[Devel] [PATCH RHEL7 COMMIT] ms/ipv6: fix 'disable_policy' for fwd packets

Vasily Averin vvs at virtuozzo.com
Fri Nov 26 11:07:03 MSK 2021


The commit is pushed to "branch-rh7-3.10.0-1160.42.2.vz7.184.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1160.42.2.vz7.184.5
------>
commit 2a88bf48450ca78a1ec8152fc4192b8c9869efc4
Author: Nicolas Bechtel <nicolas.dichtel at 6wind.com>
Date:   Fri Nov 26 11:07:02 2021 +0300

    ms/ipv6: fix 'disable_policy' for fwd packets
    
    The goal of commit df789fe75206 ("ipv6: Provide ipv6 version of
    "disable_policy" sysctl") was to have the disable_policy from ipv4
    available on ipv6.
    However, it's not exactly the same mechanism. On IPv4, all packets coming
    from an interface, which has disable_policy set, bypass the policy check.
    For ipv6, this is done only for local packets, i.e. for packets destined to
    an address configured on the incoming interface.
    
    Let's align ipv6 with ipv4 so that the 'disable_policy' sysctl has the same
    effect for both protocols.
    
    My first approach was to create a new kind of route cache entries, to be
    able to set DST_NOPOLICY without modifying routes. This would have added a
    lot of code. Because the local delivery path is already handled, I choose
    to focus on the forwarding path to minimize code churn.
    
    Fixes: df789fe75206 ("ipv6: Provide ipv6 version of "disable_policy" sysctl")
    Signed-off-by: Nicolas Bechtel <nicolas.dichtel at 6wind.com>
    Signed-off-by: David S. Miller <davem at davemloft.net>
    (cherry picked from commit ccd27f05ae7b8ebc40af5b004e94517a919aa862)
    [VvS: minor context changes]
    https://pmc.acronis.com/browse/VSTOR-48427
    Signed-off-by: Vasily Averin <vvs at virtuozzo.com>
---
 net/ipv6/ip6_output.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 367691c..1a945f9 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -379,7 +379,9 @@ int ip6_forward(struct sk_buff *skb)
 	if (skb_warn_if_lro(skb))
 		goto drop;
 
-	if (!xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) {
+	if (!net->ipv6.devconf_all->disable_policy &&
+	    !ip6_dst_idev(dst)->cnf.disable_policy &&
+	    !xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) {
 		IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_INDISCARDS);
 		goto drop;
 	}
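
Review bot: the per-interface test on the second added line reads the flag from `ip6_dst_idev(dst)`, while the commit message describes the bypass as applying to packets coming from an interface that has disable_policy set. Assuming `dst` is the packet's route entry, in the forwarding path it describes where the packet is going, so please confirm that this idev is the ingress device. If it is the egress one, the XFRM_POLICY_FWD check is skipped based on the outgoing interface's setting, which does not match the IPv4 behaviour the message cites. The same line dereferences `ip6_dst_idev(dst)->cnf` with no NULL test. Suggest resolving the incoming device's inet6_dev once into a local, checking it for NULL, and using that local in the condition. A short comment above the condition noting that either sysctl disables the forward policy check for the packet would also help later readers of this path.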

