ipv6: fix 'disable_policy' for forwarded packets

Bug #1936475 reported by Nicolas Dichtel
This bug affects 1 person
Affects: linux (Ubuntu); Importance: Undecided; Assigned to: Unassigned
Affects: Impish; Importance: Undecided; Assigned to: Unassigned

Bug Description

[Impact]

The ipv6 sysctl entry 'disable_policy' has effect for local packets only (while the ipv4 version is for all packets coming from the specified interface).

This is fixed upstream with commit ccd27f05ae7b ("ipv6: fix 'disable_policy' for fwd packets").

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ccd27f05ae7b

[Test Case]

Enable 'disable_policy' for an interface:
sysctl -w net.ipv6.conf.eth0.disable_policy=1
Add an ipsec policy:
ip xfrm policy add src fd00:100::/64 dst fd00:200::/64 dir out tmpl src fd00:125::1 dst fd00:125::2 proto esp mode tunnel

Try a ping from subnet fd00:100::/64 to subnet fd00:200::/64.

[Regression Potential]

The patch is small and located in ip6_forward(), thus only this function is affected.
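
A check an administrator might run before and after installing the fixed kernel, as an added example (not part of the bug report or the upstream patch): it lists interfaces with the IPv6 'disable_policy' sysctl set, next to the IPv4 value and the global IPv6 forwarding switch, since those are the interfaces whose forwarded traffic the fix affects. The function names and the optional sysctl-root argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: report interfaces where net.ipv6.conf.<if>.disable_policy=1.
# The optional first argument (a sysctl root, default /proc/sys) is an
# assumption of this example so the check can run against a constructed tree.

# Print the first line of a sysctl file, or 0 if it is missing or unreadable.
read_knob() {
    val=0
    if [ -r "$1" ]; then IFS= read -r val < "$1" || true; fi
    echo "${val:-0}"
}

# One line per interface that has the IPv6 'disable_policy' knob set, with the
# IPv4 knob for the same interface and net.ipv6.conf.all.forwarding beside it.
disable_policy_report() {
    root="${1:-/proc/sys}"
    v6="$root/net/ipv6/conf"
    v4="$root/net/ipv4/conf"
    fwd=$(read_knob "$v6/all/forwarding")
    for dir in "$v6"/*; do
        [ -d "$dir" ] || continue
        ifname=${dir##*/}
        # 'all' and 'default' are templates, not real interfaces.
        case "$ifname" in all|default) continue ;; esac
        p6=$(read_knob "$dir/disable_policy")
        [ "$p6" = "1" ] || continue
        p4=$(read_knob "$v4/$ifname/disable_policy")
        echo "$ifname ipv6_disable_policy=$p6 ipv4_disable_policy=$p4 ipv6_forwarding=$fwd"
    done
    return 0
}

# Run against the live system (or the tree given as the first argument).
disable_policy_report "$@"
```

An interface reported with ipv6_forwarding=1 is one where, per the bug description, the setting covered only local packets before the fix and covers forwarded packets as well afterwards.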

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1936475

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.13.0-16.16

---------------
linux (5.13.0-16.16) impish; urgency=medium

  * impish/linux: 5.13.0-16.16 -proposed tracker (LP: #1942611)

  * Miscellaneous Ubuntu changes
    - [Config] update toolchain in configs

  * Miscellaneous upstream changes
    - Revert "UBUNTU: [Config] Enable CONFIG_UBSAN_BOUNDS"

 -- Andrea Righi <email address hidden> Fri, 03 Sep 2021 16:21:14 +0200

Changed in linux (Ubuntu Impish):
status: Incomplete → Fix Released