[PATCH] netifd: interface-ip: don't set fib6 policies if ipv6 disabled

Fri, 30 Apr 2021 07:37:23 -0700 

If IPv6 is disabled on a device, netifd still creates rules for it:

0:      from all lookup local
32766:  from all lookup main
4200000001:     from all iif lo lookup unspec 12
4200000002:     from all iif eth0 lookup unspec 12
4200000003:     from all iif eth1 lookup unspec 12

When logread is asked to log to a remote system, it invokes usock such
that getaddrinfo is called with AI_ADDRCONFIG in the flags; if ipv6 is
disabled on lo, musl attempts to connect to ::1 but gets EACCES from
the kernel, because of the reject policy added; this causes logread to
fail to connect:

socket(AF_INET6, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_UDP) = 8
connect(8, {sa_family=AF_INET6, sin6_port=htons(65535), sin6_flowinfo=htonl(0), 
inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}, 28) = -1 EACCES 
(Permission denied)

See <https://www.openwall.com/lists/musl/2021/04/30/2> for a
discussion of musl's handling of this.

This change only sets up the v6 rules if ipv6 is enabled on the
device.

Signed-off-by: Julian Squires <jul...@cipht.net>
---
 interface-ip.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/interface-ip.c b/interface-ip.c
index 648f521..e6573df 100644
--- a/interface-ip.c
+++ b/interface-ip.c
@@ -1708,11 +1708,13 @@ void interface_ip_set_enabled(struct 
interface_ip_settings *ip, bool enabled)
 
        if (ip->iface->policy_rules_set != enabled &&
            ip->iface->l3_dev.dev) {
-               set_ip_lo_policy(enabled, true, ip->iface);
+               if (ip->iface->l3_dev.dev->settings.ipv6) {
+                       set_ip_lo_policy(enabled, true, ip->iface);
+                       set_ip_source_policy(enabled, true, 
IPRULE_PRIORITY_REJECT + ip->iface->l3_dev.dev->ifindex,
+                                            NULL, 0, 0, ip->iface, 
"failed_policy", true);
+               }
                set_ip_lo_policy(enabled, false, ip->iface);
 
-               set_ip_source_policy(enabled, true, IPRULE_PRIORITY_REJECT + 
ip->iface->l3_dev.dev->ifindex,
-                       NULL, 0, 0, ip->iface, "failed_policy", true);
                ip->iface->policy_rules_set = enabled;
        }
 }
-- 
2.31.1


_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Reply via email to