* pull request (net): ipsec 2020-01-21
From: Steffen Klassert @ 2020-01-21 7:16 UTC (permalink / raw)
To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev

1) Fix packet tx through bpf_redirect() for xfrm and vti
   interfaces. From Nicolas Dichtel.

2) Do not confirm neighbor when doing a pmtu update on a virtual
   xfrm interface. From Xu Wang.

3) Support output_mark for offload ESP packets, this was
   forgotten when the output_mark was added initially.
   From Ulrich Weber.

Please pull or let me know if there are problems.

Thanks!

The following changes since commit a112adafcb47760feff959ee1ecd10b74d2c5467:
NFC: pn533: fix bulk-message timeout (2020-01-13 18:50:18 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec.git master
for you to fetch changes up to 4e4362d2bf2a49ff44dbbc9585207977ca3d71d0:
xfrm: support output_mark for offload ESP packets (2020-01-15 12:18:35 +0100)
----------------------------------------------------------------
Nicolas Dichtel (2):
vti[6]: fix packet tx through bpf_redirect()
xfrm interface: fix packet tx through bpf_redirect()
Ulrich Weber (1):
xfrm: support output_mark for offload ESP packets
Xu Wang (1):
xfrm: interface: do not confirm neighbor when do pmtu update
net/ipv4/esp4_offload.c | 2 ++
net/ipv4/ip_vti.c | 13 +++++++++++--
net/ipv6/esp6_offload.c | 2 ++
net/ipv6/ip6_vti.c | 13 +++++++++++--
net/xfrm/xfrm_interface.c | 34 ++++++++++++++++++++++++++--------
5 files changed, 52 insertions(+), 12 deletions(-)
* [PATCH 1/4] vti[6]: fix packet tx through bpf_redirect()
From: Steffen Klassert @ 2020-01-21 7:16 UTC (permalink / raw)
To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev
From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
With an ebpf program that redirects packets through a vti[6] interface,
the packets are dropped because no dst is attached.
This could also be reproduced with an AF_PACKET socket, with the following
python script (vti1 is an ip_vti interface):
import socket
send_s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, 0)
# scapy
# p = IP(src='10.100.0.2', dst='10.200.0.1')/ICMP(type='echo-request')
# raw(p)
req = b'E\x00\x00\x1c\x00\x01\x00\x00@\x01e\xb2\nd\x00\x02\n\xc8\x00\x01\x08\x00\xf7\xff\x00\x00\x00\x00'
send_s.sendto(req, ('vti1', 0x800, 0, 0))
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/ipv4/ip_vti.c | 13 +++++++++++--
net/ipv6/ip6_vti.c | 13 +++++++++++--
2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index e90b600c7a25..37cddd18f282 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -187,8 +187,17 @@ static netdev_tx_t vti_xmit(struct sk_buff *skb, struct net_device *dev,
int mtu;
if (!dst) {
- dev->stats.tx_carrier_errors++;
- goto tx_error_icmp;
+ struct rtable *rt;
+
+ fl->u.ip4.flowi4_oif = dev->ifindex;
+ fl->u.ip4.flowi4_flags |= FLOWI_FLAG_ANYSRC;
+ rt = __ip_route_output_key(dev_net(dev), &fl->u.ip4);
+ if (IS_ERR(rt)) {
+ dev->stats.tx_carrier_errors++;
+ goto tx_error_icmp;
+ }
+ dst = &rt->dst;
+ skb_dst_set(skb, dst);
}
dst_hold(dst);
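Review bot: the new `if (!dst)` branch in vti_xmit() always builds the route lookup from `fl->u.ip4`, with no check of the packet's protocol. If vti_xmit() can be reached with a non-IPv4 inner packet, the flow was decoded for another family and `__ip_route_output_key()` would run on the wrong union member; choosing the lookup by `skb->protocol`, and keeping the old tx_carrier_errors drop for anything else, would close that off. A one-line comment saying this branch serves packets that arrive without a dst (bpf_redirect() or AF_PACKET, per the commit message) would also help the next reader.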
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index 6f08b760c2a7..524006aa0d78 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -449,8 +449,17 @@ vti6_xmit(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
int err = -1;
int mtu;
- if (!dst)
- goto tx_err_link_failure;
+ if (!dst) {
+ fl->u.ip6.flowi6_oif = dev->ifindex;
+ fl->u.ip6.flowi6_flags |= FLOWI_FLAG_ANYSRC;
+ dst = ip6_route_output(dev_net(dev), NULL, &fl->u.ip6);
+ if (dst->error) {
+ dst_release(dst);
+ dst = NULL;
+ goto tx_err_link_failure;
+ }
+ skb_dst_set(skb, dst);
+ }
dst_hold(dst);
dst = xfrm_lookup(t->net, dst, fl, NULL, 0);
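Review bot: in the error path of the new `if (!dst)` block in vti6_xmit(), `dst = NULL;` after `dst_release(dst)` only matters if the `tx_err_link_failure` label touches dst again, which is not visible in this hunk; a short comment stating that dependency would stop someone from dropping the assignment later and introducing a double release. The same question as on the IPv4 side applies here: the lookup uses `fl->u.ip6` unconditionally, so either confirm vti6_xmit() is never entered with a flow decoded for IPv4 or branch on `skb->protocol`.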
--
2.17.1
* [PATCH 2/4] xfrm interface: fix packet tx through bpf_redirect()
From: Steffen Klassert @ 2020-01-21 7:16 UTC (permalink / raw)
To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev
From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
With an ebpf program that redirects packets through an xfrm interface,
packets are dropped because no dst is attached to skb.
This could also be reproduced with an AF_PACKET socket, with the following
python script (xfrm1 is an xfrm interface):
import socket
send_s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, 0)
# scapy
# p = IP(src='10.100.0.2', dst='10.200.0.1')/ICMP(type='echo-request')
# raw(p)
req = b'E\x00\x00\x1c\x00\x01\x00\x00@\x01e\xb2\nd\x00\x02\n\xc8\x00\x01\x08\x00\xf7\xff\x00\x00\x00\x00'
send_s.sendto(req, ('xfrm1', 0x800, 0, 0))
It was also not possible to send an IP packet through an AF_PACKET socket
because a LL header was expected. Let's remove those LL header constraints.
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_interface.c | 32 +++++++++++++++++++++++++-------
1 file changed, 25 insertions(+), 7 deletions(-)
diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
index 7ac1542feaf8..00393179f185 100644
--- a/net/xfrm/xfrm_interface.c
+++ b/net/xfrm/xfrm_interface.c
@@ -268,9 +268,6 @@ xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
int err = -1;
int mtu;
- if (!dst)
- goto tx_err_link_failure;
-
dst_hold(dst);
dst = xfrm_lookup_with_ifid(xi->net, dst, fl, NULL, 0, xi->p.if_id);
if (IS_ERR(dst)) {
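Review bot: with the `if (!dst)` check removed, `dst_hold(dst)` at the top of xfrmi_xmit2() runs unguarded, so the function now has an unstated precondition that the caller attached a dst to the skb. Please document that in a comment above the function, or keep a defensive `WARN_ON_ONCE(!dst)` bail-out so a future caller that forgets the lookup fails loudly instead of dereferencing NULL.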
@@ -343,6 +340,7 @@ static netdev_tx_t xfrmi_xmit(struct sk_buff *skb, struct net_device *dev)
{
struct xfrm_if *xi = netdev_priv(dev);
struct net_device_stats *stats = &xi->dev->stats;
+ struct dst_entry *dst = skb_dst(skb);
struct flowi fl;
int ret;
@@ -352,10 +350,33 @@ static netdev_tx_t xfrmi_xmit(struct sk_buff *skb, struct net_device *dev)
case htons(ETH_P_IPV6):
xfrm_decode_session(skb, &fl, AF_INET6);
memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
+ if (!dst) {
+ fl.u.ip6.flowi6_oif = dev->ifindex;
+ fl.u.ip6.flowi6_flags |= FLOWI_FLAG_ANYSRC;
+ dst = ip6_route_output(dev_net(dev), NULL, &fl.u.ip6);
+ if (dst->error) {
+ dst_release(dst);
+ stats->tx_carrier_errors++;
+ goto tx_err;
+ }
+ skb_dst_set(skb, dst);
+ }
break;
case htons(ETH_P_IP):
xfrm_decode_session(skb, &fl, AF_INET);
memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
+ if (!dst) {
+ struct rtable *rt;
+
+ fl.u.ip4.flowi4_oif = dev->ifindex;
+ fl.u.ip4.flowi4_flags |= FLOWI_FLAG_ANYSRC;
+ rt = __ip_route_output_key(dev_net(dev), &fl.u.ip4);
+ if (IS_ERR(rt)) {
+ stats->tx_carrier_errors++;
+ goto tx_err;
+ }
+ skb_dst_set(skb, &rt->dst);
+ }
break;
default:
goto tx_err;
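Review bot: in the ETH_P_IP branch the route is attached with `skb_dst_set(skb, &rt->dst)` but the new local `dst` stays NULL, whereas the ETH_P_IPV6 branch assigns `dst` before attaching it. If `dst` is read anywhere after the switch the two families diverge; either assign `dst = &rt->dst` as well or make it clear the variable is only used for the NULL test. The two branches also repeat the oif/FLOWI_FLAG_ANYSRC lookup added to vti in patch 1, so a shared helper would keep the four copies from drifting apart.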
@@ -563,12 +584,9 @@ static void xfrmi_dev_setup(struct net_device *dev)
{
dev->netdev_ops = &xfrmi_netdev_ops;
dev->type = ARPHRD_NONE;
- dev->hard_header_len = ETH_HLEN;
- dev->min_header_len = ETH_HLEN;
dev->mtu = ETH_DATA_LEN;
dev->min_mtu = ETH_MIN_MTU;
- dev->max_mtu = ETH_DATA_LEN;
- dev->addr_len = ETH_ALEN;
+ dev->max_mtu = IP_MAX_MTU;
dev->flags = IFF_NOARP;
dev->needs_free_netdev = true;
dev->priv_destructor = xfrmi_dev_free;
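Review bot: the change of `dev->max_mtu` from ETH_DATA_LEN to IP_MAX_MTU in xfrmi_dev_setup() is not covered by the commit message, which only talks about removing the LL header constraints (hard_header_len, min_header_len, addr_len). Raising the ceiling changes what userspace may configure on the interface while the default `dev->mtu` stays at ETH_DATA_LEN, so please either say why it belongs in this fix or split it into its own patch with a rationale.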
--
2.17.1
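
Added example, not part of the patch or of the original posting: decoding the reproducer payload shows that it starts directly at the IPv4 header, with no link-layer header in front, which is the kind of frame the commit message says AF_PACKET could not send before the LL header constraints were removed. The function names are hypothetical; only the payload bytes come from the page.

```python
import socket
import struct

# Payload copied from the reproducer in the commit message above.
REQ = (b'E\x00\x00\x1c\x00\x01\x00\x00@\x01e\xb2\nd\x00\x02\n\xc8\x00\x01'
       b'\x08\x00\xf7\xff\x00\x00\x00\x00')


def checksum_ok(data: bytes) -> bool:
    """RFC 1071 check: the folded 16-bit one's-complement sum must be 0xffff."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xffff) + (total >> 16)
    return total == 0xffff


def describe_l3_frame(frame: bytes) -> dict:
    """Parse a frame that must start at the IPv4 header (no link-layer header)."""
    if len(frame) < 20:
        raise ValueError('shorter than a minimal IPv4 header')
    ver_ihl, _tos, tot_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack('!BBHHHBBH4s4s', frame[:20])
    ihl = (ver_ihl & 0x0f) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= tot_len <= len(frame):
        raise ValueError('no well-formed IPv4 header at offset 0')
    payload = frame[ihl:tot_len]
    info = {
        'src': socket.inet_ntoa(src),
        'dst': socket.inet_ntoa(dst),
        'ttl': ttl,
        'proto': proto,
        'total_len': tot_len,
        'ip_checksum_ok': checksum_ok(frame[:ihl]),
    }
    if proto == socket.IPPROTO_ICMP and len(payload) >= 8:
        info['icmp_type'], info['icmp_code'] = payload[0], payload[1]
        info['icmp_checksum_ok'] = checksum_ok(payload)
    return info


if __name__ == '__main__':
    print(describe_l3_frame(REQ))
```
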
* [PATCH 3/4] xfrm: interface: do not confirm neighbor when do pmtu update
From: Steffen Klassert @ 2020-01-21 7:16 UTC (permalink / raw)
To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev
From: Xu Wang <vulab@iscas.ac.cn>
When doing an IPv6 tunnel PMTU update that calls __ip6_rt_update_pmtu() in the end,
we should not call dst_confirm_neigh() as there is no two-way communication.
Signed-off-by: Xu Wang <vulab@iscas.ac.cn>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_interface.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
index 00393179f185..dc651a628dcf 100644
--- a/net/xfrm/xfrm_interface.c
+++ b/net/xfrm/xfrm_interface.c
@@ -294,7 +294,7 @@ xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
mtu = dst_mtu(dst);
if (!skb->ignore_df && skb->len > mtu) {
- skb_dst_update_pmtu(skb, mtu);
+ skb_dst_update_pmtu_no_confirm(skb, mtu);
if (skb->protocol == htons(ETH_P_IPV6)) {
if (mtu < IPV6_MIN_MTU)
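Review bot: the switch to `skb_dst_update_pmtu_no_confirm(skb, mtu)` sits before the `skb->protocol == htons(ETH_P_IPV6)` test, so it applies to every packet that exceeds the MTU, while the commit message only describes the IPv6 tunnel case and __ip6_rt_update_pmtu(). Please state in the commit message that the IPv4 path is intentionally changed too, or move the no-confirm variant under the IPv6 branch if that was the only intended target.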
--
2.17.1
* [PATCH 4/4] xfrm: support output_mark for offload ESP packets
From: Steffen Klassert @ 2020-01-21 7:16 UTC (permalink / raw)
To: David Miller; +Cc: Herbert Xu, Steffen Klassert, netdev
From: Ulrich Weber <ulrich.weber@gmail.com>
Commit 9b42c1f179a6 ("xfrm: Extend the output_mark") added output_mark
support but missed ESP offload support.
xfrm_smark_get() is not called within xfrm_input() for packets coming
from esp4_gro_receive() or esp6_gro_receive(). Therefore call
xfrm_smark_get() directly within these functions.
Fixes: 9b42c1f179a6 ("xfrm: Extend the output_mark to support input direction and masking.")
Signed-off-by: Ulrich Weber <ulrich.weber@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/ipv4/esp4_offload.c | 2 ++
net/ipv6/esp6_offload.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
index 0e4a7cf6bc87..e2e219c7854a 100644
--- a/net/ipv4/esp4_offload.c
+++ b/net/ipv4/esp4_offload.c
@@ -57,6 +57,8 @@ static struct sk_buff *esp4_gro_receive(struct list_head *head,
if (!x)
goto out_reset;
+ skb->mark = xfrm_smark_get(skb->mark, x);
+
sp->xvec[sp->len++] = x;
sp->olen++;
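Review bot: the new `skb->mark = xfrm_smark_get(skb->mark, x);` in esp4_gro_receive() has no comment, and the reason it lives here is only in the commit message (xfrm_input() does not call xfrm_smark_get() for packets coming from the GRO receive path). A one-line comment above the assignment saying so would keep someone from removing it as redundant, or from adding a second call elsewhere that rewrites the mark twice.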
diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
index e31626ffccd1..fd535053245b 100644
--- a/net/ipv6/esp6_offload.c
+++ b/net/ipv6/esp6_offload.c
@@ -79,6 +79,8 @@ static struct sk_buff *esp6_gro_receive(struct list_head *head,
if (!x)
goto out_reset;
+ skb->mark = xfrm_smark_get(skb->mark, x);
+
sp->xvec[sp->len++] = x;
sp->olen++;
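Review bot: the assignment added to esp6_gro_receive() is a verbatim copy of the one in esp4_gro_receive(), and both now mirror what the commit message says xfrm_input() does on the non-offload path. Any later change to how the input mark is derived has to be made in three places; consider a small shared inline helper, or at least a comment in each copy pointing at the others.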
--
2.17.1
* Re: pull request (net): ipsec 2020-01-21
From: David Miller @ 2020-01-21 8:26 UTC (permalink / raw)
To: steffen.klassert; +Cc: herbert, netdev
From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Tue, 21 Jan 2020 08:16:27 +0100
> 1) Fix packet tx through bpf_redirect() for xfrm and vti
> interfaces. From Nicolas Dichtel.
>
> 2) Do not confirm neighbor when doing a pmtu update on a virtual
> xfrm interface. From Xu Wang.
>
> 3) Support output_mark for offload ESP packets, this was
> forgotten when the output_mark was added initially.
> From Ulrich Weber.
>
> Please pull or let me know if there are problems.
Pulled, thanks.