From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Nicolas Dichtel, "David S. Miller", Sasha Levin
Subject: [PATCH 4.19 061/120] ipv6: fix disable_policy for fwd packets
Date: Mon, 26 Jul 2021 17:38:33 +0200
Message-Id: <20210726153834.340216674@linuxfoundation.org>
In-Reply-To: <20210726153832.339431936@linuxfoundation.org>

From: Nicolas Dichtel

[ Upstream commit ccd27f05ae7b8ebc40af5b004e94517a919aa862 ]

The goal of commit df789fe75206 ("ipv6: Provide ipv6 version of "disable_policy" sysctl") was to have the disable_policy from ipv4 available on ipv6. However, it's not exactly the same mechanism. On IPv4, all packets coming from an interface, which has disable_policy set, bypass the policy check. For ipv6, this is done only for local packets, i.e. for packets destined to an address configured on the incoming interface.

Let's align ipv6 with ipv4 so that the 'disable_policy' sysctl has the same effect for both protocols.

My first approach was to create a new kind of route cache entries, to be able to set DST_NOPOLICY without modifying routes. This would have added a lot of code. Because the local delivery path is already handled, I choose to focus on the forwarding path to minimize code churn.

Fixes: df789fe75206 ("ipv6: Provide ipv6 version of "disable_policy" sysctl")
Signed-off-by: Nicolas Dichtel
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
--- net/ipv6/ip6_output.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index aa8f19f852cc..fc36f3b0dceb 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c
@@ -459,7 +459,9 @@ int ip6_forward(struct sk_buff *skb) if (skb_warn_if_lro(skb)) goto drop; - if (!xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) { + if (!net->ipv6.devconf_all->disable_policy && + !idev->cnf.disable_policy && + !xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) { __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS); goto drop; } -- 2.30.2
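Review bot: The added `!idev->cnf.disable_policy` test in ip6_forward() dereferences idev unconditionally, and nothing in the visible context establishes that idev is non-NULL at this point. The removed code only handed idev to `__IP6_INC_STATS()`, so this is the first direct dereference in the hunk; if the lookup that fills idev can fail for a forwarded packet, the forwarding path would oops here. Please either point to the earlier check that guarantees a valid idev or write the term as `(!idev || !idev->cnf.disable_policy)` so a missing in6 device falls through to `xfrm6_policy_check()`. Separately, `net->ipv6.devconf_all->disable_policy` now skips the XFRM_POLICY_FWD check for every forwarded IPv6 packet in the namespace, not only locally delivered ones as the commit message says was the case before. For a stable backport it would help to state that widened scope in the sysctl documentation, since hosts that already set disable_policy will start forwarding traffic without the IPsec forward-policy check after this update.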