = RTN_THROW;
196 @@ -2820,6 +2857,8 @@ static int ip6_route_dev_notify(struct n
197 #ifdef CONFIG_IPV6_MULTIPLE_TABLES
198 net->ipv6.ip6_prohibit_entry->dst.dev = dev;
199 net->ipv6.ip6_prohibit_entry->rt6i_idev = in6_dev_get(dev);
200 + net->ipv6.ip6_policy_failed_entry->dst.dev = dev;
201 + net->ipv6.ip6_policy_failed_entry->rt6i_idev = in6_dev_get(dev);
202 net->ipv6.ip6_blk_hole_entry->dst.dev = dev;
203 net->ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(dev);
205 @@ -3036,6 +3075,17 @@ static int __net_init ip6_route_net_init
206 net->ipv6.ip6_blk_hole_entry->dst.ops = &net->ipv6.ip6_dst_ops;
207 dst_init_metrics(&net->ipv6.ip6_blk_hole_entry->dst,
208 ip6_template_metrics, true);
210 + net->ipv6.ip6_policy_failed_entry =
211 + kmemdup(&ip6_policy_failed_entry_template,
212 + sizeof(*net->ipv6.ip6_policy_failed_entry), GFP_KERNEL);
213 + if (!net->ipv6.ip6_policy_failed_entry)
214 + goto out_ip6_blk_hole_entry;
215 + net->ipv6.ip6_policy_failed_entry->dst.path =
216 + (struct dst_entry *)net->ipv6.ip6_policy_failed_entry;
217 + net->ipv6.ip6_policy_failed_entry->dst.ops = &net->ipv6.ip6_dst_ops;
218 + dst_init_metrics(&net->ipv6.ip6_policy_failed_entry->dst,
219 + ip6_template_metrics, true);
222 net->ipv6.sysctl.flush_delay = 0;
223 @@ -3054,6 +3104,8 @@ out:
226 #ifdef CONFIG_IPV6_MULTIPLE_TABLES
227 +out_ip6_blk_hole_entry:
228 + kfree(net->ipv6.ip6_blk_hole_entry);
229 out_ip6_prohibit_entry:
230 kfree(net->ipv6.ip6_prohibit_entry);
232 @@ -3071,6 +3123,7 @@ static void __net_exit ip6_route_net_exi
233 #ifdef CONFIG_IPV6_MULTIPLE_TABLES
234 kfree(net->ipv6.ip6_prohibit_entry);
235 kfree(net->ipv6.ip6_blk_hole_entry);
236 + kfree(net->ipv6.ip6_policy_failed_entry);
238 dst_entries_destroy(&net->ipv6.ip6_dst_ops);
240 @@ -3167,6 +3220,9 @@ int __init ip6_route_init(void)
241 init_net.ipv6.ip6_prohibit_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);
242 init_net.ipv6.ip6_blk_hole_entry->dst.dev = init_net.loopback_dev;
243 init_net.ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);
244 + init_net.ipv6.ip6_policy_failed_entry->dst.dev = init_net.loopback_dev;
245 + init_net.ipv6.ip6_policy_failed_entry->rt6i_idev =
246 + in6_dev_get(init_net.loopback_dev);