Commit 9bdd8d40 authored by Brian Haley's avatar Brian Haley Committed by David S. Miller

ipv6: Fix incorrect disable_ipv6 behavior

Fix the behavior of allowing both sysctl and addrconf_dad_failure()
to set the disable_ipv6 parameter without any bad side-effects.
If DAD fails and accept_dad > 1, we will still set disable_ipv6=1,
but then instead of allowing an RA to add an address then
immediately fail DAD, we simply don't allow the address to be
added in the first place.  This also lets the user set this flag
and disable all IPv6 addresses on the interface, or on the entire
system.
Signed-off-by: default avatarBrian Haley <brian.haley@hp.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent cedc1dba
...@@ -1043,7 +1043,9 @@ max_addresses - INTEGER ...@@ -1043,7 +1043,9 @@ max_addresses - INTEGER
Default: 16 Default: 16
disable_ipv6 - BOOLEAN disable_ipv6 - BOOLEAN
Disable IPv6 operation. Disable IPv6 operation. If accept_dad is set to 2, this value
will be dynamically set to TRUE if DAD fails for the link-local
address.
Default: FALSE (enable IPv6 operation) Default: FALSE (enable IPv6 operation)
accept_dad - INTEGER accept_dad - INTEGER
......
...@@ -590,6 +590,7 @@ ipv6_add_addr(struct inet6_dev *idev, const struct in6_addr *addr, int pfxlen, ...@@ -590,6 +590,7 @@ ipv6_add_addr(struct inet6_dev *idev, const struct in6_addr *addr, int pfxlen,
{ {
struct inet6_ifaddr *ifa = NULL; struct inet6_ifaddr *ifa = NULL;
struct rt6_info *rt; struct rt6_info *rt;
struct net *net = dev_net(idev->dev);
int hash; int hash;
int err = 0; int err = 0;
int addr_type = ipv6_addr_type(addr); int addr_type = ipv6_addr_type(addr);
...@@ -606,6 +607,11 @@ ipv6_add_addr(struct inet6_dev *idev, const struct in6_addr *addr, int pfxlen, ...@@ -606,6 +607,11 @@ ipv6_add_addr(struct inet6_dev *idev, const struct in6_addr *addr, int pfxlen,
goto out2; goto out2;
} }
if (idev->cnf.disable_ipv6 || net->ipv6.devconf_all->disable_ipv6) {
err = -EACCES;
goto out2;
}
write_lock(&addrconf_hash_lock); write_lock(&addrconf_hash_lock);
/* Ignore adding duplicate addresses on an interface */ /* Ignore adding duplicate addresses on an interface */
...@@ -1433,6 +1439,11 @@ static void addrconf_dad_stop(struct inet6_ifaddr *ifp) ...@@ -1433,6 +1439,11 @@ static void addrconf_dad_stop(struct inet6_ifaddr *ifp)
void addrconf_dad_failure(struct inet6_ifaddr *ifp) void addrconf_dad_failure(struct inet6_ifaddr *ifp)
{ {
struct inet6_dev *idev = ifp->idev; struct inet6_dev *idev = ifp->idev;
if (net_ratelimit())
printk(KERN_INFO "%s: IPv6 duplicate address detected!\n",
ifp->idev->dev->name);
if (idev->cnf.accept_dad > 1 && !idev->cnf.disable_ipv6) { if (idev->cnf.accept_dad > 1 && !idev->cnf.disable_ipv6) {
struct in6_addr addr; struct in6_addr addr;
...@@ -1443,11 +1454,12 @@ void addrconf_dad_failure(struct inet6_ifaddr *ifp) ...@@ -1443,11 +1454,12 @@ void addrconf_dad_failure(struct inet6_ifaddr *ifp)
ipv6_addr_equal(&ifp->addr, &addr)) { ipv6_addr_equal(&ifp->addr, &addr)) {
/* DAD failed for link-local based on MAC address */ /* DAD failed for link-local based on MAC address */
idev->cnf.disable_ipv6 = 1; idev->cnf.disable_ipv6 = 1;
printk(KERN_INFO "%s: IPv6 being disabled!\n",
ifp->idev->dev->name);
} }
} }
if (net_ratelimit())
printk(KERN_INFO "%s: duplicate address detected!\n", ifp->idev->dev->name);
addrconf_dad_stop(ifp); addrconf_dad_stop(ifp);
} }
...@@ -2823,11 +2835,6 @@ static void addrconf_dad_timer(unsigned long data) ...@@ -2823,11 +2835,6 @@ static void addrconf_dad_timer(unsigned long data)
read_unlock_bh(&idev->lock); read_unlock_bh(&idev->lock);
goto out; goto out;
} }
if (idev->cnf.accept_dad > 1 && idev->cnf.disable_ipv6) {
read_unlock_bh(&idev->lock);
addrconf_dad_failure(ifp);
return;
}
spin_lock_bh(&ifp->lock); spin_lock_bh(&ifp->lock);
if (ifp->probes == 0) { if (ifp->probes == 0) {
/* /*
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment