[PATCH net 1/2] openvswitch: Properly set L4 keys on "later" IP fragments.

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH net 1/2] openvswitch: Properly set L4 keys on "later" IP fragments.
@ 2019-08-24 16:58 Justin Pettit
  2019-08-24 16:58 ` [PATCH net 2/2] openvswitch: Clear the L4 portion of the key for "later" fragments Justin Pettit
  2019-08-25 16:54 ` [PATCH net 1/2] openvswitch: Properly set L4 keys on "later" IP fragments Pravin Shelar
  0 siblings, 2 replies; 7+ messages in thread
From: Justin Pettit @ 2019-08-24 16:58 UTC (permalink / raw)
  To: netdev, Pravin Shelar; +Cc: Joe Stringer

When IP fragments are reassembled before being sent to conntrack, the
key from the last fragment is used.  Unless there are reordering
issues, the last fragment received will not contain the L4 ports, so the
key for the reassembled datagram won't contain them.  This patch updates
the key once we have a reassembled datagram.

Signed-off-by: Justin Pettit <jpettit@ovn.org>
---
 net/openvswitch/conntrack.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
index 848c6eb55064..f40ad2a42086 100644
--- a/net/openvswitch/conntrack.c
+++ b/net/openvswitch/conntrack.c
@@ -524,6 +524,10 @@ static int handle_fragments(struct net *net, struct sw_flow_key *key,
 		return -EPFNOSUPPORT;
 	}
 
+	/* The key extracted from the fragment that completed this datagram
+	 * likely didn't have an L4 header, so regenerate it. */
+	ovs_flow_key_update(skb, key);
+
 	key->ip.frag = OVS_FRAG_TYPE_NONE;
 	skb_clear_hash(skb);
 	skb->ignore_df = 1;
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* [PATCH net 2/2] openvswitch: Clear the L4 portion of the key for "later" fragments.
  2019-08-24 16:58 [PATCH net 1/2] openvswitch: Properly set L4 keys on "later" IP fragments Justin Pettit
@ 2019-08-24 16:58 ` Justin Pettit
  2019-08-25 17:00   ` Pravin Shelar
  2019-08-25 16:54 ` [PATCH net 1/2] openvswitch: Properly set L4 keys on "later" IP fragments Pravin Shelar
  1 sibling, 1 reply; 7+ messages in thread
From: Justin Pettit @ 2019-08-24 16:58 UTC (permalink / raw)
  To: netdev, Pravin Shelar; +Cc: Joe Stringer

Only the first fragment in a datagram contains the L4 headers.  When the
Open vSwitch module parses a packet, it always sets the IP protocol
field in the key, but can only set the L4 fields on the first fragment.
The original behavior would not clear the L4 portion of the key, so
garbage values would be sent in the key for "later" fragments.  This
patch clears the L4 fields in that circumstance to prevent sending those
garbage values as part of the upcall.

Signed-off-by: Justin Pettit <jpettit@ovn.org>
---
 net/openvswitch/flow.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index bc89e16e0505..0fb2cec08523 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -623,6 +623,7 @@ static int key_extract(struct sk_buff *skb, struct sw_flow_key *key)
 		offset = nh->frag_off & htons(IP_OFFSET);
 		if (offset) {
 			key->ip.frag = OVS_FRAG_TYPE_LATER;
+			memset(&key->tp, 0, sizeof(key->tp));
 			return 0;
 		}
 		if (nh->frag_off & htons(IP_MF) ||
@@ -740,8 +741,10 @@ static int key_extract(struct sk_buff *skb, struct sw_flow_key *key)
 			return error;
 		}
 
-		if (key->ip.frag == OVS_FRAG_TYPE_LATER)
+		if (key->ip.frag == OVS_FRAG_TYPE_LATER) {
+			memset(&key->tp, 0, sizeof(key->tp));
 			return 0;
+		}
 		if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP)
 			key->ip.frag = OVS_FRAG_TYPE_FIRST;
 
