ipv6: sysctl to restrict candidate source addresses
Per RFC 6724, section 4, "Candidate Source Addresses": It is RECOMMENDED that the candidate source addresses be the set of unicast addresses assigned to the interface that will be used to send to the destination (the "outgoing" interface). Add a sysctl to enable this behaviour. Signed-off-by: Erik Kline <ek@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
fb02eb4a29
commit
3985e8a361
|
@ -1460,6 +1460,13 @@ router_solicitations - INTEGER
|
||||||
routers are present.
|
routers are present.
|
||||||
Default: 3
|
Default: 3
|
||||||
|
|
||||||
|
use_oif_addrs_only - BOOLEAN
|
||||||
|
When enabled, the candidate source addresses for destinations
|
||||||
|
routed via this interface are restricted to the set of addresses
|
||||||
|
configured on this interface (vis. RFC 6724, section 4).
|
||||||
|
|
||||||
|
Default: false
|
||||||
|
|
||||||
use_tempaddr - INTEGER
|
use_tempaddr - INTEGER
|
||||||
Preference for Privacy Extensions (RFC3041).
|
Preference for Privacy Extensions (RFC3041).
|
||||||
<= 0 : disable Privacy Extensions
|
<= 0 : disable Privacy Extensions
|
||||||
|
|
|
@ -57,6 +57,7 @@ struct ipv6_devconf {
|
||||||
bool initialized;
|
bool initialized;
|
||||||
struct in6_addr secret;
|
struct in6_addr secret;
|
||||||
} stable_secret;
|
} stable_secret;
|
||||||
|
__s32 use_oif_addrs_only;
|
||||||
void *sysctl;
|
void *sysctl;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -171,6 +171,7 @@ enum {
|
||||||
DEVCONF_USE_OPTIMISTIC,
|
DEVCONF_USE_OPTIMISTIC,
|
||||||
DEVCONF_ACCEPT_RA_MTU,
|
DEVCONF_ACCEPT_RA_MTU,
|
||||||
DEVCONF_STABLE_SECRET,
|
DEVCONF_STABLE_SECRET,
|
||||||
|
DEVCONF_USE_OIF_ADDRS_ONLY,
|
||||||
DEVCONF_MAX
|
DEVCONF_MAX
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -211,7 +211,8 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
|
||||||
.accept_ra_mtu = 1,
|
.accept_ra_mtu = 1,
|
||||||
.stable_secret = {
|
.stable_secret = {
|
||||||
.initialized = false,
|
.initialized = false,
|
||||||
}
|
},
|
||||||
|
.use_oif_addrs_only = 0,
|
||||||
};
|
};
|
||||||
|
|
||||||
static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = {
|
static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = {
|
||||||
|
@ -253,6 +254,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = {
|
||||||
.stable_secret = {
|
.stable_secret = {
|
||||||
.initialized = false,
|
.initialized = false,
|
||||||
},
|
},
|
||||||
|
.use_oif_addrs_only = 0,
|
||||||
};
|
};
|
||||||
|
|
||||||
/* Check if a valid qdisc is available */
|
/* Check if a valid qdisc is available */
|
||||||
|
@ -1472,11 +1474,16 @@ int ipv6_dev_get_saddr(struct net *net, const struct net_device *dst_dev,
|
||||||
* include addresses assigned to interfaces
|
* include addresses assigned to interfaces
|
||||||
* belonging to the same site as the outgoing
|
* belonging to the same site as the outgoing
|
||||||
* interface.)
|
* interface.)
|
||||||
|
* - "It is RECOMMENDED that the candidate source addresses
|
||||||
|
* be the set of unicast addresses assigned to the
|
||||||
|
* interface that will be used to send to the destination
|
||||||
|
* (the 'outgoing' interface)." (RFC 6724)
|
||||||
*/
|
*/
|
||||||
if (dst_dev) {
|
if (dst_dev) {
|
||||||
|
idev = __in6_dev_get(dst_dev);
|
||||||
if ((dst_type & IPV6_ADDR_MULTICAST) ||
|
if ((dst_type & IPV6_ADDR_MULTICAST) ||
|
||||||
dst.scope <= IPV6_ADDR_SCOPE_LINKLOCAL) {
|
dst.scope <= IPV6_ADDR_SCOPE_LINKLOCAL ||
|
||||||
idev = __in6_dev_get(dst_dev);
|
(idev && idev->cnf.use_oif_addrs_only)) {
|
||||||
use_oif_addr = true;
|
use_oif_addr = true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -4607,6 +4614,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf *cnf,
|
||||||
array[DEVCONF_ACCEPT_RA_FROM_LOCAL] = cnf->accept_ra_from_local;
|
array[DEVCONF_ACCEPT_RA_FROM_LOCAL] = cnf->accept_ra_from_local;
|
||||||
array[DEVCONF_ACCEPT_RA_MTU] = cnf->accept_ra_mtu;
|
array[DEVCONF_ACCEPT_RA_MTU] = cnf->accept_ra_mtu;
|
||||||
/* we omit DEVCONF_STABLE_SECRET for now */
|
/* we omit DEVCONF_STABLE_SECRET for now */
|
||||||
|
array[DEVCONF_USE_OIF_ADDRS_ONLY] = cnf->use_oif_addrs_only;
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline size_t inet6_ifla6_size(void)
|
static inline size_t inet6_ifla6_size(void)
|
||||||
|
@ -5605,6 +5613,14 @@ static struct addrconf_sysctl_table
|
||||||
.mode = 0600,
|
.mode = 0600,
|
||||||
.proc_handler = addrconf_sysctl_stable_secret,
|
.proc_handler = addrconf_sysctl_stable_secret,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
.procname = "use_oif_addrs_only",
|
||||||
|
.data = &ipv6_devconf.use_oif_addrs_only,
|
||||||
|
.maxlen = sizeof(int),
|
||||||
|
.mode = 0644,
|
||||||
|
.proc_handler = proc_dointvec,
|
||||||
|
|
||||||
|
},
|
||||||
{
|
{
|
||||||
/* sentinel */
|
/* sentinel */
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue