* [PATCH ipsec] xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input
From: Xin Long @ 2020-04-10 9:06 UTC
To: netdev; +Cc: Steffen Klassert, Herbert Xu, David S. Miller, Sabrina Dubroca
For beet mode, when it's ipv6 inner address with nexthdrs set,
the packet format might be:
    ----------------------------------------------------
    | outer  |     | dest |     |      |  ESP    | ESP |
    | IP hdr | ESP | opts.| TCP | Data | Trailer | ICV |
    ----------------------------------------------------
The nexthdr from ESP could be NEXTHDR_HOP(0), so it should
continue processing the packet when nexthdr returns 0 in
xfrm_input(). Otherwise, when ipv6 nexthdr is set, the
packet will be dropped.
I don't see any error cases that nexthdr may return 0. So
fix it by removing the check for nexthdr == 0.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
net/xfrm/xfrm_input.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index aa35f23..8a202c44 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -644,7 +644,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
dev_put(skb->dev);
spin_lock(&x->lock);
- if (nexthdr <= 0) {
+ if (nexthdr < 0) {
if (nexthdr == -EBADMSG) {
xfrm_audit_state_icvfail(x, skb,
x->type->proto);
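Review bot: the relaxed test at `if (nexthdr < 0)` now treats a return of 0 as success, so it is only correct if whatever produces nexthdr never reports a failure as 0, which the changelog asserts ("I don't see any error cases") without listing what was checked. A short comment above the condition stating that 0 is a valid next-header value (NEXTHDR_HOP) and that errors are always negative would keep a later cleanup from restoring `<= 0`. The Fixes tag names the initial import, so the changelog could also say which trees the change is meant for.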
--
2.1.0
* [PATCH ipsec] esp6: support ipv6 nexthdrs process for beet gso segment
From: Xin Long @ 2020-04-10 9:07 UTC
To: netdev; +Cc: Steffen Klassert, Herbert Xu, David S. Miller, Sabrina Dubroca
For beet mode, when it's ipv6 inner address with nexthdrs set,
the packet format might be:
    ----------------------------------------------------
    | outer  |     | dest |     |      |  ESP    | ESP |
    | IP6 hdr| ESP | opts.| TCP | Data | Trailer | ICV |
    ----------------------------------------------------
Before doing gso segment in xfrm6_beet_gso_segment(), it should
skip all nexthdrs and get the real transport proto, and set
transport_header properly.
This patch is to fix it by simply calling ipv6_skip_exthdr()
in xfrm6_beet_gso_segment().
Fixes: 7f9e40eb18a9 ("esp6: add gso_segment for esp6 beet mode")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
net/ipv6/esp6_offload.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
index b828508..021f58c 100644
--- a/net/ipv6/esp6_offload.c
+++ b/net/ipv6/esp6_offload.c
@@ -173,7 +173,7 @@ static struct sk_buff *xfrm6_beet_gso_segment(struct xfrm_state *x,
struct xfrm_offload *xo = xfrm_offload(skb);
struct sk_buff *segs = ERR_PTR(-EINVAL);
const struct net_offload *ops;
- int proto = xo->proto;
+ u8 proto = xo->proto;
skb->transport_header += x->props.header_len;
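Review bot: the type change at `u8 proto = xo->proto;` is not mentioned in the changelog; it appears to be there only so that `&proto` can be passed to ipv6_skip_exthdr() in the next hunk. Say so in the commit message, and check that no later use of proto in this function depends on it being an int.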
@@ -184,7 +184,13 @@ static struct sk_buff *xfrm6_beet_gso_segment(struct xfrm_state *x,
proto = ph->nexthdr;
}
- if (x->sel.family != AF_INET6) {
+ if (x->sel.family == AF_INET6) {
+ int offset = skb_transport_offset(skb);
+ __be16 frag;
+
+ offset = ipv6_skip_exthdr(skb, offset, &proto, &frag);
+ skb->transport_header += offset;
+ } else {
skb->transport_header -=
(sizeof(struct ipv6hdr) - sizeof(struct iphdr));
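Review bot: in the new AF_INET6 branch, `offset` starts at skb_transport_offset(skb) and the value returned by ipv6_skip_exthdr() is then added to skb->transport_header, so the starting offset is counted twice whenever it is non-zero, and the transport header moves even when there is no extension header to skip. The return value is also used without a check for a negative result, and `frag` is never read. Suggest adding only the length actually skipped and bailing out on error before transport_header is touched.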
--
2.1.0
* Re: [PATCH ipsec] esp6: support ipv6 nexthdrs process for beet gso segment
From: Sabrina Dubroca @ 2020-04-15 9:56 UTC
To: Xin Long; +Cc: netdev, Steffen Klassert, Herbert Xu, David S. Miller
2020-04-10, 17:07:31 +0800, Xin Long wrote:
> For beet mode, when it's ipv6 inner address with nexthdrs set,
> the packet format might be:
>
>     ----------------------------------------------------
>     | outer  |     | dest |     |      |  ESP    | ESP |
>     | IP6 hdr| ESP | opts.| TCP | Data | Trailer | ICV |
>     ----------------------------------------------------
>
> Before doing gso segment in xfrm6_beet_gso_segment(), it should
> skip all nexthdrs and get the real transport proto, and set
> transport_header properly.
>
> This patch is to fix it by simply calling ipv6_skip_exthdr()
> in xfrm6_beet_gso_segment().
>
> Fixes: 7f9e40eb18a9 ("esp6: add gso_segment for esp6 beet mode")
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
> ---
> net/ipv6/esp6_offload.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
> index b828508..021f58c 100644
> --- a/net/ipv6/esp6_offload.c
> +++ b/net/ipv6/esp6_offload.c
> @@ -173,7 +173,7 @@ static struct sk_buff *xfrm6_beet_gso_segment(struct xfrm_state *x,
> struct xfrm_offload *xo = xfrm_offload(skb);
> struct sk_buff *segs = ERR_PTR(-EINVAL);
> const struct net_offload *ops;
> - int proto = xo->proto;
> + u8 proto = xo->proto;
>
> skb->transport_header += x->props.header_len;
>
> @@ -184,7 +184,13 @@ static struct sk_buff *xfrm6_beet_gso_segment(struct xfrm_state *x,
> proto = ph->nexthdr;
> }
>
> - if (x->sel.family != AF_INET6) {
> + if (x->sel.family == AF_INET6) {
> + int offset = skb_transport_offset(skb);
> + __be16 frag;
> +
> + offset = ipv6_skip_exthdr(skb, offset, &proto, &frag);
> + skb->transport_header += offset;
This seems a bit wrong: we start with offset = transport_offset, then
ipv6_skip_exthdr adds the size of the extension headers to it.
In a simple case where there's no extension header, ipv6_skip_exthdr
returns offset. Now we add offset to skb->transport_header, so
transport_header is increased, but it shouldn't have changed.
What am I missing?
Thanks.
--
Sabrina
* Re: [PATCH ipsec] esp6: support ipv6 nexthdrs process for beet gso segment
From: Xin Long @ 2020-04-19 7:26 UTC
To: Sabrina Dubroca
Cc: network dev, Steffen Klassert, Herbert Xu, David S. Miller
On Wed, Apr 15, 2020 at 5:56 PM Sabrina Dubroca <sd@queasysnail.net> wrote:
>
> 2020-04-10, 17:07:31 +0800, Xin Long wrote:
> > For beet mode, when it's ipv6 inner address with nexthdrs set,
> > the packet format might be:
> >
> >     ----------------------------------------------------
> >     | outer  |     | dest |     |      |  ESP    | ESP |
> >     | IP6 hdr| ESP | opts.| TCP | Data | Trailer | ICV |
> >     ----------------------------------------------------
> >
> > Before doing gso segment in xfrm6_beet_gso_segment(), it should
> > skip all nexthdrs and get the real transport proto, and set
> > transport_header properly.
> >
> > This patch is to fix it by simply calling ipv6_skip_exthdr()
> > in xfrm6_beet_gso_segment().
> >
> > Fixes: 7f9e40eb18a9 ("esp6: add gso_segment for esp6 beet mode")
> > Signed-off-by: Xin Long <lucien.xin@gmail.com>
> > ---
> > net/ipv6/esp6_offload.c | 10 ++++++++--
> > 1 file changed, 8 insertions(+), 2 deletions(-)
> >
> > diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
> > index b828508..021f58c 100644
> > --- a/net/ipv6/esp6_offload.c
> > +++ b/net/ipv6/esp6_offload.c
> > @@ -173,7 +173,7 @@ static struct sk_buff *xfrm6_beet_gso_segment(struct xfrm_state *x,
> > struct xfrm_offload *xo = xfrm_offload(skb);
> > struct sk_buff *segs = ERR_PTR(-EINVAL);
> > const struct net_offload *ops;
> > - int proto = xo->proto;
> > + u8 proto = xo->proto;
> >
> > skb->transport_header += x->props.header_len;
> >
> > @@ -184,7 +184,13 @@ static struct sk_buff *xfrm6_beet_gso_segment(struct xfrm_state *x,
> > proto = ph->nexthdr;
> > }
> >
> > - if (x->sel.family != AF_INET6) {
> > + if (x->sel.family == AF_INET6) {
> > + int offset = skb_transport_offset(skb);
> > + __be16 frag;
> > +
> > + offset = ipv6_skip_exthdr(skb, offset, &proto, &frag);
> > + skb->transport_header += offset;
>
> This seems a bit wrong: we start with offset = transport_offset, then
> ipv6_skip_exthdr adds the size of the extension headers to it.
>
> In a simple case where there's no extension header, ipv6_skip_exthdr
> returns offset. Now we add offset to skb->transport_header, so
> transport_header is increased, but it shouldn't have changed.
>
> What am I missing?
You're right, actually skb_transport_offset(skb) is always 0 in there.
I will post v2 with:
skb->transport_header += ipv6_skip_exthdr(skb, 0, &proto, &frag);
Thanks for reviewing.
>
> Thanks.
>
> --
> Sabrina
>
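The offset arithmetic discussed in the two replies above, as an added userspace example that is not code from this thread or from the kernel. skip_exthdr() is a simplified stand-in for ipv6_skip_exthdr() that only handles hop-by-hop, routing and destination-options headers; the function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define NEXTHDR_HOP      0  /* hop-by-hop options */
#define NEXTHDR_TCP      6
#define NEXTHDR_ROUTING 43
#define NEXTHDR_DEST    60  /* destination options */

/* Constructed sample: 4 bytes before the transport offset, one 8-byte
 * destination-options header (next header TCP, PadN filler), 4 payload bytes. */
static const uint8_t sample[] = { 0xAA, 0xAA, 0xAA, 0xAA,
    NEXTHDR_TCP, 0, 1, 4, 0, 0, 0, 0, 'T', 'C', 'P', '!' };

/* Walk extension headers from absolute offset `start`. *proto is the type of
 * the header at `start` on entry, the first non-extension type on return.
 * Returns that header's ABSOLUTE offset, or -1 if a header is truncated. */
static int skip_exthdr(const uint8_t *buf, size_t len, size_t start, uint8_t *proto)
{
    size_t off = start, hdrlen;
    if (start > len)
        return -1;
    while (*proto == NEXTHDR_HOP || *proto == NEXTHDR_ROUTING ||
           *proto == NEXTHDR_DEST) {
        if (len - off < 2)
            return -1;
        hdrlen = ((size_t)buf[off + 1] + 1) * 8; /* 8-octet units, first not counted */
        if (hdrlen > len - off)
            return -1;
        *proto = buf[off];
        off += hdrlen;
    }
    return (int)off;
}

/* Transport offset as the posted hunk computes it: old offset += return value. */
static int transport_as_posted(const uint8_t *buf, size_t len, size_t start, uint8_t proto)
{
    int off = skip_exthdr(buf, len, start, &proto);
    return off < 0 ? -1 : (int)start + off;
}

int main(void)
{
    uint8_t proto = NEXTHDR_DEST;
    int off = skip_exthdr(sample, sizeof(sample), 4, &proto);
    printf("absolute=%d as_posted=%d\n", off,
           transport_as_posted(sample, sizeof(sample), 4, NEXTHDR_DEST));
    return 0;
}
```

The two results agree only when the starting offset is 0, which is the case the v2 one-liner relies on.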
* Re: [PATCH ipsec] xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input
From: Steffen Klassert @ 2020-04-20 10:36 UTC
To: Xin Long; +Cc: netdev, Herbert Xu, David S. Miller, Sabrina Dubroca
On Fri, Apr 10, 2020 at 05:06:01PM +0800, Xin Long wrote:
> For beet mode, when it's ipv6 inner address with nexthdrs set,
> the packet format might be:
>
>     ----------------------------------------------------
>     | outer  |     | dest |     |      |  ESP    | ESP |
>     | IP hdr | ESP | opts.| TCP | Data | Trailer | ICV |
>     ----------------------------------------------------
>
> The nexthdr from ESP could be NEXTHDR_HOP(0), so it should
> continue processing the packet when nexthdr returns 0 in
> xfrm_input(). Otherwise, when ipv6 nexthdr is set, the
> packet will be dropped.
>
> I don't see any error cases that nexthdr may return 0. So
> fix it by removing the check for nexthdr == 0.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
Applied, thanks!