From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Nicolas Dichtel, "David S. Miller", Sasha Levin
Subject: [PATCH 5.4 014/108] ipv6: fix disable_policy for fwd packets
Date: Mon, 26 Jul 2021 17:38:15 +0200
Message-Id: <20210726153832.154879941@linuxfoundation.org>

From: Nicolas Dichtel

[ Upstream commit ccd27f05ae7b8ebc40af5b004e94517a919aa862 ]

The goal of commit df789fe75206 ("ipv6: Provide ipv6 version of "disable_policy" sysctl") was to have the disable_policy from ipv4 available on ipv6.

However, it's not exactly the same mechanism. On IPv4, all packets coming from an interface, which has disable_policy set, bypass the policy check. For ipv6, this is done only for local packets, i.e. for packets destined to an address configured on the incoming interface.

Let's align ipv6 with ipv4 so that the 'disable_policy' sysctl has the same effect for both protocols.

My first approach was to create a new kind of route cache entries, to be able to set DST_NOPOLICY without modifying routes. This would have added a lot of code. Because the local delivery path is already handled, I choose to focus on the forwarding path to minimize code churn.

Fixes: df789fe75206 ("ipv6: Provide ipv6 version of "disable_policy" sysctl")
Signed-off-by: Nicolas Dichtel
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
--- net/ipv6/ip6_output.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 4dcbb1ccab25..33444d985681 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c 
@@ -477,7 +477,9 @@ int ip6_forward(struct sk_buff *skb) if (skb_warn_if_lro(skb)) goto drop; - if (!xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) { + if (!net->ipv6.devconf_all->disable_policy && + !idev->cnf.disable_policy && + !xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) { __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS); goto drop; } -- 2.30.2
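
Review bot: The added condition in ip6_forward() dereferences idev (`!idev->cnf.disable_policy`) with no NULL check visible in this hunk. If the lookup that sets idev earlier in the function can fail for the incoming interface, this becomes a NULL dereference on the per-packet forwarding path. Please either confirm idev is always valid at this point or guard it, for example `(!idev || !idev->cnf.disable_policy)`, so that a missing idev falls back to running xfrm6_policy_check(). Separately, the sysctl now exempts forwarded traffic from the XFRM_POLICY_FWD check, where the commit message says only local delivery was exempt before. The disable_policy documentation should state that, since hosts that already set it will start forwarding without the policy check once this lands.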