From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Nicolas Dichtel, "David S. Miller", Sasha Levin
Subject: [PATCH 5.13 023/223] ipv6: fix disable_policy for fwd packets
Date: Mon, 26 Jul 2021 17:36:55 +0200
Message-Id: <20210726153847.007181383@linuxfoundation.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210726153846.245305071@linuxfoundation.org>
References: <20210726153846.245305071@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Nicolas Dichtel

[ Upstream commit ccd27f05ae7b8ebc40af5b004e94517a919aa862 ]

The goal of commit df789fe75206 ("ipv6: Provide ipv6 version of "disable_policy" sysctl") was to have the disable_policy from ipv4 available on ipv6. However, it's not exactly the same mechanism.

On IPv4, all packets coming from an interface, which has disable_policy set, bypass the policy check. For ipv6, this is done only for local packets, i.e. for packets destined to an address configured on the incoming interface.

Let's align ipv6 with ipv4 so that the 'disable_policy' sysctl has the same effect for both protocols.

My first approach was to create a new kind of route cache entries, to be able to set DST_NOPOLICY without modifying routes. This would have added a lot of code. Because the local delivery path is already handled, I chose to focus on the forwarding path to minimize code churn.

Fixes: df789fe75206 ("ipv6: Provide ipv6 version of "disable_policy" sysctl")
Signed-off-by: Nicolas Dichtel
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin

--- net/ipv6/ip6_output.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 497974b4372a..b7ffb4f227a4 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c 
@@ -479,7 +479,9 @@ int ip6_forward(struct sk_buff *skb) if (skb_warn_if_lro(skb)) goto drop; - if (!xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) { + if (!net->ipv6.devconf_all->disable_policy && + !idev->cnf.disable_policy && + !xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) { __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS); goto drop; } -- 2.30.2
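
Review bot: The new condition in ip6_forward() dereferences idev (idev->cnf.disable_policy) with no NULL check visible in this hunk, on a path that runs for every forwarded packet. The assignment of idev is outside the shown context, so please confirm it cannot be NULL here; if it can, this is a NULL pointer dereference reachable from the forwarding path. A guarded form such as (!idev || !idev->cnf.disable_policy) would make a missing idev fall through to xfrm6_policy_check() rather than skip it. Separately, the diffstat shows only net/ipv6/ip6_output.c changed: since either net->ipv6.devconf_all->disable_policy or the incoming interface's disable_policy now bypasses the XFRM_POLICY_FWD check, the sysctl documentation should state that the setting covers forwarded packets as well as local delivery, because a host that already has disable_policy set stops enforcing IPsec forward policy on that traffic once this change is applied.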