netdev.vger.kernel.org archive mirror
* [PATCH net-next] ipv4: Reject again rules with high DSCP values
@ 2022-02-10 12:24 Guillaume Nault
  2022-02-10 15:40 ` patchwork-bot+netdevbpf
  0 siblings, 1 reply; 2+ messages in thread
From: Guillaume Nault @ 2022-02-10 12:24 UTC (permalink / raw)
  To: David Miller, Jakub Kicinski
  Cc: netdev, Hideaki YOSHIFUJI, David Ahern, Toke Høiland-Jørgensen

Commit 563f8e97e054 ("ipv4: Stop taking ECN bits into account in
fib4-rules") replaced the validation test on frh->tos. While the new
test is stricter for ECN bits, it doesn't detect the use of high order
DSCP bits. This would be fine if IPv4 could properly handle them. But
currently, most IPv4 lookups are done with the three high DSCP bits
masked. Therefore, using these bits doesn't lead to the expected
result.

Let's reject such configurations again, so that nobody starts to
use and make any assumption about how the stack handles the three high
order DSCP bits in fib4 rules.

Fixes: 563f8e97e054 ("ipv4: Stop taking ECN bits into account in fib4-rules")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
---
 net/ipv4/fib_rules.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
index 117c48571cf0..001fea394bde 100644
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -231,6 +231,11 @@ static int fib4_rule_configure(struct fib_rule *rule, struct sk_buff *skb,
 			       "Invalid dsfield (tos): ECN bits must be 0");
 		goto errout;
 	}
+	/* IPv4 currently doesn't handle high order DSCP bits correctly */
+	if (frh->tos & ~IPTOS_TOS_MASK) {
+		NL_SET_ERR_MSG(extack, "Invalid tos");
+		goto errout;
+	}
 	rule4->dscp = inet_dsfield_to_dscp(frh->tos);
 
 	/* split local/main if they are not already split */
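
Review bot: The extack string "Invalid tos" on the new `frh->tos & ~IPTOS_TOS_MASK` check does not tell the user which bits were rejected, while the ECN check directly above it reports "Invalid dsfield (tos): ECN bits must be 0". Consider a message in the same form that names the high order DSCP bits, so someone whose rule is rejected can see which part of the value to change. The new comment says IPv4 "currently" doesn't handle these bits; a short note on what has to change before the check can be dropped would help whoever revisits it.
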
-- 
2.21.3



* Re: [PATCH net-next] ipv4: Reject again rules with high DSCP values
  2022-02-10 12:24 [PATCH net-next] ipv4: Reject again rules with high DSCP values Guillaume Nault
@ 2022-02-10 15:40 ` patchwork-bot+netdevbpf
  0 siblings, 0 replies; 2+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-02-10 15:40 UTC (permalink / raw)
  To: Guillaume Nault; +Cc: davem, kuba, netdev, yoshfuji, dsahern, toke

Hello:

This patch was applied to netdev/net-next.git (master)
by David S. Miller <davem@davemloft.net>:

On Thu, 10 Feb 2022 13:24:51 +0100 you wrote:
> Commit 563f8e97e054 ("ipv4: Stop taking ECN bits into account in
> fib4-rules") replaced the validation test on frh->tos. While the new
> test is stricter for ECN bits, it doesn't detect the use of high order
> DSCP bits. This would be fine if IPv4 could properly handle them. But
> currently, most IPv4 lookups are done with the three high DSCP bits
> masked. Therefore, using these bits doesn't lead to the expected
> result.
> 
> [...]

Here is the summary with links:
  - [net-next] ipv4: Reject again rules with high DSCP values
    https://git.kernel.org/netdev/net-next/c/dc513a405cad

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html


