net ipv6: Prevent neighbor add if protocol is disabled on device

Disabling IPv6 on an interface removes existing entries but nothing prevents
new entries from being manually added. To that end, add a new neigh_table
operation, allow_add, that is called on RTM_NEWNEIGH to see if neighbor
entries are allowed on a given device. If IPv6 is disabled on the device,
allow_add returns false and passes a message back to the user via extack.

  $ echo 1 > /proc/sys/net/ipv6/conf/eth1/disable_ipv6
  $ ip -6 neigh add fe80::4c88:bff:fe21:2704 dev eth1 lladdr de:ad:be:ef:01:01
  Error: IPv6 is disabled on this device.

Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/net/neighbour.h b/include/net/neighbour.h
index 3e5438bd0101cda2b9b6c7eecf051e9f73beef0d..50a67bd6a43413bf69e2ad7b7c27e8460b6fb152 100644 (file)
--- a/include/net/neighbour.h
+++ b/include/net/neighbour.h
@@ -205,6 +205,8 @@ struct neigh_table {
        int                     (*pconstructor)(struct pneigh_entry *);
        void                    (*pdestructor)(struct pneigh_entry *);
        void                    (*proxy_redo)(struct sk_buff *skb);
+       bool                    (*allow_add)(const struct net_device *dev,
+                                            struct netlink_ext_ack *extack);
        char                    *id;
        struct neigh_parms      parms;
        struct list_head        parms_list;

diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index 30f6fd8f68e0dc42801686ede3886f366ee1732b..997cfa8f99ba9c1f259e3958e27cf5392e41745c 100644 (file)
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -1920,6 +1920,11 @@ static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh,
                goto out;
        }
 
+       if (tbl->allow_add && !tbl->allow_add(dev, extack)) {
+               err = -EINVAL;
+               goto out;
+       }
+
        neigh = neigh_lookup(tbl, dst, dev);
        if (neigh == NULL) {
                bool exempt_from_gc;

diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 66c8b294e02bbacbd673e84bfe8081e67281c1f8..4c8e2ea8bf193ac006a7dcb4e7e94dff2a394b0e 100644 (file)
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -77,6 +77,8 @@ static u32 ndisc_hash(const void *pkey,
                      const struct net_device *dev,
                      __u32 *hash_rnd);
 static bool ndisc_key_eq(const struct neighbour *neigh, const void *pkey);
+static bool ndisc_allow_add(const struct net_device *dev,
+                           struct netlink_ext_ack *extack);
 static int ndisc_constructor(struct neighbour *neigh);
 static void ndisc_solicit(struct neighbour *neigh, struct sk_buff *skb);
 static void ndisc_error_report(struct neighbour *neigh, struct sk_buff *skb);
@@ -117,6 +119,7 @@ struct neigh_table nd_tbl = {
        .pconstructor = pndisc_constructor,
        .pdestructor =  pndisc_destructor,
        .proxy_redo =   pndisc_redo,
+       .allow_add  =   ndisc_allow_add,
        .id =           "ndisc_cache",
        .parms = {
                .tbl                    = &nd_tbl,
@@ -392,6 +395,20 @@ static void pndisc_destructor(struct pneigh_entry *n)
        ipv6_dev_mc_dec(dev, &maddr);
 }
 
+/* called with rtnl held */
+static bool ndisc_allow_add(const struct net_device *dev,
+                           struct netlink_ext_ack *extack)
+{
+       struct inet6_dev *idev = __in6_dev_get(dev);
+
+       if (!idev || idev->cnf.disable_ipv6) {
+               NL_SET_ERR_MSG(extack, "IPv6 is disabled on this device");
+               return false;
+       }
+
+       return true;
+}
+
 static struct sk_buff *ndisc_alloc_skb(struct net_device *dev,
                                       int len)
 {