Re: [PATCH net] ipv6: set all.accept_dad to 0 by default

2017-11-13 Thread Erik Kline
Should we consider rolling back the patch that caused this?
"accept_dad = 1" is the proper IETF-expected default behaviour.

Alternatively, if we really want to make all, default, and ifname
useful perhaps we need to investigate a tristate option (for currently
boolean values, at least).  -1 could mean no preference, for example.

On 13 November 2017 at 13:45, Nicolas Dichtel <nicolas.dich...@6wind.com> wrote:
> The commit a2d3f3e33853 modifies the way to disable dad on an interface.
> Before the patch, setting .accept_dad to 0 was enough to disable it.
> Because all.accept_dad is set to 1 by default, after the patch, the user
> needs to set both all.accept_dad and .accept_dad to 0 to disable it.
>
> This is not backward compatible. When a user updates its kernel, the dad
> may be enabled by error.
>
> Let's set all.accept_dad to 0 by default to restore the previous behavior.
>
> Fixes: a2d3f3e33853 ("ipv6: fix net.ipv6.conf.all.accept_dad behaviour for real")
> CC: Stefano Brivio <sbri...@redhat.com>
> CC: Matteo Croce <mcr...@redhat.com>
> CC: Erik Kline <e...@google.com>
> Signed-off-by: Nicolas Dichtel <nicolas.dich...@6wind.com>
> ---
>  net/ipv6/addrconf.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
> index 8a1c846d3df9..ef5b61507b9a 100644
> --- a/net/ipv6/addrconf.c
> +++ b/net/ipv6/addrconf.c
> @@ -231,7 +231,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
> .proxy_ndp  = 0,
> .accept_source_route= 0,/* we do not accept RH0 by default. */
> .disable_ipv6   = 0,
> -   .accept_dad = 1,
> +   .accept_dad = 0,
> .suppress_frag_ndisc= 1,
> .accept_ra_mtu  = 1,
> .stable_secret  = {
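Review bot: the one-line change to .accept_dad in ipv6_devconf flips the default of conf/all/accept_dad, yet the diffstat lists only net/ipv6/addrconf.c, so nothing tells users that the "all" default is now 0 while the initializer for conf/default is left alone. Please update the accept_dad entry in Documentation/networking/ip-sysctl.txt in the same patch, stating the default of each of all, default and the per-interface value.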
> --
> 2.13.2
>




Re: [PATCH] net: ipv6: sysctl to specify IPv6 ND traffic class

2017-11-07 Thread Erik Kline
Thanks.

Signed-off-by: Erik Kline <e...@google.com>

On 7 November 2017 at 16:59, Maciej Żenczykowski <zenczykow...@gmail.com> wrote:
> From: Maciej Żenczykowski <m...@google.com>
>
> Add a per-device sysctl to specify the default traffic class to use for
> kernel originated IPv6 Neighbour Discovery packets.
>
> Currently this includes:
>
>   - Router Solicitation (ICMPv6 type 133)
> ndisc_send_rs() -> ndisc_send_skb() -> ip6_nd_hdr()
>
>   - Neighbour Solicitation (ICMPv6 type 135)
> ndisc_send_ns() -> ndisc_send_skb() -> ip6_nd_hdr()
>
>   - Neighbour Advertisement (ICMPv6 type 136)
> ndisc_send_na() -> ndisc_send_skb() -> ip6_nd_hdr()
>
>   - Redirect (ICMPv6 type 137)
> ndisc_send_redirect() -> ndisc_send_skb() -> ip6_nd_hdr()
>
> and if the kernel ever gets around to generating RA's,
> it would presumably also include:
>
>   - Router Advertisement (ICMPv6 type 134)
> (radvd daemon could pick up on the kernel setting and use it)
>
> Interface drivers may examine the Traffic Class value and translate
> the DiffServ Code Point into a link-layer appropriate traffic
> prioritization scheme.  An example of mapping IETF DSCP values to
> IEEE 802.11 User Priority values can be found here:
>
> https://tools.ietf.org/html/draft-ietf-tsvwg-ieee-802-11
>
> The expected primary use case is to properly prioritize ND over wifi.
>
> Testing:
>   jzem22:~# cat /proc/sys/net/ipv6/conf/eth0/ndisc_tclass
>   0
>   jzem22:~# echo -1 > /proc/sys/net/ipv6/conf/eth0/ndisc_tclass
>   -bash: echo: write error: Invalid argument
>   jzem22:~# echo 256 > /proc/sys/net/ipv6/conf/eth0/ndisc_tclass
>   -bash: echo: write error: Invalid argument
>   jzem22:~# echo 0 > /proc/sys/net/ipv6/conf/eth0/ndisc_tclass
>   jzem22:~# echo 255 > /proc/sys/net/ipv6/conf/eth0/ndisc_tclass
>   jzem22:~# cat /proc/sys/net/ipv6/conf/eth0/ndisc_tclass
>   255
>   jzem22:~# echo 34 > /proc/sys/net/ipv6/conf/eth0/ndisc_tclass
>   jzem22:~# cat /proc/sys/net/ipv6/conf/eth0/ndisc_tclass
>   34
>
>   jzem22:~# echo $[0xDC] > /proc/sys/net/ipv6/conf/eth0/ndisc_tclass
>   jzem22:~# tcpdump -v -i eth0 icmp6 and src host jzem22.pgc and dst host 
> fe80::1
>   tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 
> 262144 bytes
>   IP6 (class 0xdc, hlim 255, next-header ICMPv6 (58) payload length: 24)
>   jzem22.pgc > fe80::1: [icmp6 sum ok] ICMP6, neighbor advertisement,
>   length 24, tgt is jzem22.pgc, Flags [solicited]
>
> (based on original change written by Erik Kline, with minor changes)
>
> Cc: Lorenzo Colitti <lore...@google.com>
> Cc: Erik Kline <e...@google.com>
> Signed-off-by: Maciej Żenczykowski <m...@google.com>
> ---
>  Documentation/networking/ip-sysctl.txt |  9 +
>  include/linux/ipv6.h   |  1 +
>  include/uapi/linux/ipv6.h  |  1 +
>  net/ipv6/addrconf.c| 11 +++
>  net/ipv6/ndisc.c   |  4 +++-
>  5 files changed, 25 insertions(+), 1 deletion(-)
>
> diff --git a/Documentation/networking/ip-sysctl.txt 
> b/Documentation/networking/ip-sysctl.txt
> index 54410a1d4065..d8676dda7fa6 100644
> --- a/Documentation/networking/ip-sysctl.txt
> +++ b/Documentation/networking/ip-sysctl.txt
> @@ -1732,6 +1732,15 @@ ndisc_notify - BOOLEAN
> 1 - Generate unsolicited neighbour advertisements when device is 
> brought
> up or hardware address changes.
>
> +ndisc_tclass - INTEGER
> +   The IPv6 Traffic Class to use by default when sending IPv6 Neighbor
> +   Discovery (Router Solicitation, Router Advertisement, Neighbor
> +   Solicitation, Neighbor Advertisement, Redirect) messages.
> +   These 8 bits can be interpreted as 6 high order bits holding the DSCP
> +   value and 2 low order bits representing ECN (which you probably want
> +   to leave cleared).
> +   0 - (default)
> +
>  mldv1_unsolicited_report_interval - INTEGER
> The interval in milliseconds in which the next unsolicited
> MLDv1 report retransmit will take place.
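Review bot: the added ndisc_tclass entry gives no valid range and its value list is only "0 - (default)", although the Testing transcript in the commit message shows -1 and 256 being rejected and 255 accepted. State the range 0 to 255 in the text. Also reconsider listing Router Advertisement among the messages, since the commit message says the kernel does not generate RAs today; either drop it or mark it as applying only if that changes.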
> diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
> index ea04ca024f0d..cb18c6290ca8 100644
> --- a/include/linux/ipv6.h
> +++ b/include/linux/ipv6.h
> @@ -73,6 +73,7 @@ struct ipv6_devconf {
> __u32   enhanced_dad;
> __u32   addr_gen_mode;
> __s32   disable_policy;
> +   __s32   ndisc_tclass;
>
> struct ctl_table_header *sysctl_header;
>  };
> diff --git a/include/uapi/linux/ipv6.h b/include/uapi/linux/ipv6.h
> index b22a9c4e1b12..9c0f4a92bcff 100644
> --- a/include/uapi/
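
The Traffic Class layout this patch describes (6 DSCP bits above 2 ECN bits), as an added example that is not part of the patch or the thread: a userspace C model that applies the 0 to 255 range seen in the Testing transcript and decodes the values written there. The function names are hypothetical; the point it shows is that the sysctl takes the whole 8-bit Traffic Class, so writing 34 yields DSCP 8 with ECN bits set, while DSCP 34 (AF41) with ECN cleared is written as 136.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed userspace model, not kernel code. */

#define TCLASS_MIN 0
#define TCLASS_MAX 255

/* Parse a string as it would be written to ndisc_tclass and apply the
 * 0..255 range seen in the Testing transcript.
 * Returns 0 and stores the value, or -EINVAL and leaves *out alone. */
int tclass_parse(const char *s, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (errno || end == s || (*end != '\0' && *end != '\n'))
        return -EINVAL;
    if (v < TCLASS_MIN || v > TCLASS_MAX)
        return -EINVAL;
    *out = (int)v;
    return 0;
}

/* Upper six bits: DiffServ Code Point. */
int tclass_dscp(int tclass) { return (tclass >> 2) & 0x3f; }

/* Lower two bits: ECN field. */
int tclass_ecn(int tclass) { return tclass & 0x3; }

/* Value to write for a wanted DSCP with ECN left cleared. */
int tclass_from_dscp(int dscp)
{
    if (dscp < 0 || dscp > 63)
        return -EINVAL;
    return dscp << 2;
}

int main(void)
{
    /* Constructed inputs: the values written in the Testing transcript,
     * with $[0xDC] expanded to its decimal form. */
    const char *samples[] = { "-1", "256", "0", "255", "34", "220" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int tc;

        if (tclass_parse(samples[i], &tc) != 0) {
            printf("%4s -> rejected (Invalid argument)\n", samples[i]);
            continue;
        }
        printf("%4s -> class 0x%02x dscp %2d ecn %d%s\n", samples[i], tc,
               tclass_dscp(tc), tclass_ecn(tc),
               tclass_ecn(tc) ? "  (ECN bits set)" : "");
    }
    printf("DSCP 34 with ECN cleared -> write %d\n", tclass_from_dscp(34));
    return 0;
}
```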

Re: [PATCH net] ipv6: fix net.ipv6.conf.all interface DAD handlers

2017-09-28 Thread Erik Kline
On 28 September 2017 at 13:47, Erik Kline <e...@google.com> wrote:
>> Erik, please review.
>
> I apologize for the delay. I see that you've already applied this, and
> it's mostly LGTM except I have one thing I'm not seeing clearly.
>
> The documentation accept_dad  now claims:
>
> DAD operation and mode on a given interface will be selected according
> to the maximum value of conf/{all,interface}/accept_dad.
>
> but I'm trying to square this with my reading of the changes to
> addrconf_dad_begin().  I think setting all.accept_dad to 0 but
> ifname.accept_dad to non-0 still results in the short-circuit call to
> addrconf_dad_completed().
>
> Am I just not seeing (thinking) straight?

Upon further reflection, doesn't the whole premise of this change
mean that it's no longer possible to selectively disable these
features if they are set on "all"?  Or are we saying that this mode is
only supported with "default" enable + "ifname" disable?




Re: [PATCH net] ipv6: fix net.ipv6.conf.all interface DAD handlers

2017-09-27 Thread Erik Kline
> Erik, please review.

I apologize for the delay. I see that you've already applied this, and
it's mostly LGTM except I have one thing I'm not seeing clearly.

The documentation accept_dad  now claims:

DAD operation and mode on a given interface will be selected according
to the maximum value of conf/{all,interface}/accept_dad.

but I'm trying to square this with my reading of the changes to
addrconf_dad_begin().  I think setting all.accept_dad to 0 but
ifname.accept_dad to non-0 still results in the short-circuit call to
addrconf_dad_completed().

Am I just not seeing (thinking) straight?




Re: [PATCH] ipv6 addrconf: implement RFC7559 router solicitation backoff

2016-09-29 Thread Erik Kline
Passes my local unittest for this behaviour.

Acked-by: Erik Kline <e...@google.com>


Re: [PATCH] ipv6 addrconf: remove addrconf_sysctl_hop_limit()

2016-09-29 Thread Erik Kline
Seems fine to me.

Acked-by: Erik Kline <e...@google.com>


Re: [PATCH v2 3/7] ipv6 addrconf: rtr_solicits == -1 means unlimited

2016-09-26 Thread Erik Kline
On 27 September 2016 at 11:23, Maciej Żenczykowski
 wrote:
>> Given that some of this patch checks for == -1, and some of it checks
>> for != 0... is it possible that setting the value to something
>> unexpected like -3 will cause any issues to the stack? (Other than
>> just rendering IPv6 unusable on this interface, which seems like a
>> given.)
>
> You shouldn't be able to set it to -3, that's what the extra1 is for...

the proc_dointvec_minmax reference with &minus_one means you shouldn't
be able to set it below -1.
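
The question in this exchange, as an added example that is not code from the thread or the kernel: a userspace C model of the rtr_solicits tests from the v4 3/7 patch quoted further down this page, showing what a value such as -3 would do if the write were not bounded at -1. Function names are hypothetical, and the starting value of rs_probes and the timer stopping once its test fails are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed userspace model, not kernel code.  The predicates copy
 * the patched tests from the v4 3/7 hunks quoted on this page. */

#define RTR_SOLICITS_MIN (-1)   /* lower bound handed over via .extra1 */

/* Stand-in for a sysctl write.  With bounded == true it enforces the
 * lower bound the way proc_dointvec_minmax does when extra1 is set;
 * with bounded == false it stores anything, like plain proc_dointvec.
 * Returns 0 on success, -1 when the write is refused. */
int model_write(int *rtr_solicits, int val, bool bounded)
{
    if (bounded && val < RTR_SOLICITS_MIN)
        return -1;
    *rtr_solicits = val;
    return 0;
}

/* addrconf_dad_completed(): the patched test is rtr_solicits != 0. */
bool model_sends_first_rs(int rtr_solicits)
{
    return rtr_solicits != 0;
}

/* addrconf_rs_timer(): number of solicitations sent over `fires` timer
 * runs while no RA arrives.  Assumptions: rs_probes starts at 0 and
 * the timer is not re-armed once the test fails. */
int model_timer_sends(int rtr_solicits, int fires)
{
    int rs_probes = 0, sent = 0;
    int i;

    for (i = 0; i < fires; i++) {
        if (rs_probes++ < rtr_solicits || rtr_solicits == -1)
            sent++;
        else
            break;
    }
    return sent;
}

/* True when the two tests disagree: "!= 0" treats the value as
 * soliciting enabled, yet the timer test never sends anything. */
bool model_inconsistent(int rtr_solicits)
{
    return model_sends_first_rs(rtr_solicits) &&
           model_timer_sends(rtr_solicits, 8) == 0;
}

int main(void)
{
    /* Constructed inputs covering each class of value. */
    const int values[] = { 3, 0, -1, -3 };
    size_t i;

    for (i = 0; i < sizeof(values) / sizeof(values[0]); i++) {
        int stored = 3;   /* the default shown in the patch context */
        int rc = model_write(&stored, values[i], true);

        printf("write %2d bounded: %s; unbounded it would give "
               "first_rs=%d timer_sends=%d inconsistent=%d\n",
               values[i], rc ? "refused" : "stored",
               model_sends_first_rs(values[i]),
               model_timer_sends(values[i], 8),
               model_inconsistent(values[i]));
    }
    return 0;
}
```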


Re: [PATCH v4 4/7] ipv6 addrconf: add new sysctl 'router_solicitation_max_interval'

2016-09-26 Thread Erik Kline
On 25 September 2016 at 20:03, Maciej Żenczykowski
<zenczykow...@gmail.com> wrote:
> From: Maciej Żenczykowski <m...@google.com>
>
> Accessible via:
>   /proc/sys/net/ipv6/conf/*/router_solicitation_max_interval
>
> For now we default it to the same value as the normal interval.
>
> Signed-off-by: Maciej Żenczykowski <m...@google.com>
> ---
>  include/linux/ipv6.h  |  1 +
>  include/net/addrconf.h|  1 +
>  include/uapi/linux/ipv6.h |  1 +
>  net/ipv6/addrconf.c   | 11 +++
>  4 files changed, 14 insertions(+)
>
> diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
> index c6dbcd84a2c7..7e9a789be5e0 100644
> --- a/include/linux/ipv6.h
> +++ b/include/linux/ipv6.h
> @@ -18,6 +18,7 @@ struct ipv6_devconf {
> __s32   dad_transmits;
> __s32   rtr_solicits;
> __s32   rtr_solicit_interval;
> +   __s32   rtr_solicit_max_interval;
> __s32   rtr_solicit_delay;
> __s32   force_mld_version;
> __s32   mldv1_unsolicited_report_interval;
> diff --git a/include/net/addrconf.h b/include/net/addrconf.h
> index 9826d3a9464c..275e5af4c2f4 100644
> --- a/include/net/addrconf.h
> +++ b/include/net/addrconf.h
> @@ -3,6 +3,7 @@
>
>  #define MAX_RTR_SOLICITATIONS  3
>  #define RTR_SOLICITATION_INTERVAL  (4*HZ)
> +#define RTR_SOLICITATION_MAX_INTERVAL  (4*HZ)
>
>  #define MIN_VALID_LIFETIME (2*3600)/* 2 hours */
>
> diff --git a/include/uapi/linux/ipv6.h b/include/uapi/linux/ipv6.h
> index 395876060f50..8c2772340c3f 100644
> --- a/include/uapi/linux/ipv6.h
> +++ b/include/uapi/linux/ipv6.h
> @@ -177,6 +177,7 @@ enum {
> DEVCONF_DROP_UNICAST_IN_L2_MULTICAST,
> DEVCONF_DROP_UNSOLICITED_NA,
> DEVCONF_KEEP_ADDR_ON_DOWN,
> +   DEVCONF_RTR_SOLICIT_MAX_INTERVAL,
> DEVCONF_MAX
>  };
>
> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
> index 6c63bf06fbcf..255be34cdbce 100644
> --- a/net/ipv6/addrconf.c
> +++ b/net/ipv6/addrconf.c
> @@ -187,6 +187,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
> .dad_transmits  = 1,
> .rtr_solicits   = MAX_RTR_SOLICITATIONS,
> .rtr_solicit_interval   = RTR_SOLICITATION_INTERVAL,
> +   .rtr_solicit_max_interval = RTR_SOLICITATION_MAX_INTERVAL,
> .rtr_solicit_delay  = MAX_RTR_SOLICITATION_DELAY,
> .use_tempaddr   = 0,
> .temp_valid_lft = TEMP_VALID_LIFETIME,
> @@ -232,6 +233,7 @@ static struct ipv6_devconf ipv6_devconf_dflt 
> __read_mostly = {
> .dad_transmits  = 1,
> .rtr_solicits   = MAX_RTR_SOLICITATIONS,
> .rtr_solicit_interval   = RTR_SOLICITATION_INTERVAL,
> +   .rtr_solicit_max_interval = RTR_SOLICITATION_MAX_INTERVAL,
> .rtr_solicit_delay  = MAX_RTR_SOLICITATION_DELAY,
> .use_tempaddr   = 0,
> .temp_valid_lft = TEMP_VALID_LIFETIME,
> @@ -4891,6 +4893,8 @@ static inline void ipv6_store_devconf(struct 
> ipv6_devconf *cnf,
> array[DEVCONF_RTR_SOLICITS] = cnf->rtr_solicits;
> array[DEVCONF_RTR_SOLICIT_INTERVAL] =
> jiffies_to_msecs(cnf->rtr_solicit_interval);
> +   array[DEVCONF_RTR_SOLICIT_MAX_INTERVAL] =
> +   jiffies_to_msecs(cnf->rtr_solicit_max_interval);
> array[DEVCONF_RTR_SOLICIT_DELAY] =
> jiffies_to_msecs(cnf->rtr_solicit_delay);
> array[DEVCONF_FORCE_MLD_VERSION] = cnf->force_mld_version;
> @@ -5771,6 +5775,13 @@ static const struct ctl_table addrconf_sysctl[] = {
> .proc_handler   = proc_dointvec_jiffies,
> },
> {
> +   .procname   = "router_solicitation_max_interval",
> +   .data   = _devconf.rtr_solicit_max_interval,
> +   .maxlen = sizeof(int),
> +   .mode   = 0644,
> +   .proc_handler   = proc_dointvec_jiffies,
> +   },
> +   {
> .procname   = "router_solicitation_delay",
> .data   = _devconf.rtr_solicit_delay,
> .maxlen = sizeof(int),
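Review bot: the new router_solicitation_max_interval entry uses proc_dointvec_jiffies with no bounds, and the diffstat lists no file under Documentation/, so the sysctl ships undocumented and accepts a maximum smaller than router_solicitation_interval. Add an ip-sysctl.txt entry giving the unit and default, and say what the stack does when the maximum is set below the initial interval.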
> --
> 2.8.0.rc3.226.g39d4020
>

Acked-by: Erik Kline <e...@google.com>


Re: [PATCH v4 3/7] ipv6 addrconf: rtr_solicits == -1 means unlimited

2016-09-26 Thread Erik Kline
On 25 September 2016 at 20:03, Maciej Żenczykowski
 wrote:
> From: Maciej Żenczykowski 
>
> This allows setting /proc/sys/net/ipv6/conf/*/router_solicitations
> to -1 meaning an unlimited number of retransmits.
>
> Signed-off-by: Maciej Żenczykowski 
> ---
>  net/ipv6/addrconf.c | 10 ++
>  1 file changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
> index 3a835495fb53..6c63bf06fbcf 100644
> --- a/net/ipv6/addrconf.c
> +++ b/net/ipv6/addrconf.c
> @@ -3687,7 +3687,7 @@ static void addrconf_rs_timer(unsigned long data)
> if (idev->if_flags & IF_RA_RCVD)
> goto out;
>
> -   if (idev->rs_probes++ < idev->cnf.rtr_solicits) {
> +   if (idev->rs_probes++ < idev->cnf.rtr_solicits || 
> idev->cnf.rtr_solicits == -1) {
> write_unlock(>lock);
> if (!ipv6_get_lladdr(dev, , IFA_F_TENTATIVE))
> ndisc_send_rs(dev, ,
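Review bot: in the new condition in addrconf_rs_timer() the post-increment is evaluated before the == -1 test, so with rtr_solicits set to -1 idev->rs_probes is still bumped on every timer run and keeps growing for as long as no RA arrives. Put the unlimited test first, i.e. idev->cnf.rtr_solicits == -1 || idev->rs_probes++ < idev->cnf.rtr_solicits, so the counter is left untouched in unlimited mode.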
> @@ -3949,7 +3949,7 @@ static void addrconf_dad_completed(struct inet6_ifaddr 
> *ifp)
> send_mld = ifp->scope == IFA_LINK && ipv6_lonely_lladdr(ifp);
> send_rs = send_mld &&
>   ipv6_accept_ra(ifp->idev) &&
> - ifp->idev->cnf.rtr_solicits > 0 &&
> + ifp->idev->cnf.rtr_solicits != 0 &&
>   (dev->flags_LOOPBACK) == 0;
> read_unlock_bh(>idev->lock);
>
> @@ -5099,7 +5099,7 @@ static int inet6_set_iftoken(struct inet6_dev *idev, 
> struct in6_addr *token)
> return -EINVAL;
> if (!ipv6_accept_ra(idev))
> return -EINVAL;
> -   if (idev->cnf.rtr_solicits <= 0)
> +   if (idev->cnf.rtr_solicits == 0)
> return -EINVAL;
>
> write_lock_bh(>lock);
> @@ -5699,6 +5699,7 @@ int addrconf_sysctl_ignore_routes_with_linkdown(struct 
> ctl_table *ctl,
> return ret;
>  }
>
> +static int minus_one = -1;

Same question from part 2: const as well?

>  static int one = 1;
>  static int two_five_five = 255;
>
> @@ -5759,7 +5760,8 @@ static const struct ctl_table addrconf_sysctl[] = {
> .data   = _devconf.rtr_solicits,
> .maxlen = sizeof(int),
> .mode   = 0644,
> -   .proc_handler   = proc_dointvec,
> +   .proc_handler   = proc_dointvec_minmax,
> +   .extra1 = _one,
> },
> {
> .procname   = "router_solicitation_interval",
> --
> 2.8.0.rc3.226.g39d4020
>


Re: [PATCH v4 2/7] ipv6 addrconf: remove addrconf_sysctl_hop_limit()

2016-09-26 Thread Erik Kline
On 25 September 2016 at 20:03, Maciej Żenczykowski
 wrote:
> From: Maciej Żenczykowski 
>
> replace with extra1/2 magic
>
> Signed-off-by: Maciej Żenczykowski 
> ---
>  net/ipv6/addrconf.c | 21 ++---
>  1 file changed, 6 insertions(+), 15 deletions(-)
>
> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
> index 11fa1a5564d4..3a835495fb53 100644
> --- a/net/ipv6/addrconf.c
> +++ b/net/ipv6/addrconf.c
> @@ -5467,20 +5467,6 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int 
> write,
>  }
>
>  static
> -int addrconf_sysctl_hop_limit(struct ctl_table *ctl, int write,
> -  void __user *buffer, size_t *lenp, loff_t 
> *ppos)
> -{
> -   struct ctl_table lctl;
> -   int min_hl = 1, max_hl = 255;
> -
> -   lctl = *ctl;
> -   lctl.extra1 = _hl;
> -   lctl.extra2 = _hl;
> -
> -   return proc_dointvec_minmax(, write, buffer, lenp, ppos);
> -}
> -
> -static
>  int addrconf_sysctl_mtu(struct ctl_table *ctl, int write,
> void __user *buffer, size_t *lenp, loff_t *ppos)
>  {
> @@ -5713,6 +5699,9 @@ int addrconf_sysctl_ignore_routes_with_linkdown(struct 
> ctl_table *ctl,
> return ret;
>  }
>
> +static int one = 1;
> +static int two_five_five = 255;

Should these be const as well?

> +
>  static const struct ctl_table addrconf_sysctl[] = {
> {
> .procname   = "forwarding",
> @@ -5726,7 +5715,9 @@ static const struct ctl_table addrconf_sysctl[] = {
> .data   = _devconf.hop_limit,
> .maxlen = sizeof(int),
> .mode   = 0644,
> -   .proc_handler   = addrconf_sysctl_hop_limit,
> +   .proc_handler   = proc_dointvec_minmax,
> +   .extra1 = ,
> +   .extra2 = _five_five,
> },
> {
> .procname   = "mtu",
> --
> 2.8.0.rc3.226.g39d4020
>


Re: [PATCH v4 1/7] ipv6 addrconf: enable use of proc_dointvec_minmax in addrconf_sysctl

2016-09-26 Thread Erik Kline
On 25 September 2016 at 20:03, Maciej Żenczykowski
<zenczykow...@gmail.com> wrote:
> From: Maciej Żenczykowski <m...@google.com>
>
> Signed-off-by: Maciej Żenczykowski <m...@google.com>
> ---
>  net/ipv6/addrconf.c | 10 --
>  1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
> index 2f1f5d439788..11fa1a5564d4 100644
> --- a/net/ipv6/addrconf.c
> +++ b/net/ipv6/addrconf.c
> @@ -6044,8 +6044,14 @@ static int __addrconf_sysctl_register(struct net *net, 
> char *dev_name,
>
> for (i = 0; table[i].data; i++) {
> table[i].data += (char *)p - (char *)_devconf;
> -   table[i].extra1 = idev; /* embedded; no ref */
> -   table[i].extra2 = net;
> +   /* If one of these is already set, then it is not safe to
> +* overwrite either of them: this makes proc_dointvec_minmax
> +* usable.
> +*/
> +   if (!table[i].extra1 && !table[i].extra2) {
> +   table[i].extra1 = idev; /* embedded; no ref */
> +   table[i].extra2 = net;
> +   }
> }
>
>     snprintf(path, sizeof(path), "net/ipv6/conf/%s", dev_name);
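Review bot: the new test in the registration loop skips the idev/net assignment as soon as either extra1 or extra2 is preset, so an entry that carries bounds never receives idev and net, and a handler on such an entry that reads ctl->extra1 as the device pointer would be handed a pointer to an int instead. Extend the comment to say that entries with preset extra1/extra2 must use a handler that does not expect idev/net, and give the patch a commit message body, which is currently empty.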
> --
> 2.8.0.rc3.226.g39d4020
>

Acked-by: Erik Kline <e...@google.com>


Re: [PATCH net] net: ipv6: Fix ping to link-local addresses.

2016-08-09 Thread Erik Kline
On 9 August 2016 at 14:20, David Miller  wrote:
> From: Lorenzo Colitti 
> Date: Tue, 9 Aug 2016 10:00:25 +0900
>
>> Note that pretty much every sendmsg codepath allows other data to take
>> precedence over sk_bound_dev_if:
>>
>> - udpv6_sendmsg: if sin6_scope_id specified on a scoped address
>> - rawv6_sendmsg: if sin6_scope_id specified on a scoped address
>> - l2tp_ip6_sendmsg: if sin6_scope_id specified on a scoped address
>> - ip_cmsg_send: if IP_PKTINFO or IPV6_PKTINFO specified
>>
>> What should I do about those? -EINVAL? Ignore the conflicting data? Leave as 
>> is?
>
> That's a good point, I guess this needs some more thought.

I could see a point of view that says when bound_if is in play sending
to destinations on/via other interfaces--by any mechanism--should
effectively get ENETUNREACH (or something).

That does seem like it would involve changing some existing behavior, though.


Re: Add a SOCK_DESTROY operation to close sockets from userspace

2015-11-17 Thread Erik Kline
On 18 November 2015 at 12:34, Erik Kline <e...@google.com> wrote:
>
>
> On 18 November 2015 at 12:27, Stephen Hemminger <step...@networkplumber.org>
> wrote:
>>
>> On Wed, 18 Nov 2015 10:43:40 +0900
>> Lorenzo Colitti <lore...@google.com> wrote:
>>
>> > This patch series adds the ability for a privileged process to
>> > destroy sockets belonging to other userspace processes via the
>> > sock_diag interface, and implements that for TCP sockets.
>> >
>> > This functionality is needed on laptops and mobile hosts to
>> > ensure that network switches / disconnects do not result in
>> > applications being blocked for long periods of time (minutes) in
>> > read or connect calls on TCP sockets that will never succeed
>> > because the IP address they are bound to is gone. Closing the
>> > sockets in the protocol layer causes these calls to fail fast and
>> > allows applications to reconnect on another network.
>> >
>> > For many years Android kernels have done this via an out-of-tree
>> > SIOCKILLADDR ioctl that is called when networks disconnect, but
>> > this solution is cleaner, more robust and more flexible. The
>> > system can iterate over all connections on the deleted IP address
>> > and close all of them. But it can also close all sockets opened
>> > by a given process on a given network, for example if the user
>> > has restricted that process from using that network, or if a
>> > secure network such as a VPN is now being applied to the
>> > application and thus previously-established connections are
>> > blackholed.
>> >
>> > The patch series only implements SOCK_DESTROY for TCP sockets,
>> > but the mechanism can be extended to any protocol family that
>> > supports the sock_diag interface.
>> >
>>
>> I understand why you might want this, but it smells like the same
>> kind of problems that the "forced unmount" patch had which eventually
>> led to it not being accepted in mainline.  Lots of corner
>> cases and race conditions waiting to blow up.
>>
>> Look at the issues that the multi-thread socket close has.
>> This looks worse.
>
>
> I'm unsure of the specific issue to which you refer with "multi-thread
> socket close".  This is basically just a user-space forced tcp_close(),
> leaving the file descriptor still valid in the user context for the
> application to manage (alternatively: it aims to be the same as if a
> correctly crafted TCP RST had arrived).
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[PATCH net-next v5] ipv6: sysctl to restrict candidate source addresses

2015-07-22 Thread Erik Kline
Per RFC 6724, section 4, Candidate Source Addresses:

It is RECOMMENDED that the candidate source addresses be the set
of unicast addresses assigned to the interface that will be used
to send to the destination (the outgoing interface).

Add a sysctl to enable this behaviour.

Signed-off-by: Erik Kline <e...@google.com>
---
 Documentation/networking/ip-sysctl.txt |  7 +++
 include/linux/ipv6.h   |  1 +
 include/uapi/linux/ipv6.h  |  1 +
 net/ipv6/addrconf.c| 22 +++---
 4 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/Documentation/networking/ip-sysctl.txt 
b/Documentation/networking/ip-sysctl.txt
index f63aeef..1a5ab21b 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1460,6 +1460,13 @@ router_solicitations - INTEGER
routers are present.
Default: 3
 
+use_oif_addrs_only - BOOLEAN
+   When enabled, the candidate source addresses for destinations
+   routed via this interface are restricted to the set of addresses
+   configured on this interface (vis. RFC 6724, section 4).
+
+   Default: false
+
 use_tempaddr - INTEGER
Preference for Privacy Extensions (RFC3041).
  = 0 : disable Privacy Extensions
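Review bot: the added use_oif_addrs_only text says "routed via this interface" but never says what conf/all/use_oif_addrs_only does, while the test added to ipv6_dev_get_saddr() later in this patch reads only idev->cnf of the outgoing device. Document whether the "all" value is consulted at all, so that users do not assume it acts as a global switch.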
diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index 1319a6b..06ed637 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -57,6 +57,7 @@ struct ipv6_devconf {
bool initialized;
struct in6_addr secret;
} stable_secret;
+   __s32   use_oif_addrs_only;
void*sysctl;
 };
 
diff --git a/include/uapi/linux/ipv6.h b/include/uapi/linux/ipv6.h
index 5efa54a..641a146 100644
--- a/include/uapi/linux/ipv6.h
+++ b/include/uapi/linux/ipv6.h
@@ -171,6 +171,7 @@ enum {
DEVCONF_USE_OPTIMISTIC,
DEVCONF_ACCEPT_RA_MTU,
DEVCONF_STABLE_SECRET,
+   DEVCONF_USE_OIF_ADDRS_ONLY,
DEVCONF_MAX
 };
 
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 32153c2..eb0c6a3 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -211,7 +211,8 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
.accept_ra_mtu  = 1,
.stable_secret  = {
.initialized = false,
-   }
+   },
+   .use_oif_addrs_only = 0,
 };
 
 static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = {
@@ -253,6 +254,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly 
= {
.stable_secret  = {
.initialized = false,
},
+   .use_oif_addrs_only = 0,
 };
 
 /* Check if a valid qdisc is available */
@@ -1472,11 +1474,16 @@ int ipv6_dev_get_saddr(struct net *net, const struct 
net_device *dst_dev,
 *include addresses assigned to interfaces
 *belonging to the same site as the outgoing
 *interface.)
+*  - It is RECOMMENDED that the candidate source addresses
+*be the set of unicast addresses assigned to the
+*interface that will be used to send to the destination
+*(the 'outgoing' interface). (RFC 6724)
 */
if (dst_dev) {
+   idev = __in6_dev_get(dst_dev);
if ((dst_type  IPV6_ADDR_MULTICAST) ||
-   dst.scope = IPV6_ADDR_SCOPE_LINKLOCAL) {
-   idev = __in6_dev_get(dst_dev);
+   dst.scope = IPV6_ADDR_SCOPE_LINKLOCAL ||
+   (idev  idev-cnf.use_oif_addrs_only)) {
use_oif_addr = true;
}
}
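Review bot: moving idev = __in6_dev_get(dst_dev) above the if means idev is now set for every non-NULL dst_dev, including the case where use_oif_addr stays false; before this change it was set only together with use_oif_addr = true. Confirm that the code following this block selects the single-interface path on use_oif_addr and not on idev being non-NULL, or use a separate local variable for the sysctl lookup.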
@@ -4607,6 +4614,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf 
*cnf,
array[DEVCONF_ACCEPT_RA_FROM_LOCAL] = cnf-accept_ra_from_local;
array[DEVCONF_ACCEPT_RA_MTU] = cnf-accept_ra_mtu;
/* we omit DEVCONF_STABLE_SECRET for now */
+   array[DEVCONF_USE_OIF_ADDRS_ONLY] = cnf-use_oif_addrs_only;
 }
 
 static inline size_t inet6_ifla6_size(void)
@@ -5606,6 +5614,14 @@ static struct addrconf_sysctl_table
.proc_handler   = addrconf_sysctl_stable_secret,
},
{
+   .procname   = use_oif_addrs_only,
+   .data   = ipv6_devconf.use_oif_addrs_only,
+   .maxlen = sizeof(int),
+   .mode   = 0644,
+   .proc_handler   = proc_dointvec,
+
+   },
+   {
/* sentinel */
}
},
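Review bot: the new table entry is documented as BOOLEAN but uses proc_dointvec, so any integer is stored and the test in ipv6_dev_get_saddr() treats every non-zero value, negative ones included, as enabled. Either document that any non-zero value enables the restriction, or bound the entry to 0 and 1 with proc_dointvec_minmax.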
-- 
2.4.3.573.g4eafbef



[PATCH net-next v4] ipv6: sysctl to restrict candidate source addresses

2015-07-20 Thread Erik Kline
Per RFC 6724, section 4, Candidate Source Addresses:

It is RECOMMENDED that the candidate source addresses be the set
of unicast addresses assigned to the interface that will be used
to send to the destination (the outgoing interface).

Add a sysctl to enable this behaviour.

Signed-off-by: Erik Kline <e...@google.com>
---
 Documentation/networking/ip-sysctl.txt |  7 +++
 include/linux/ipv6.h   |  1 +
 include/uapi/linux/ipv6.h  |  1 +
 net/ipv6/addrconf.c| 22 +++---
 4 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/Documentation/networking/ip-sysctl.txt 
b/Documentation/networking/ip-sysctl.txt
index f63aeef..e710369 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1460,6 +1460,13 @@ router_solicitations - INTEGER
routers are present.
Default: 3
 
+use_oif_addr_only - BOOLEAN
+   When enabled, the candidate source addresses for destinations
+   routed via this interface are restricted to the set of addresses
+   configured on this interface (vis. RFC 6724, section 4).
+
+   Default: false
+
 use_tempaddr - INTEGER
Preference for Privacy Extensions (RFC3041).
  = 0 : disable Privacy Extensions
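Review bot: "vis." in the added use_oif_addr_only text looks like a typo for "viz." or "cf."; "(see RFC 6724, section 4)" would be clearer. The entry also says "the set of addresses configured on this interface" while the RFC sentence quoted in the commit message speaks of unicast addresses, so say "unicast addresses" here as well.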
diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index 1319a6b..28e4837 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -57,6 +57,7 @@ struct ipv6_devconf {
bool initialized;
struct in6_addr secret;
} stable_secret;
+   __s32   use_oif_addr_only;
void*sysctl;
 };
 
diff --git a/include/uapi/linux/ipv6.h b/include/uapi/linux/ipv6.h
index 5efa54a..6fcb256 100644
--- a/include/uapi/linux/ipv6.h
+++ b/include/uapi/linux/ipv6.h
@@ -171,6 +171,7 @@ enum {
DEVCONF_USE_OPTIMISTIC,
DEVCONF_ACCEPT_RA_MTU,
DEVCONF_STABLE_SECRET,
+   DEVCONF_USE_OIF_ADDR_ONLY,
DEVCONF_MAX
 };
 
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 32153c2..ebfb38a 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -211,7 +211,8 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
.accept_ra_mtu  = 1,
.stable_secret  = {
.initialized = false,
-   }
+   },
+   .use_oif_addr_only  = 0,
 };
 
 static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = {
@@ -253,6 +254,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly 
= {
.stable_secret  = {
.initialized = false,
},
+   .use_oif_addr_only  = 0,
 };
 
 /* Check if a valid qdisc is available */
@@ -1472,11 +1474,16 @@ int ipv6_dev_get_saddr(struct net *net, const struct 
net_device *dst_dev,
 *include addresses assigned to interfaces
 *belonging to the same site as the outgoing
 *interface.)
+*  - It is RECOMMENDED that the candidate source addresses
+*be the set of unicast addresses assigned to the
+*interface that will be used to send to the destination
+*(the 'outgoing' interface). (RFC 6724)
 */
if (dst_dev) {
+   idev = __in6_dev_get(dst_dev);
if ((dst_type  IPV6_ADDR_MULTICAST) ||
-   dst.scope = IPV6_ADDR_SCOPE_LINKLOCAL) {
-   idev = __in6_dev_get(dst_dev);
+   dst.scope = IPV6_ADDR_SCOPE_LINKLOCAL ||
+   (idev  idev-cnf.use_oif_addr_only)) {
use_oif_addr = true;
}
}
@@ -4607,6 +4614,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf 
*cnf,
array[DEVCONF_ACCEPT_RA_FROM_LOCAL] = cnf-accept_ra_from_local;
array[DEVCONF_ACCEPT_RA_MTU] = cnf-accept_ra_mtu;
/* we omit DEVCONF_STABLE_SECRET for now */
+   array[DEVCONF_USE_OIF_ADDR_ONLY] = cnf-use_oif_addr_only;
 }
 
 static inline size_t inet6_ifla6_size(void)
@@ -5606,6 +5614,14 @@ static struct addrconf_sysctl_table
.proc_handler   = addrconf_sysctl_stable_secret,
},
{
+   .procname   = use_oif_addr_only,
+   .data   = ipv6_devconf.use_oif_addr_only,
+   .maxlen = sizeof(int),
+   .mode   = 0644,
+   .proc_handler   = proc_dointvec,
+
+   },
+   {
/* sentinel */
}
},
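Review bot: there is an empty added line between .proc_handler and the closing brace of the new use_oif_addr_only entry; drop it so the entry matches its neighbours in the table.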
-- 
2.4.3.573.g4eafbef



Re: [PATCH net-next v4] ipv6: sysctl to restrict candidate source addresses

2015-07-20 Thread Erik Kline
I thought perhaps use_oif_addr_only was a slightly clearer sysctl name.

(Maybe it should be plural, use_oif_addrs_only?)

On 20 July 2015 at 16:04, Erik Kline <e...@google.com> wrote:
 Per RFC 6724, section 4, Candidate Source Addresses:

 It is RECOMMENDED that the candidate source addresses be the set
 of unicast addresses assigned to the interface that will be used
 to send to the destination (the outgoing interface).

 Add a sysctl to enable this behaviour.

 Signed-off-by: Erik Kline e...@google.com
 ---
  Documentation/networking/ip-sysctl.txt |  7 +++
  include/linux/ipv6.h   |  1 +
  include/uapi/linux/ipv6.h  |  1 +
  net/ipv6/addrconf.c| 22 +++---
  4 files changed, 28 insertions(+), 3 deletions(-)

 diff --git a/Documentation/networking/ip-sysctl.txt 
 b/Documentation/networking/ip-sysctl.txt
 index f63aeef..e710369 100644
 --- a/Documentation/networking/ip-sysctl.txt
 +++ b/Documentation/networking/ip-sysctl.txt
 @@ -1460,6 +1460,13 @@ router_solicitations - INTEGER
 routers are present.
 Default: 3

 +use_oif_addr_only - BOOLEAN
 +   When enabled, the candidate source addresses for destinations
 +   routed via this interface are restricted to the set of addresses
 +   configured on this interface (vis. RFC 6724, section 4).
 +
 +   Default: false
 +
  use_tempaddr - INTEGER
 Preference for Privacy Extensions (RFC3041).
   = 0 : disable Privacy Extensions
 diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
 index 1319a6b..28e4837 100644
 --- a/include/linux/ipv6.h
 +++ b/include/linux/ipv6.h
 @@ -57,6 +57,7 @@ struct ipv6_devconf {
 bool initialized;
 struct in6_addr secret;
 } stable_secret;
 +   __s32   use_oif_addr_only;
 void*sysctl;
  };

 diff --git a/include/uapi/linux/ipv6.h b/include/uapi/linux/ipv6.h
 index 5efa54a..6fcb256 100644
 --- a/include/uapi/linux/ipv6.h
 +++ b/include/uapi/linux/ipv6.h
 @@ -171,6 +171,7 @@ enum {
 DEVCONF_USE_OPTIMISTIC,
 DEVCONF_ACCEPT_RA_MTU,
 DEVCONF_STABLE_SECRET,
 +   DEVCONF_USE_OIF_ADDR_ONLY,
 DEVCONF_MAX
  };

 diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
 index 32153c2..ebfb38a 100644
 --- a/net/ipv6/addrconf.c
 +++ b/net/ipv6/addrconf.c
 @@ -211,7 +211,8 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
 .accept_ra_mtu  = 1,
 .stable_secret  = {
 .initialized = false,
 -   }
 +   },
 +   .use_oif_addr_only  = 0,
  };

  static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = {
 @@ -253,6 +254,7 @@ static struct ipv6_devconf ipv6_devconf_dflt 
 __read_mostly = {
 .stable_secret  = {
 .initialized = false,
 },
 +   .use_oif_addr_only  = 0,
  };

  /* Check if a valid qdisc is available */
 @@ -1472,11 +1474,16 @@ int ipv6_dev_get_saddr(struct net *net, const struct 
 net_device *dst_dev,
  *include addresses assigned to interfaces
  *belonging to the same site as the outgoing
  *interface.)
 +*  - It is RECOMMENDED that the candidate source addresses
 +*be the set of unicast addresses assigned to the
 +*interface that will be used to send to the destination
 +*(the 'outgoing' interface). (RFC 6724)
  */
 if (dst_dev) {
 +   idev = __in6_dev_get(dst_dev);
 if ((dst_type  IPV6_ADDR_MULTICAST) ||
 -   dst.scope = IPV6_ADDR_SCOPE_LINKLOCAL) {
 -   idev = __in6_dev_get(dst_dev);
 +   dst.scope = IPV6_ADDR_SCOPE_LINKLOCAL ||
 +   (idev  idev-cnf.use_oif_addr_only)) {
 use_oif_addr = true;
 }
 }
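Review bot: the added idev->cnf.use_oif_addr_only test in this condition reads only the per-interface value, while the sysctl table entry later in this patch points .data at ipv6_devconf.use_oif_addr_only, so a conf/all/use_oif_addr_only file is created whose value is never consulted here. Either OR the global value into this condition or state in ip-sysctl.txt that the "all" entry has no effect, so users do not assume that setting it changes source address selection.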
 @@ -4607,6 +4614,7 @@ static inline void ipv6_store_devconf(struct 
 ipv6_devconf *cnf,
 array[DEVCONF_ACCEPT_RA_FROM_LOCAL] = cnf-accept_ra_from_local;
 array[DEVCONF_ACCEPT_RA_MTU] = cnf-accept_ra_mtu;
 /* we omit DEVCONF_STABLE_SECRET for now */
 +   array[DEVCONF_USE_OIF_ADDR_ONLY] = cnf-use_oif_addr_only;
  }

  static inline size_t inet6_ifla6_size(void)
 @@ -5606,6 +5614,14 @@ static struct addrconf_sysctl_table
 .proc_handler   = addrconf_sysctl_stable_secret,
 },
 {
 +   .procname   = use_oif_addr_only,
 +   .data   = ipv6_devconf.use_oif_addr_only,
 +   .maxlen = sizeof(int),
 +   .mode   = 0644,
 +   .proc_handler   = proc_dointvec,
 +
 +   },
 +   {
 /* sentinel */
 }
 },
 --
 2.4.3.573.g4eafbef

--
To unsubscribe from this list: send the line unsubscribe netdev

[PATCH net-next v3] ipv6: sysctl to restrict candidate source addresses

2015-07-16 Thread Erik Kline
Per RFC 6724, section 4, Candidate Source Addresses:

It is RECOMMENDED that the candidate source addresses be the set
of unicast addresses assigned to the interface that will be used
to send to the destination (the outgoing interface).

Add a sysctl to enable this behaviour.

Signed-off-by: Erik Kline e...@google.com
---
 Documentation/networking/ip-sysctl.txt |  7 +++
 include/linux/ipv6.h   |  1 +
 include/uapi/linux/ipv6.h  |  1 +
 net/ipv6/addrconf.c| 22 +++---
 4 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/Documentation/networking/ip-sysctl.txt 
b/Documentation/networking/ip-sysctl.txt
index f63aeef..27007c5 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1460,6 +1460,13 @@ router_solicitations - INTEGER
routers are present.
Default: 3
 
+use_oif_addr - BOOLEAN
+   When enabled, the candidate source addresses for destinations
+   routed via this interface are restricted to the set of addresses
+   configured on this interface (vis. RFC 6724, section 4).
+
+   Default: false
+
 use_tempaddr - INTEGER
Preference for Privacy Extensions (RFC3041).
  = 0 : disable Privacy Extensions
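Review bot: use_oif_addr is documented as BOOLEAN with "Default: false", but the field this patch adds is an __s32 initialised to 0, and the neighbouring use_tempaddr entry spells out its numeric values. State the values a user actually writes (0 disables, non-zero enables) so the text matches what the sysctl accepts. "vis." is also not a standard abbreviation; "see" or "cf." would be clearer.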
diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index 1319a6b..190b22b 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -57,6 +57,7 @@ struct ipv6_devconf {
bool initialized;
struct in6_addr secret;
} stable_secret;
+   __s32   use_oif_addr;
void*sysctl;
 };
 
diff --git a/include/uapi/linux/ipv6.h b/include/uapi/linux/ipv6.h
index 5efa54a..cf9d65a 100644
--- a/include/uapi/linux/ipv6.h
+++ b/include/uapi/linux/ipv6.h
@@ -171,6 +171,7 @@ enum {
DEVCONF_USE_OPTIMISTIC,
DEVCONF_ACCEPT_RA_MTU,
DEVCONF_STABLE_SECRET,
+   DEVCONF_USE_OIF_ADDR,
DEVCONF_MAX
 };
 
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 4c9a024..a7c49bb 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -211,7 +211,8 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
.accept_ra_mtu  = 1,
.stable_secret  = {
.initialized = false,
-   }
+   },
+   .use_oif_addr   = 0,
 };
 
 static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = {
@@ -253,6 +254,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly 
= {
.stable_secret  = {
.initialized = false,
},
+   .use_oif_addr   = 0,
 };
 
 /* Check if a valid qdisc is available */
@@ -1474,11 +1476,16 @@ int ipv6_dev_get_saddr(struct net *net, const struct 
net_device *dst_dev,
 *include addresses assigned to interfaces
 *belonging to the same site as the outgoing
 *interface.)
+*  - It is RECOMMENDED that the candidate source addresses
+*be the set of unicast addresses assigned to the
+*interface that will be used to send to the destination
+*(the 'outgoing' interface). (RFC 6724)
 */
if (dst_dev) {
+   idev = __in6_dev_get(dst_dev);
if ((dst_type  IPV6_ADDR_MULTICAST) ||
-   dst.scope = IPV6_ADDR_SCOPE_LINKLOCAL) {
-   idev = __in6_dev_get(dst_dev);
+   dst.scope = IPV6_ADDR_SCOPE_LINKLOCAL ||
+   (idev  idev-cnf.use_oif_addr)) {
use_oif_addr = true;
}
}
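Review bot: the new comment bullet quotes the RFC 6724 recommendation as if it were always applied, but the condition below it honours the recommendation only when idev->cnf.use_oif_addr is set. Say so in the comment, for example "(applied only when the use_oif_addr sysctl is enabled on the outgoing interface)". The local bool use_oif_addr and the new cnf.use_oif_addr field also share a name while meaning different things, which makes the condition harder to read.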
@@ -4609,6 +4616,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf 
*cnf,
array[DEVCONF_ACCEPT_RA_FROM_LOCAL] = cnf-accept_ra_from_local;
array[DEVCONF_ACCEPT_RA_MTU] = cnf-accept_ra_mtu;
/* we omit DEVCONF_STABLE_SECRET for now */
+   array[DEVCONF_USE_OIF_ADDR] = cnf-use_oif_addr;
 }
 
 static inline size_t inet6_ifla6_size(void)
@@ -5608,6 +5616,14 @@ static struct addrconf_sysctl_table
.proc_handler   = addrconf_sysctl_stable_secret,
},
{
+   .procname   = use_oif_addr,
+   .data   = ipv6_devconf.use_oif_addr,
+   .maxlen = sizeof(int),
+   .mode   = 0644,
+   .proc_handler   = proc_dointvec,
+
+   },
+   {
/* sentinel */
}
},
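Review bot: the new table entry leaves a stray empty line before its closing brace, and it uses proc_dointvec, so any integer, negative values included, is accepted for a knob documented as BOOLEAN. Drop the empty line and consider proc_dointvec_minmax with extra1/extra2 bounding the value to 0..1.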
-- 
2.4.3.573.g4eafbef



Re: [PATCH] ipv6: Fix finding best source address in ipv6_dev_get_saddr().

2015-07-15 Thread Erik Kline
All my tests pass with this applied to net-next/master.

Many thanks!

Acked-by: Erik Kline e...@google.com

On 13 July 2015 at 23:28, YOSHIFUJI Hideaki/吉藤英明
hideaki.yoshif...@miraclelinux.com wrote:
 Commit 9131f3de2 (ipv6: Do not iterate over all interfaces when
 finding source address on specific interface.) did not properly
 update best source address available.  Plus, it introduced
 possible NULL pointer dereference.

 Bug was reported by Erik Kline e...@google.com.
 Based on patch proposed by Hajime Tazaki thehaj...@gmail.com.

 Fixes: 9131f3de24db4dc12199aede7d931e6703e97f3b (ipv6: Do not
 iterate over all interfaces when finding source address
 on specific interface.)
 Signed-off-by: YOSHIFUJI Hideaki hideaki.yoshif...@miraclelinux.com
 ---
  net/ipv6/addrconf.c | 30 ++
  1 file changed, 18 insertions(+), 12 deletions(-)

 diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
 index 4ab74d5..4c9a024 100644
 --- a/net/ipv6/addrconf.c
 +++ b/net/ipv6/addrconf.c
 @@ -1358,14 +1358,15 @@ out:
 return ret;
  }

 -static void __ipv6_dev_get_saddr(struct net *net,
 -struct ipv6_saddr_dst *dst,
 -unsigned int prefs,
 -const struct in6_addr *saddr,
 -struct inet6_dev *idev,
 -struct ipv6_saddr_score *scores)
 +static int __ipv6_dev_get_saddr(struct net *net,
 +   struct ipv6_saddr_dst *dst,
 +   unsigned int prefs,
 +   const struct in6_addr *saddr,
 +   struct inet6_dev *idev,
 +   struct ipv6_saddr_score *scores,
 +   int hiscore_idx)
  {
 -   struct ipv6_saddr_score *score = scores[0], *hiscore = scores[1];
 +   struct ipv6_saddr_score *score = scores[1 - hiscore_idx], *hiscore = 
 scores[hiscore_idx];

 read_lock_bh(idev-lock);
 list_for_each_entry(score-ifa, idev-addr_list, if_list) {
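Review bot: __ipv6_dev_get_saddr() now takes and returns hiscore_idx, but nothing at the signature states the contract: that the value must be 0 or 1, that scores[hiscore_idx] holds the best candidate so far, and that the caller must store the return value. A short comment above the function would make that explicit. The combined score/hiscore declaration also runs past 80 columns; splitting it into two declarations fixes that.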
 @@ -1424,6 +1425,7 @@ static void __ipv6_dev_get_saddr(struct net *net,
 in6_ifa_hold(score-ifa);

 swap(hiscore, score);
 +   hiscore_idx = 1 - hiscore_idx;

 /* restore our iterator */
 score-ifa = hiscore-ifa;
 @@ -1434,18 +1436,20 @@ static void __ipv6_dev_get_saddr(struct net *net,
 }
  out:
 read_unlock_bh(idev-lock);
 +   return hiscore_idx;
  }

  int ipv6_dev_get_saddr(struct net *net, const struct net_device *dst_dev,
const struct in6_addr *daddr, unsigned int prefs,
struct in6_addr *saddr)
  {
 -   struct ipv6_saddr_score scores[2], *hiscore = scores[1];
 +   struct ipv6_saddr_score scores[2], *hiscore;
 struct ipv6_saddr_dst dst;
 struct inet6_dev *idev;
 struct net_device *dev;
 int dst_type;
 bool use_oif_addr = false;
 +   int hiscore_idx = 0;

 dst_type = __ipv6_addr_type(daddr);
 dst.addr = daddr;
 @@ -1454,8 +1458,8 @@ int ipv6_dev_get_saddr(struct net *net, const struct 
 net_device *dst_dev,
 dst.label = ipv6_addr_label(net, daddr, dst_type, dst.ifindex);
 dst.prefs = prefs;

 -   hiscore-rule = -1;
 -   hiscore-ifa = NULL;
 +   scores[hiscore_idx].rule = -1;
 +   scores[hiscore_idx].ifa = NULL;

 rcu_read_lock();

 @@ -1480,17 +1484,19 @@ int ipv6_dev_get_saddr(struct net *net, const struct 
 net_device *dst_dev,
 }

 if (use_oif_addr) {
 -   __ipv6_dev_get_saddr(net, dst, prefs, saddr, idev, scores);
 +   if (idev)
 +   hiscore_idx = __ipv6_dev_get_saddr(net, dst, prefs, 
 saddr, idev, scores, hiscore_idx);
 } else {
 for_each_netdev_rcu(net, dev) {
 idev = __in6_dev_get(dev);
 if (!idev)
 continue;
 -   __ipv6_dev_get_saddr(net, dst, prefs, saddr, idev, 
 scores);
 +   hiscore_idx = __ipv6_dev_get_saddr(net, dst, prefs, 
 saddr, idev, scores, hiscore_idx);
 }
 }
 rcu_read_unlock();

 +   hiscore = scores[hiscore_idx];
 if (!hiscore-ifa)
 return -EADDRNOTAVAIL;

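Review bot: with the new "if (idev)" guard, a use_oif_addr lookup on a device that has no inet6_dev skips scoring entirely and falls through to the !hiscore->ifa check, returning -EADDRNOTAVAIL. That closes the NULL dereference, but the outcome is implicit; a one-line comment at the guard would record that the error return is intended rather than a fallback to scanning all devices. Both __ipv6_dev_get_saddr() call lines also run past 80 columns.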
 --
 1.9.1



Re: [PATCH] ipv6: Fix finding best source address in ipv6_dev_get_saddr().

2015-07-15 Thread Erik Kline
And I now have a use_oif_addr sysctl patch that, on top of this one,
passes all my tests.

On 15 July 2015 at 18:15, Erik Kline e...@google.com wrote:
 All my tests pass with this applied to net-next/master.

 Many thanks!

 Acked-by: Erik Kline e...@google.com

 On 13 July 2015 at 23:28, YOSHIFUJI Hideaki/吉藤英明
 hideaki.yoshif...@miraclelinux.com wrote:
 Commit 9131f3de2 (ipv6: Do not iterate over all interfaces when
 finding source address on specific interface.) did not properly
 update best source address available.  Plus, it introduced
 possible NULL pointer dereference.

 Bug was reported by Erik Kline e...@google.com.
 Based on patch proposed by Hajime Tazaki thehaj...@gmail.com.

 Fixes: 9131f3de24db4dc12199aede7d931e6703e97f3b (ipv6: Do not
 iterate over all interfaces when finding source address
 on specific interface.)
 Signed-off-by: YOSHIFUJI Hideaki hideaki.yoshif...@miraclelinux.com
 ---
  net/ipv6/addrconf.c | 30 ++
  1 file changed, 18 insertions(+), 12 deletions(-)

 diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
 index 4ab74d5..4c9a024 100644
 --- a/net/ipv6/addrconf.c
 +++ b/net/ipv6/addrconf.c
 @@ -1358,14 +1358,15 @@ out:
 return ret;
  }

 -static void __ipv6_dev_get_saddr(struct net *net,
 -struct ipv6_saddr_dst *dst,
 -unsigned int prefs,
 -const struct in6_addr *saddr,
 -struct inet6_dev *idev,
 -struct ipv6_saddr_score *scores)
 +static int __ipv6_dev_get_saddr(struct net *net,
 +   struct ipv6_saddr_dst *dst,
 +   unsigned int prefs,
 +   const struct in6_addr *saddr,
 +   struct inet6_dev *idev,
 +   struct ipv6_saddr_score *scores,
 +   int hiscore_idx)
  {
 -   struct ipv6_saddr_score *score = scores[0], *hiscore = scores[1];
 +   struct ipv6_saddr_score *score = scores[1 - hiscore_idx], *hiscore 
 = scores[hiscore_idx];

 read_lock_bh(idev-lock);
 list_for_each_entry(score-ifa, idev-addr_list, if_list) {
 @@ -1424,6 +1425,7 @@ static void __ipv6_dev_get_saddr(struct net *net,
 in6_ifa_hold(score-ifa);

 swap(hiscore, score);
 +   hiscore_idx = 1 - hiscore_idx;

 /* restore our iterator */
 score-ifa = hiscore-ifa;
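Review bot: after swap(hiscore, score), hiscore_idx is flipped by hand so that the index and the two pointers stay in step; a later change that swaps without flipping, or the reverse, would silently hand the wrong slot back to the caller. Consider keeping only the index as state and deriving score and hiscore from it, or at least add a comment tying the two lines together.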
 @@ -1434,18 +1436,20 @@ static void __ipv6_dev_get_saddr(struct net *net,
 }
  out:
 read_unlock_bh(idev-lock);
 +   return hiscore_idx;
  }

  int ipv6_dev_get_saddr(struct net *net, const struct net_device *dst_dev,
const struct in6_addr *daddr, unsigned int prefs,
struct in6_addr *saddr)
  {
 -   struct ipv6_saddr_score scores[2], *hiscore = scores[1];
 +   struct ipv6_saddr_score scores[2], *hiscore;
 struct ipv6_saddr_dst dst;
 struct inet6_dev *idev;
 struct net_device *dev;
 int dst_type;
 bool use_oif_addr = false;
 +   int hiscore_idx = 0;

 dst_type = __ipv6_addr_type(daddr);
 dst.addr = daddr;
 @@ -1454,8 +1458,8 @@ int ipv6_dev_get_saddr(struct net *net, const struct 
 net_device *dst_dev,
 dst.label = ipv6_addr_label(net, daddr, dst_type, dst.ifindex);
 dst.prefs = prefs;

 -   hiscore-rule = -1;
 -   hiscore-ifa = NULL;
 +   scores[hiscore_idx].rule = -1;
 +   scores[hiscore_idx].ifa = NULL;

 rcu_read_lock();

 @@ -1480,17 +1484,19 @@ int ipv6_dev_get_saddr(struct net *net, const struct 
 net_device *dst_dev,
 }

 if (use_oif_addr) {
 -   __ipv6_dev_get_saddr(net, dst, prefs, saddr, idev, scores);
 +   if (idev)
 +   hiscore_idx = __ipv6_dev_get_saddr(net, dst, prefs, 
 saddr, idev, scores, hiscore_idx);
 } else {
 for_each_netdev_rcu(net, dev) {
 idev = __in6_dev_get(dev);
 if (!idev)
 continue;
 -   __ipv6_dev_get_saddr(net, dst, prefs, saddr, idev, 
 scores);
 +   hiscore_idx = __ipv6_dev_get_saddr(net, dst, prefs, 
 saddr, idev, scores, hiscore_idx);
 }
 }
 rcu_read_unlock();

 +   hiscore = scores[hiscore_idx];
 if (!hiscore-ifa)
 return -EADDRNOTAVAIL;

 --
 1.9.1



Re: [PATCH net-next v2] ipv6: Do not iterate over all interfaces when finding source address on specific interface.

2015-07-13 Thread Erik Kline
On 13 July 2015 at 15:32, YOSHIFUJI Hideaki
<hideaki.yoshif...@miraclelinux.com> wrote:
> Hi,
>
> Erik Kline wrote:
> > Hmm, when I run a UML linux with this patch (which, I'm ashamed to
> > say, I failed to do before) I get these kinds of errors:
> >
> > unregister_netdevice: waiting for TAPdevice to become free.
> > Usage count = 1
> > unregister_netdevice: waiting for TAPdevice to become free.
> > Usage count = 1
> >
> > Perhaps they're unrelated... I'm still investigating.
>
> Would you test attached patch please?

That does look logically correct, so +1 to it regardless, but it does
not seem to have fixed the issue I'm seeing.

I still haven't produced the smallest possible demo test program.


Re: [PATCH net-next v2] ipv6: Do not iterate over all interfaces when finding source address on specific interface.

2015-07-11 Thread Erik Kline
Hmm, when I run a UML linux with this patch (which, I'm ashamed to
say, I failed to do before) I get these kinds of errors:

unregister_netdevice: waiting for TAPdevice to become free.
Usage count = 1
unregister_netdevice: waiting for TAPdevice to become free.
Usage count = 1

Perhaps they're unrelated... I'm still investigating.

On 11 July 2015 at 15:19, David Miller da...@davemloft.net wrote:
 From: YOSHIFUJI Hideaki/吉藤英明 hideaki.yoshif...@miraclelinux.com
 Date: Fri, 10 Jul 2015 16:58:31 +0900

 If outgoing interface is specified and the candidate address is
 restricted to the outgoing interface, it is enough to iterate
 over that given interface only.

 Signed-off-by: YOSHIFUJI Hideaki hideaki.yoshif...@miraclelinux.com
 Acked-by: Erik Kline e...@google.com

 Applied, thanks!


Re: [PATCH net-next] ipv6: Do not iterate over all interfaces when finding source address on specific interface.

2015-07-10 Thread Erik Kline
.
 -*/
 -   goto try_nextdev;
 -   }
 -   break;
 -   } else if (minihiscore  miniscore) {
 -   if (hiscore-ifa)
 -   in6_ifa_put(hiscore-ifa);
 -
 -   in6_ifa_hold(score-ifa);
 -
 -   swap(hiscore, score);
 -
 -   /* restore our iterator */
 -   score-ifa = hiscore-ifa;
 -
 -   break;
 -   }
 -   }
 +   __ipv6_dev_get_saddr(net, dst, prefs, saddr, idev, 
 scores);
 }
 -try_nextdev:
 -   read_unlock_bh(idev-lock);
 }
 rcu_read_unlock();

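Review bot: the removed loop body ended with swap(hiscore, score) acting on ipv6_dev_get_saddr()'s own pointers, while the replacement call to __ipv6_dev_get_saddr() is given only scores and returns nothing. If the helper swaps its local score and hiscore pointers, the caller cannot tell afterwards which element of scores holds the best address. Please show how the result gets back to the caller, for example by returning the winning index.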
 --
 1.9.1


LGTM, and thanks again.

Acked-by: Erik Kline e...@google.com


Re: [PATCH net-next v2] ipv6: sysctl to restrict candidate source addresses

2015-07-08 Thread Erik Kline
> I really would like to come up with a sane works-always behavior for
> this, but besides doing a retry on the complete source address selection
> algorithm I currently cannot come up with an idea.
>
> Maybe we can tweak saddr_eval a bit.

I think it all comes down to this: source address selection really
doesn't know anything about routing that could help it make a better
evaluation.

Reading the RFCs that seems to be by design, or at the very least
there is a kind of implied flat-ish routing table at work, which the
algorithm works around by having various "prefer same interface" type
of rules. So, after the routing lookup to determine outgoing interface
it's just looking at all the addresses on all the interfaces.  There
is no checking of any of the multiple possible routing tables, in part
because there just isn't all the right information available.

So, I figured the safe thing to do would be to not change existing
default behaviour but just introduce a knob to at least make it
possible to get the RFC recommended behaviour.

---

Re: not having a source address or returning a link-local source for a
global destination:  I think that's perfectly ok, if the knob is set.
Frequently the source address will just be tossed into a salad bowl of
(src, dst) pairs returned from DNS and 3484/6724 sorting will then
help pick a more globally optimum (src, dst) to work with.
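
A userspace model of the candidate-set restriction discussed in this message, added here as an example; it is not kernel code and not code from the thread. It applies only RFC 6724 rule 2 (appropriate scope) and rule 5 (prefer outgoing interface) to a constructed host, and the names model_addr, host_addrs and model_select_source are assumptions made for the illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not kernel code: one address assigned to one interface. */
struct model_addr {
    int ifindex;
    const char *text;
};

/* Constructed host: eth0 (ifindex 1) has a global and a link-local address,
 * wlan0 (ifindex 2) has only a link-local one, ifindex 3 has none. */
static const struct model_addr host_addrs[] = {
    { 1, "2001:db8:1::10" },
    { 1, "fe80::1" },
    { 2, "fe80::2" },
};
#define HOST_NADDRS (sizeof(host_addrs) / sizeof(host_addrs[0]))

/* Scope values as in RFC 4291/6724: 0x2 link-local, 0xe global. */
static int addr_scope(const struct in6_addr *a)
{
    if (IN6_IS_ADDR_MULTICAST(a))
        return a->s6_addr[1] & 0x0f;
    if (IN6_IS_ADDR_LINKLOCAL(a) || IN6_IS_ADDR_LOOPBACK(a))
        return 0x2;
    return 0xe;
}

/* > 0 if candidate A beats candidate B, < 0 if B beats A, 0 if tied. */
static int prefer(int scope_a, int if_a, int scope_b, int if_b,
                  int scope_d, int oif)
{
    /* Rule 2: prefer appropriate scope. */
    if (scope_a < scope_b)
        return scope_a < scope_d ? -1 : 1;
    if (scope_b < scope_a)
        return scope_b < scope_d ? 1 : -1;
    /* Rule 5: prefer an address on the outgoing interface. */
    if ((if_a == oif) != (if_b == oif))
        return if_a == oif ? 1 : -1;
    return 0;
}

/* Returns the index of the chosen source in addrs[], or -1 when the candidate
 * set is empty (the kernel would return -EADDRNOTAVAIL). */
int model_select_source(const char *dst_text, int oif, bool use_oif_addr,
                        const struct model_addr *addrs, size_t n)
{
    struct in6_addr dst, src;
    int best = -1, best_scope = 0, scope_d;
    bool oif_only;
    size_t i;

    if (inet_pton(AF_INET6, dst_text, &dst) != 1)
        return -1;
    scope_d = addr_scope(&dst);
    /* Multicast and link-local destinations always restrict the candidates
     * to the outgoing interface; the sysctl extends that to every destination. */
    oif_only = IN6_IS_ADDR_MULTICAST(&dst) || scope_d <= 0x2 || use_oif_addr;

    for (i = 0; i < n; i++) {
        int scope_s;

        if (oif_only && addrs[i].ifindex != oif)
            continue;
        if (inet_pton(AF_INET6, addrs[i].text, &src) != 1)
            continue;
        scope_s = addr_scope(&src);
        if (best < 0 || prefer(scope_s, addrs[i].ifindex, best_scope,
                               addrs[best].ifindex, scope_d, oif) > 0) {
            best = (int)i;
            best_scope = scope_s;
        }
    }
    return best;
}

int main(void)
{
    const char *dst = "2001:db8:ffff::1";   /* constructed global destination */
    int off = model_select_source(dst, 2, false, host_addrs, HOST_NADDRS);
    int on = model_select_source(dst, 2, true, host_addrs, HOST_NADDRS);
    int none = model_select_source(dst, 3, true, host_addrs, HOST_NADDRS);

    printf("knob off, via wlan0: %s\n", off < 0 ? "(none)" : host_addrs[off].text);
    printf("knob on,  via wlan0: %s\n", on < 0 ? "(none)" : host_addrs[on].text);
    printf("knob on,  via if 3:  %s\n", none < 0 ? "(none)" : host_addrs[none].text);
    return 0;
}
```

With the knob off the model picks eth0's global address for traffic leaving via wlan0; with it on, it picks wlan0's link-local address, and on an interface with no addresses it reports no source.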


[PATCH net-next v2] ipv6: sysctl to restrict candidate source addresses

2015-07-05 Thread Erik Kline
Per RFC 6724, section 4, Candidate Source Addresses:

It is RECOMMENDED that the candidate source addresses be the set
of unicast addresses assigned to the interface that will be used
to send to the destination (the outgoing interface).

Add a sysctl to enable this behaviour.

Signed-off-by: Erik Kline e...@google.com
---
 Documentation/networking/ip-sysctl.txt |  7 +++
 include/linux/ipv6.h   |  1 +
 include/uapi/linux/ipv6.h  |  1 +
 net/ipv6/addrconf.c| 30 +-
 4 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/Documentation/networking/ip-sysctl.txt 
b/Documentation/networking/ip-sysctl.txt
index 5fae770..c3bf04d 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1455,6 +1455,13 @@ router_solicitations - INTEGER
routers are present.
Default: 3
 
+use_oif_addr - BOOLEAN
+   When enabled, the candidate source addresses for destinations
+   routed via this interface are restricted to the set of addresses
+   configured on this interface (vis. RFC 6724, section 4).
+
+   Default: false
+
 use_tempaddr - INTEGER
Preference for Privacy Extensions (RFC3041).
  = 0 : disable Privacy Extensions
diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index 82806c6..4633c88 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -57,6 +57,7 @@ struct ipv6_devconf {
bool initialized;
struct in6_addr secret;
} stable_secret;
+   __s32   use_oif_addr;
void*sysctl;
 };
 
diff --git a/include/uapi/linux/ipv6.h b/include/uapi/linux/ipv6.h
index 5efa54a..cf9d65a 100644
--- a/include/uapi/linux/ipv6.h
+++ b/include/uapi/linux/ipv6.h
@@ -171,6 +171,7 @@ enum {
DEVCONF_USE_OPTIMISTIC,
DEVCONF_ACCEPT_RA_MTU,
DEVCONF_STABLE_SECRET,
+   DEVCONF_USE_OIF_ADDR,
DEVCONF_MAX
 };
 
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 21c2c81..a43687d 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -211,7 +211,8 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
.accept_ra_mtu  = 1,
.stable_secret  = {
.initialized = false,
-   }
+   },
+   .use_oif_addr   = 0,
 };
 
 static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = {
@@ -253,6 +254,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly 
= {
.stable_secret  = {
.initialized = false,
},
+   .use_oif_addr   = 0,
 };
 
 /* Check if a valid qdisc is available */
@@ -1366,7 +1368,8 @@ int ipv6_dev_get_saddr(struct net *net, const struct 
net_device *dst_dev,
*score = scores[0], *hiscore = scores[1];
struct ipv6_saddr_dst dst;
struct net_device *dev;
-   int dst_type;
+   struct inet6_dev *idev;
+   int dst_type, use_oif_addr = 0;
 
dst_type = __ipv6_addr_type(daddr);
dst.addr = daddr;
@@ -1380,9 +1383,12 @@ int ipv6_dev_get_saddr(struct net *net, const struct 
net_device *dst_dev,
 
rcu_read_lock();
 
-   for_each_netdev_rcu(net, dev) {
-   struct inet6_dev *idev;
+   if (dst_dev) {
+   idev = __in6_dev_get(dst_dev);
+   use_oif_addr = (idev) ? idev-cnf.use_oif_addr : 0;
+   }
 
+   for_each_netdev_rcu(net, dev) {
/* Candidate Source Address (section 4)
 *  - multicast and link-local destination address,
 *the set of candidate source address MUST only
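Review bot: use_oif_addr is read once from dst_dev before the loop, yet for_each_netdev_rcu() still walks every device and relies on the ifindex test further down to skip all but one. When the flag is set the outgoing interface is already known, so its address list could be scored directly without the walk.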
@@ -1394,9 +1400,14 @@ int ipv6_dev_get_saddr(struct net *net, const struct 
net_device *dst_dev,
 *include addresses assigned to interfaces
 *belonging to the same site as the outgoing
 *interface.)
+*  - It is RECOMMENDED that the candidate source addresses
+*be the set of unicast addresses assigned to the
+*interface that will be used to send to the destination
+*(the 'outgoing' interface). (RFC 6724)
 */
if (((dst_type  IPV6_ADDR_MULTICAST) ||
-dst.scope = IPV6_ADDR_SCOPE_LINKLOCAL) 
+dst.scope = IPV6_ADDR_SCOPE_LINKLOCAL ||
+use_oif_addr) 
dst.ifindex  dev-ifindex != dst.ifindex)
continue;
 
@@ -4586,6 +4597,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf 
*cnf,
array[DEVCONF_ACCEPT_RA_FROM_LOCAL] = cnf-accept_ra_from_local;
array[DEVCONF_ACCEPT_RA_MTU] = cnf-accept_ra_mtu;
/* we omit DEVCONF_STABLE_SECRET for now */
+   array[DEVCONF_USE_OIF_ADDR] = cnf-use_oif_addr;
 }
 
 static inline size_t inet6_ifla6_size(void)
@@ -5585,6 +5597,14 @@ static struct

Re: [PATCH net-next] ipv6: sysctl to restrict candidate source addresses

2015-07-05 Thread Erik Kline
Reworked with use_oif_addr.

Thanks,
-Erik

On 3 July 2015 at 16:03, YOSHIFUJI Hideaki
hideaki.yoshif...@miraclelinux.com wrote:
 Hi,

 Erik Kline wrote:
 Per RFC 6724, section 4, Candidate Source Addresses:

 It is RECOMMENDED that the candidate source addresses be the set
 of unicast addresses assigned to the interface that will be used
 to send to the destination (the outgoing interface).

 Add a sysctl to enable this behaviour.

 Signed-off-by: Erik Kline e...@google.com
 ---
  Documentation/networking/ip-sysctl.txt | 12 
  include/linux/ipv6.h   |  1 +
  include/uapi/linux/ipv6.h  |  1 +
  net/ipv6/addrconf.c| 30 +-
  4 files changed, 39 insertions(+), 5 deletions(-)

 diff --git a/Documentation/networking/ip-sysctl.txt 
 b/Documentation/networking/ip-sysctl.txt
 index 5fae770..d8f3e60 100644
 --- a/Documentation/networking/ip-sysctl.txt
 +++ b/Documentation/networking/ip-sysctl.txt
 @@ -1435,6 +1435,18 @@ mtu - INTEGER
   Default Maximum Transfer Unit
   Default: 1280 (IPv6 required minimum)

 +restrict_srcaddr - INTEGER
 + Restrict candidate source addresses (vis. RFC 6724, section 4).
 +
 + When set to 1, the candidate source addresses for destinations
 + routed via this interface are restricted to the set of addresses
 + configured on this interface.
 +
 + Possible values are:
 + 0 : no source address restrictions
 + 1 : require matching outgoing interface
 + Default:  0
 +

 I cannot get what restrict restricts.  How about use_oif_addr or
 something like that (like use_tempaddr)?

 --
 Hideaki Yoshifuji hideaki.yoshif...@miraclelinux.com
 Technical Division, MIRACLE LINUX CORPORATION


[PATCH net-next] ipv6: sysctl to restrict candidate source addresses

2015-07-02 Thread Erik Kline
Per RFC 6724, section 4, Candidate Source Addresses:

It is RECOMMENDED that the candidate source addresses be the set
of unicast addresses assigned to the interface that will be used
to send to the destination (the outgoing interface).

Add a sysctl to enable this behaviour.

Signed-off-by: Erik Kline e...@google.com
---
 Documentation/networking/ip-sysctl.txt | 12 
 include/linux/ipv6.h   |  1 +
 include/uapi/linux/ipv6.h  |  1 +
 net/ipv6/addrconf.c| 30 +-
 4 files changed, 39 insertions(+), 5 deletions(-)

diff --git a/Documentation/networking/ip-sysctl.txt 
b/Documentation/networking/ip-sysctl.txt
index 5fae770..d8f3e60 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -1435,6 +1435,18 @@ mtu - INTEGER
Default Maximum Transfer Unit
Default: 1280 (IPv6 required minimum)
 
+restrict_srcaddr - INTEGER
+   Restrict candidate source addresses (vis. RFC 6724, section 4).
+
+   When set to 1, the candidate source addresses for destinations
+   routed via this interface are restricted to the set of addresses
+   configured on this interface.
+
+   Possible values are:
+   0 : no source address restrictions
+   1 : require matching outgoing interface
+   Default:  0
+
 router_probe_interval - INTEGER
Minimum interval (in seconds) between Router Probing described
in RFC4191.
diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index 82806c6..6867d1f 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -57,6 +57,7 @@ struct ipv6_devconf {
bool initialized;
struct in6_addr secret;
} stable_secret;
+   __s32   restrict_srcaddr;
void*sysctl;
 };
 
diff --git a/include/uapi/linux/ipv6.h b/include/uapi/linux/ipv6.h
index 5efa54a..b174758 100644
--- a/include/uapi/linux/ipv6.h
+++ b/include/uapi/linux/ipv6.h
@@ -171,6 +171,7 @@ enum {
DEVCONF_USE_OPTIMISTIC,
DEVCONF_ACCEPT_RA_MTU,
DEVCONF_STABLE_SECRET,
+   DEVCONF_RESTRICT_SRCADDR,
DEVCONF_MAX
 };
 
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index 21c2c81..f72c974 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -211,7 +211,8 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
.accept_ra_mtu  = 1,
.stable_secret  = {
.initialized = false,
-   }
+   },
+   .restrict_srcaddr   = 0,
 };
 
 static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = {
@@ -253,6 +254,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly 
= {
.stable_secret  = {
.initialized = false,
},
+   .restrict_srcaddr   = 0,
 };
 
 /* Check if a valid qdisc is available */
@@ -1366,7 +1368,8 @@ int ipv6_dev_get_saddr(struct net *net, const struct 
net_device *dst_dev,
*score = scores[0], *hiscore = scores[1];
struct ipv6_saddr_dst dst;
struct net_device *dev;
-   int dst_type;
+   struct inet6_dev *idev;
+   int dst_type, restrict_srcaddr = 0;
 
dst_type = __ipv6_addr_type(daddr);
dst.addr = daddr;
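Review bot: restrict_srcaddr is declared as an int on the same line as dst_type, although it is only ever tested for truth. Declaring it as a bool on its own line ("bool restrict_srcaddr = false;") matches how it is used and keeps one declaration per line.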
@@ -1380,9 +1383,12 @@ int ipv6_dev_get_saddr(struct net *net, const struct 
net_device *dst_dev,
 
rcu_read_lock();
 
-   for_each_netdev_rcu(net, dev) {
-   struct inet6_dev *idev;
+   if (dst_dev) {
+   idev = __in6_dev_get(dst_dev);
+   restrict_srcaddr = (idev) ? idev-cnf.restrict_srcaddr : 0;
+   }
 
+   for_each_netdev_rcu(net, dev) {
/* Candidate Source Address (section 4)
 *  - multicast and link-local destination address,
 *the set of candidate source address MUST only
@@ -1394,9 +1400,14 @@ int ipv6_dev_get_saddr(struct net *net, const struct 
net_device *dst_dev,
 *include addresses assigned to interfaces
 *belonging to the same site as the outgoing
 *interface.)
+*  - It is RECOMMENDED that the candidate source addresses
+*be the set of unicast addresses assigned to the
+*interface that will be used to send to the destination
+*(the 'outgoing' interface). (RFC 6724)
 */
if (((dst_type  IPV6_ADDR_MULTICAST) ||
-dst.scope = IPV6_ADDR_SCOPE_LINKLOCAL) 
+dst.scope = IPV6_ADDR_SCOPE_LINKLOCAL ||
+restrict_srcaddr) 
dst.ifindex  dev-ifindex != dst.ifindex)
continue;
 
@@ -4586,6 +4597,7 @@ static inline void ipv6_store_devconf(struct ipv6_devconf 
*cnf,
array[DEVCONF_ACCEPT_RA_FROM_LOCAL] = cnf-accept_ra_from_local;
array

Re: [PATCH net-next] Better handling of transition to NUD_PROBE state

2015-05-21 Thread Erik Kline
> Please, in the future, put a proper subsystem prefix in the Subject
> line of your patch submissions.  In this particular case "neigh: "
> would have been appropriate and is what I added when applying your
> patch.

My apologies.

> Applied, thanks.

Appreciated.
-ek