ipv6: add flowlabel_consistency sysctl

With the introduction of IPV6_FL_F_REFLECT, there is no guarantee of flow label unicity. This patch introduces a new sysctl to protect the old behaviour, enable by default. Changelog of V3: * rename ip6_flowlabel_consistency to flowlabel_consistency * use net_info_ratelimited() * checkpatch cleanups Signed-off-by: Florent Fourcot <florent.fourcot@enst-bretagne.fr> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Florent Fourcot <florent.fourcot@enst-bretagne.fr> 2014-01-17 17:15:05 +0100
committer: David S. Miller <davem@davemloft.net> 2014-01-19 17:12:31 -0800
commit: 6444f72b4b74f627c51891101e93ba2b94078b0a (patch)
tree: d5aa20605d13fa3e222e7e1bf1b7b678a295f398 /net/ipv6/ip6_flowlabel.c
parent: 46e5f401762c639e38eea350d335c0f54ec2442f (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index 01bf2524c72a..dfa41bb4e0dc 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -588,8 +588,15 @@ int ipv6_flowlabel_opt(struct sock *sk, char __user *optval, int optlen)
 
 	case IPV6_FL_A_GET:
 		if (freq.flr_flags & IPV6_FL_F_REFLECT) {
+			struct net *net = sock_net(sk);
+			if (net->ipv6.sysctl.flowlabel_consistency) {
+				net_info_ratelimited("Can not set IPV6_FL_F_REFLECT if flowlabel_consistency sysctl is enable\n");
+				return -EPERM;
+			}
+
 			if (sk->sk_protocol != IPPROTO_TCP)
 				return -ENOPROTOOPT;
+
 			np->repflow = 1;
 			return 0;
 		}
author	Florent Fourcot <florent.fourcot@enst-bretagne.fr>	2014-01-17 17:15:05 +0100
committer	David S. Miller <davem@davemloft.net>	2014-01-19 17:12:31 -0800
commit	6444f72b4b74f627c51891101e93ba2b94078b0a (patch)
tree	d5aa20605d13fa3e222e7e1bf1b7b678a295f398 /net/ipv6/ip6_flowlabel.c
parent	46e5f401762c639e38eea350d335c0f54ec2442f (diff)