ath79: fix incorrect identation in qca9557.dtsi
[oweals/openwrt.git] / target / linux / generic / pending-4.19 / 670-ipv6-allow-rejecting-with-source-address-failed-policy.patch
index 1397580382dea7b04041c69c276b9dcc53cc15f2..9e8bc10fd67f8d7ad74ba8096a65231fed99c492 100644 (file)
@@ -20,9 +20,9 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
 
 --- a/include/net/netns/ipv6.h
 +++ b/include/net/netns/ipv6.h
-@@ -69,6 +69,7 @@ struct netns_ipv6 {
- #ifdef CONFIG_IPV6_MULTIPLE_TABLES
-       bool                     fib6_has_custom_rules;
+@@ -78,6 +78,7 @@ struct netns_ipv6 {
+       unsigned int            fib6_rules_require_fldissect;
+       bool                    fib6_has_custom_rules;
        struct rt6_info         *ip6_prohibit_entry;
 +      struct rt6_info         *ip6_policy_failed_entry;
        struct rt6_info         *ip6_blk_hole_entry;
@@ -30,7 +30,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
        struct fib_rules_ops    *fib6_rules_ops;
 --- a/include/uapi/linux/fib_rules.h
 +++ b/include/uapi/linux/fib_rules.h
-@@ -73,6 +73,10 @@ enum {
+@@ -82,6 +82,10 @@ enum {
        FR_ACT_BLACKHOLE,       /* Drop without notification */
        FR_ACT_UNREACHABLE,     /* Drop with ENETUNREACH */
        FR_ACT_PROHIBIT,        /* Drop with EACCES */
@@ -43,7 +43,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
  
 --- a/include/uapi/linux/rtnetlink.h
 +++ b/include/uapi/linux/rtnetlink.h
-@@ -221,6 +221,7 @@ enum {
+@@ -228,6 +228,7 @@ enum {
        RTN_THROW,              /* Not in this table            */
        RTN_NAT,                /* Translate this address       */
        RTN_XRESOLVE,           /* Use external resolver        */
@@ -66,7 +66,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
  static void rt_fibinfo_free(struct rtable __rcu **rtp)
 --- a/net/ipv4/fib_trie.c
 +++ b/net/ipv4/fib_trie.c
-@@ -2460,6 +2460,7 @@ static const char *const rtn_type_names[
+@@ -2474,6 +2474,7 @@ static const char *const rtn_type_names[
        [RTN_THROW] = "THROW",
        [RTN_NAT] = "NAT",
        [RTN_XRESOLVE] = "XRESOLVE",
@@ -76,7 +76,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
  static inline const char *rtn_type(char *buf, size_t len, unsigned int t)
 --- a/net/ipv4/ipmr.c
 +++ b/net/ipv4/ipmr.c
-@@ -161,6 +161,7 @@ static int ipmr_rule_action(struct fib_r
+@@ -179,6 +179,7 @@ static int ipmr_rule_action(struct fib_r
        case FR_ACT_UNREACHABLE:
                return -ENETUNREACH;
        case FR_ACT_PROHIBIT:
@@ -86,7 +86,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
        default:
 --- a/net/ipv6/fib6_rules.c
 +++ b/net/ipv6/fib6_rules.c
-@@ -121,6 +121,10 @@ static int fib6_rule_action(struct fib_r
+@@ -221,6 +221,10 @@ static int __fib6_rule_action(struct fib
                err = -EACCES;
                rt = net->ipv6.ip6_prohibit_entry;
                goto discard_pkt;
@@ -99,7 +99,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
        tb_id = fib_rule_get_table(rule, arg);
 --- a/net/ipv6/ip6mr.c
 +++ b/net/ipv6/ip6mr.c
-@@ -168,6 +168,8 @@ static int ip6mr_rule_action(struct fib_
+@@ -162,6 +162,8 @@ static int ip6mr_rule_action(struct fib_
                return -ENETUNREACH;
        case FR_ACT_PROHIBIT:
                return -EACCES;
@@ -110,7 +110,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
                return -EINVAL;
 --- a/net/ipv6/route.c
 +++ b/net/ipv6/route.c
-@@ -91,6 +91,8 @@ static int           ip6_pkt_discard(struct sk_bu
+@@ -97,6 +97,8 @@ static int           ip6_pkt_discard(struct sk_bu
  static int            ip6_pkt_discard_out(struct net *net, struct sock *sk, struct sk_buff *skb);
  static int            ip6_pkt_prohibit(struct sk_buff *skb);
  static int            ip6_pkt_prohibit_out(struct net *net, struct sock *sk, struct sk_buff *skb);
@@ -119,8 +119,8 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
  static void           ip6_link_failure(struct sk_buff *skb);
  static void           ip6_rt_update_pmtu(struct dst_entry *dst, struct sock *sk,
                                           struct sk_buff *skb, u32 mtu);
-@@ -321,6 +323,21 @@ static const struct rt6_info ip6_prohibi
-       .rt6i_ref       = ATOMIC_INIT(1),
+@@ -326,6 +328,18 @@ static const struct rt6_info ip6_prohibi
+       .rt6i_flags     = (RTF_REJECT | RTF_NONEXTHOP),
  };
  
 +static const struct rt6_info ip6_policy_failed_entry_template = {
@@ -133,27 +133,31 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
 +              .output         = ip6_pkt_policy_failed_out,
 +      },
 +      .rt6i_flags     = (RTF_REJECT | RTF_NONEXTHOP),
-+      .rt6i_protocol  = RTPROT_KERNEL,
-+      .rt6i_metric    = ~(u32) 0,
-+      .rt6i_ref       = ATOMIC_INIT(1),
 +};
 +
  static const struct rt6_info ip6_blk_hole_entry_template = {
        .dst = {
                .__refcnt       = ATOMIC_INIT(1),
-@@ -2046,6 +2063,11 @@ static struct rt6_info *ip6_route_info_c
-                       rt->dst.output = ip6_pkt_prohibit_out;
-                       rt->dst.input = ip6_pkt_prohibit;
-                       break;
-+              case RTN_POLICY_FAILED:
-+                      rt->dst.error = -EACCES;
-+                      rt->dst.output = ip6_pkt_policy_failed_out;
-+                      rt->dst.input = ip6_pkt_policy_failed;
-+                      break;
-               case RTN_THROW:
-               case RTN_UNREACHABLE:
-               default:
-@@ -2771,6 +2793,17 @@ static int ip6_pkt_prohibit_out(struct n
+@@ -900,6 +914,7 @@ static const int fib6_prop[RTN_MAX + 1]
+       [RTN_BLACKHOLE] = -EINVAL,
+       [RTN_UNREACHABLE] = -EHOSTUNREACH,
+       [RTN_PROHIBIT]  = -EACCES,
++      [RTN_POLICY_FAILED] = -EACCES,
+       [RTN_THROW]     = -EAGAIN,
+       [RTN_NAT]       = -EINVAL,
+       [RTN_XRESOLVE]  = -EINVAL,
+@@ -937,6 +952,10 @@ static void ip6_rt_init_dst_reject(struc
+               rt->dst.output = ip6_pkt_prohibit_out;
+               rt->dst.input = ip6_pkt_prohibit;
+               break;
++      case RTN_POLICY_FAILED:
++              rt->dst.output = ip6_pkt_policy_failed_out;
++              rt->dst.input = ip6_pkt_policy_failed;
++              break;
+       case RTN_THROW:
+       case RTN_UNREACHABLE:
+       default:
+@@ -3774,6 +3793,17 @@ static int ip6_pkt_prohibit_out(struct n
        return ip6_pkt_drop(skb, ICMPV6_ADM_PROHIBITED, IPSTATS_MIB_OUTNOROUTES);
  }
  
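Review bot: The new `[RTN_POLICY_FAILED] = -EACCES` entry in `fib6_prop` gives policy-failed routes the same errno as `RTN_PROHIBIT`, and this refresh also drops the `rt6_fill_node` hunk that reported `RTN_POLICY_FAILED` for `-EPERM`. If any remaining path in this kernel version derives the route type from `dst.error` (not visible here), such routes would be reported as prohibit, which would mislead anyone auditing reject routes from a route dump. Please confirm that the dumped type comes from the stored route type, and document the shared errno at the table entry, e.g. `/* same errno as RTN_PROHIBIT; only the reject handlers differ */`. The `fib6_prop` table and `ip6_rt_init_dst_reject` both start and end outside the hunk.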
@@ -171,7 +175,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
  /*
   *    Allocate a dst for local (unicast / anycast) address.
   */
-@@ -3007,7 +3040,8 @@ static int rtm_to_fib6_config(struct sk_
+@@ -4221,7 +4251,8 @@ static int rtm_to_fib6_config(struct sk_
        if (rtm->rtm_type == RTN_UNREACHABLE ||
            rtm->rtm_type == RTN_BLACKHOLE ||
            rtm->rtm_type == RTN_PROHIBIT ||
@@ -181,17 +185,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
                cfg->fc_flags |= RTF_REJECT;
  
        if (rtm->rtm_type == RTN_LOCAL)
-@@ -3502,6 +3536,9 @@ static int rt6_fill_node(struct net *net
-               case -EACCES:
-                       rtm->rtm_type = RTN_PROHIBIT;
-                       break;
-+              case -EPERM:
-+                      rtm->rtm_type = RTN_POLICY_FAILED;
-+                      break;
-               case -EAGAIN:
-                       rtm->rtm_type = RTN_THROW;
-                       break;
-@@ -3820,6 +3857,8 @@ static int ip6_route_dev_notify(struct n
+@@ -5069,6 +5100,8 @@ static int ip6_route_dev_notify(struct n
  #ifdef CONFIG_IPV6_MULTIPLE_TABLES
                net->ipv6.ip6_prohibit_entry->dst.dev = dev;
                net->ipv6.ip6_prohibit_entry->rt6i_idev = in6_dev_get(dev);
@@ -200,7 +194,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
                net->ipv6.ip6_blk_hole_entry->dst.dev = dev;
                net->ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(dev);
  #endif
-@@ -3831,6 +3870,7 @@ static int ip6_route_dev_notify(struct n
+@@ -5080,6 +5113,7 @@ static int ip6_route_dev_notify(struct n
                in6_dev_put_clear(&net->ipv6.ip6_null_entry->rt6i_idev);
  #ifdef CONFIG_IPV6_MULTIPLE_TABLES
                in6_dev_put_clear(&net->ipv6.ip6_prohibit_entry->rt6i_idev);
@@ -208,7 +202,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
                in6_dev_put_clear(&net->ipv6.ip6_blk_hole_entry->rt6i_idev);
  #endif
        }
-@@ -4047,6 +4087,17 @@ static int __net_init ip6_route_net_init
+@@ -5274,6 +5308,15 @@ static int __net_init ip6_route_net_init
        net->ipv6.ip6_blk_hole_entry->dst.ops = &net->ipv6.ip6_dst_ops;
        dst_init_metrics(&net->ipv6.ip6_blk_hole_entry->dst,
                         ip6_template_metrics, true);
@@ -218,15 +212,13 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
 +                      sizeof(*net->ipv6.ip6_policy_failed_entry), GFP_KERNEL);
 +      if (!net->ipv6.ip6_policy_failed_entry)
 +              goto out_ip6_blk_hole_entry;
-+      net->ipv6.ip6_policy_failed_entry->dst.path =
-+              (struct dst_entry *)net->ipv6.ip6_policy_failed_entry;
 +      net->ipv6.ip6_policy_failed_entry->dst.ops = &net->ipv6.ip6_dst_ops;
 +      dst_init_metrics(&net->ipv6.ip6_policy_failed_entry->dst,
 +                       ip6_template_metrics, true);
  #endif
  
        net->ipv6.sysctl.flush_delay = 0;
-@@ -4065,6 +4116,8 @@ out:
+@@ -5292,6 +5335,8 @@ out:
        return ret;
  
  #ifdef CONFIG_IPV6_MULTIPLE_TABLES
@@ -235,7 +227,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
  out_ip6_prohibit_entry:
        kfree(net->ipv6.ip6_prohibit_entry);
  out_ip6_null_entry:
-@@ -4082,6 +4135,7 @@ static void __net_exit ip6_route_net_exi
+@@ -5312,6 +5357,7 @@ static void __net_exit ip6_route_net_exi
  #ifdef CONFIG_IPV6_MULTIPLE_TABLES
        kfree(net->ipv6.ip6_prohibit_entry);
        kfree(net->ipv6.ip6_blk_hole_entry);
@@ -243,7 +235,7 @@ Signed-off-by: Jonas Gorski <jogo@openwrt.org>
  #endif
        dst_entries_destroy(&net->ipv6.ip6_dst_ops);
  }
-@@ -4155,6 +4209,9 @@ void __init ip6_route_init_special_entri
+@@ -5388,6 +5434,9 @@ void __init ip6_route_init_special_entri
        init_net.ipv6.ip6_prohibit_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);
        init_net.ipv6.ip6_blk_hole_entry->dst.dev = init_net.loopback_dev;
        init_net.ipv6.ip6_blk_hole_entry->rt6i_idev = in6_dev_get(init_net.loopback_dev);