Merge branch 'do-not-allow-adding-routes-if-disable_ipv6-is-enabled'

Lorenzo Bianconi says: ==================== do not allow adding routes if disable_ipv6 is enabled Do not allow userspace to add static ipv6 routes if disable_ipv6 is enabled. Update disable_ipv6 documentation according to that change Changes since v1: - added an extack message telling the user that IPv6 is disabled on the nexthop device - rebased on-top of net-next ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-30 12:20:53 -04:00 · 2018-03-30 12:20:53 -04:00 · e7696042fe
commit e7696042fe
parent d162190bde 2f0aaf7fb1
2 changed files with 9 additions and 1 deletions
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@ -1703,7 +1703,9 @@ disable_ipv6 - BOOLEAN
 	interface and start Duplicate Address Detection, if necessary.

 	When this value is changed from 0 to 1 (IPv6 is being disabled),
-	it will dynamically delete all address on the given interface.
+	it will dynamically delete all addresses and routes on the given
+	interface. From now on it will not possible to add addresses/routes
+	to the selected interface.

 accept_dad - INTEGER
 	Whether to accept DAD (Duplicate Address Detection).
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@ -2917,6 +2917,12 @@ static struct rt6_info *ip6_route_info_create(struct fib6_config *cfg,
 	if (!dev)
 		goto out;

+	if (idev->cnf.disable_ipv6) {
+		NL_SET_ERR_MSG(extack, "IPv6 is disabled on nexthop device");
+		err = -EACCES;
+		goto out;
+	}
+
 	if (!(dev->flags & IFF_UP)) {
 		NL_SET_ERR_MSG(extack, "Nexthop device is not up");
 		err = -ENETDOWN;