From: Tom Herbert <tom@herbertland.com>
To: <davem@davemloft.net>, <netdev@vger.kernel.org>
Cc: <kernel-team@fb.com>
Subject: [PATCH v3 net-next 08/11] ipv6: Change "final" protocol processing for encapsulation
Date: Fri, 6 May 2016 15:12:03 -0700 [thread overview]
Message-ID: <1462572726-566137-9-git-send-email-tom@herbertland.com> (raw)
In-Reply-To: <1462572726-566137-1-git-send-email-tom@herbertland.com>
When performing foo-over-UDP, UDP are receveived processed by the
encapsulation header which returns another protocol to process.
This may result in processing two (or more) protocols in the
loop that are marked as INET6_PROTO_FINAL. The actions taken
for hitting a final protocol, in particular the skb_postpull_rcsum
can only be performed.
This patch set adds a check of a final protocol has been seen. The
rules are:
- If the final protocol has not been seen any protocol is processed
(final and non-final). In the case of a final protocol, the final
actions are taken (like the skb_postpull_rcsum)
- If a final protocol has been seen (e.g. an encapsulating UDP
header) then no further non-final protocols are allowed
(e.g. extension headers). For more final protocols the
final actions are not taken (e.g. skb_postpull_rcsum).
Signed-off-by: Tom Herbert <tom@herbertland.com>
---
net/ipv6/ip6_input.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index 2a0258a..7d98d01 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -216,6 +216,7 @@ static int ip6_input_finish(struct net *net, struct sock *sk, struct sk_buff *sk
unsigned int nhoff;
int nexthdr;
bool raw;
+ bool have_final = false;
/*
* Parse extension headers
@@ -235,9 +236,21 @@ resubmit:
if (ipprot) {
int ret;
- if (ipprot->flags & INET6_PROTO_FINAL) {
+ if (have_final) {
+ if (!(ipprot->flags & INET6_PROTO_FINAL)) {
+ /* Once we've seen a final protocol don't
+ * allow encapsulation on any non-final
+ * ones. This allows foo in UDP encapsulation
+ * to work.
+ */
+ goto discard;
+ }
+ } else if (ipprot->flags & INET6_PROTO_FINAL) {
const struct ipv6hdr *hdr;
+ /* Only do this once for first final protocol */
+ have_final = true;
+
/* Free reference early: we don't need it any more,
and it may hold ip_conntrack module loaded
indefinitely. */
--
2.8.0.rc2
next prev parent reply other threads:[~2016-05-06 22:12 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-06 22:11 [PATCH v3 net-next 00/11] ipv6: Enable GUEoIPv6 and more fixes for v6 tunneling Tom Herbert
2016-05-06 22:11 ` [PATCH v3 net-next 01/11] gso: Remove arbitrary checks for unsupported GSO Tom Herbert
2016-05-06 22:34 ` Alexander Duyck
2016-05-07 2:44 ` Alexander Duyck
2016-05-06 22:11 ` [PATCH v3 net-next 02/11] net: define gso types for IPx over IPv4 and IPv6 Tom Herbert
2016-05-06 22:48 ` Alexander Duyck
2016-05-06 22:55 ` Tom Herbert
2016-05-06 22:11 ` [PATCH v3 net-next 03/11] gre6: Fix flag translations Tom Herbert
2016-05-06 22:11 ` [PATCH v3 net-next 04/11] fou: Call setup_udp_tunnel_sock Tom Herbert
2016-05-06 22:12 ` [PATCH v3 net-next 05/11] fou: Split out {fou,gue}_build_header Tom Herbert
2016-05-06 22:12 ` [PATCH v3 net-next 06/11] fou: Add encap ops for IPv6 tunnels Tom Herbert
2016-05-06 22:12 ` [PATCH v3 net-next 07/11] ipv6: Fix nexthdr for reinjection Tom Herbert
2016-05-06 22:12 ` Tom Herbert [this message]
2016-05-06 22:12 ` [PATCH v3 net-next 09/11] fou: Support IPv6 in fou Tom Herbert
2016-05-06 22:12 ` [PATCH v3 net-next 10/11] ip6_tun: Add infrastructure for doing encapsulation Tom Herbert
2016-05-06 22:12 ` [PATCH v3 net-next 11/11] ip6_gre: Add support for fou/gue encapsulation Tom Herbert
2016-05-07 1:09 ` [PATCH v3 net-next 00/11] ipv6: Enable GUEoIPv6 and more fixes for v6 tunneling Alexander Duyck
2016-05-07 1:57 ` Tom Herbert
2016-05-07 2:03 ` Alexander Duyck
2016-05-07 2:11 ` Tom Herbert
2016-05-07 3:03 ` Alexander Duyck
2016-05-09 16:56 ` Tom Herbert
2016-05-09 17:32 ` Alexander Duyck
2016-05-09 21:35 ` Alexander Duyck
2016-05-09 21:37 ` Tom Herbert
2016-05-09 22:32 ` Alexander Duyck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1462572726-566137-9-git-send-email-tom@herbertland.com \
--to=tom@herbertland.com \
--cc=davem@davemloft.net \
--cc=kernel-team@fb.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.