Patch "ipv6: fix 'disable_policy' for fwd packets" has been added to the 5.13-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 25 Jul 2021 22:42:41 -0400

This is a note to let you know that I've just added the patch titled

    ipv6: fix 'disable_policy' for fwd packets

to the 5.13-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     ipv6-fix-disable_policy-for-fwd-packets.patch
and it can be found in the queue-5.13 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit e0622e1971e0b3143e7ab8fc9653379d16fd981a
Author: Nicolas Dichtel <nicolas.dichtel@xxxxxxxxx>
Date:   Tue Jul 6 11:13:35 2021 +0200

    ipv6: fix 'disable_policy' for fwd packets
    
    [ Upstream commit ccd27f05ae7b8ebc40af5b004e94517a919aa862 ]
    
    The goal of commit df789fe75206 ("ipv6: Provide ipv6 version of
    "disable_policy" sysctl") was to have the disable_policy from ipv4
    available on ipv6.
    However, it's not exactly the same mechanism. On IPv4, all packets coming
    from an interface, which has disable_policy set, bypass the policy check.
    For ipv6, this is done only for local packets, ie for packets destinated to
    an address configured on the incoming interface.
    
    Let's align ipv6 with ipv4 so that the 'disable_policy' sysctl has the same
    effect for both protocols.
    
    My first approach was to create a new kind of route cache entries, to be
    able to set DST_NOPOLICY without modifying routes. This would have added a
    lot of code. Because the local delivery path is already handled, I choose
    to focus on the forwarding path to minimize code churn.
    
    Fixes: df789fe75206 ("ipv6: Provide ipv6 version of "disable_policy" sysctl")
    Signed-off-by: Nicolas Dichtel <nicolas.dichtel@xxxxxxxxx>
    Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 497974b4372a..b7ffb4f227a4 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -479,7 +479,9 @@ int ip6_forward(struct sk_buff *skb)
 	if (skb_warn_if_lro(skb))
 		goto drop;
 
-	if (!xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) {
+	if (!net->ipv6.devconf_all->disable_policy &&
+	    !idev->cnf.disable_policy &&
+	    !xfrm6_policy_check(NULL, XFRM_POLICY_FWD, skb)) {
 		__IP6_INC_STATS(net, idev, IPSTATS_MIB_INDISCARDS);
 		goto drop;
 	}