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [PATCH net 1/2] openvswitch: Properly set L4 keys on "later" IP fragments.
  2019-08-24 16:58 [PATCH net 1/2] openvswitch: Properly set L4 keys on "later" IP fragments Justin Pettit
  2019-08-24 16:58 ` [PATCH net 2/2] openvswitch: Clear the L4 portion of the key for "later" fragments Justin Pettit
@ 2019-08-25 16:54 ` Pravin Shelar
  2019-08-25 20:40   ` Pravin Shelar
  1 sibling, 1 reply; 7+ messages in thread
From: Pravin Shelar @ 2019-08-25 16:54 UTC (permalink / raw)
  To: Justin Pettit; +Cc: Linux Kernel Network Developers, Joe Stringer

On Sat, Aug 24, 2019 at 9:58 AM Justin Pettit <jpettit@ovn.org> wrote:
>
> When IP fragments are reassembled before being sent to conntrack, the
> key from the last fragment is used.  Unless there are reordering
> issues, the last fragment received will not contain the L4 ports, so the
> key for the reassembled datagram won't contain them.  This patch updates
> the key once we have a reassembled datagram.
>
> Signed-off-by: Justin Pettit <jpettit@ovn.org>
> ---
>  net/openvswitch/conntrack.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
> index 848c6eb55064..f40ad2a42086 100644
> --- a/net/openvswitch/conntrack.c
> +++ b/net/openvswitch/conntrack.c
> @@ -524,6 +524,10 @@ static int handle_fragments(struct net *net, struct sw_flow_key *key,
>                 return -EPFNOSUPPORT;
>         }
>
> +       /* The key extracted from the fragment that completed this datagram
> +        * likely didn't have an L4 header, so regenerate it. */
> +       ovs_flow_key_update(skb, key);
> +
>         key->ip.frag = OVS_FRAG_TYPE_NONE;
>         skb_clear_hash(skb);
>         skb->ignore_df = 1;
> --

Looks good to me.

Acked-by: Pravin B Shelar <pshelar@ovn.org>

Thanks,
Pravin.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH net 2/2] openvswitch: Clear the L4 portion of the key for "later" fragments.
  2019-08-24 16:58 ` [PATCH net 2/2] openvswitch: Clear the L4 portion of the key for "later" fragments Justin Pettit
@ 2019-08-25 17:00   ` Pravin Shelar
  0 siblings, 0 replies; 7+ messages in thread
From: Pravin Shelar @ 2019-08-25 17:00 UTC (permalink / raw)
  To: Justin Pettit; +Cc: Linux Kernel Network Developers, Joe Stringer

On Sat, Aug 24, 2019 at 9:58 AM Justin Pettit <jpettit@ovn.org> wrote:
>
> Only the first fragment in a datagram contains the L4 headers.  When the
> Open vSwitch module parses a packet, it always sets the IP protocol
> field in the key, but can only set the L4 fields on the first fragment.
> The original behavior would not clear the L4 portion of the key, so
> garbage values would be sent in the key for "later" fragments.  This
> patch clears the L4 fields in that circumstance to prevent sending those
> garbage values as part of the upcall.
>
> Signed-off-by: Justin Pettit <jpettit@ovn.org>
> ---
>  net/openvswitch/flow.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
> index bc89e16e0505..0fb2cec08523 100644
> --- a/net/openvswitch/flow.c
> +++ b/net/openvswitch/flow.c
> @@ -623,6 +623,7 @@ static int key_extract(struct sk_buff *skb, struct sw_flow_key *key)
>                 offset = nh->frag_off & htons(IP_OFFSET);
>                 if (offset) {
>                         key->ip.frag = OVS_FRAG_TYPE_LATER;
> +                       memset(&key->tp, 0, sizeof(key->tp));
>                         return 0;
>                 }
>                 if (nh->frag_off & htons(IP_MF) ||
> @@ -740,8 +741,10 @@ static int key_extract(struct sk_buff *skb, struct sw_flow_key *key)
>                         return error;
>                 }
>
> -               if (key->ip.frag == OVS_FRAG_TYPE_LATER)
> +               if (key->ip.frag == OVS_FRAG_TYPE_LATER) {
> +                       memset(&key->tp, 0, sizeof(key->tp));
>                         return 0;
> +               }
>                 if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP)
>                         key->ip.frag = OVS_FRAG_TYPE_FIRST;
>

Looks good to me.

Acked-by: Pravin B Shelar <pshelar@ovn.org>

Thanks,
Pravin.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH net 1/2] openvswitch: Properly set L4 keys on "later" IP fragments.
  2019-08-25 16:54 ` [PATCH net 1/2] openvswitch: Properly set L4 keys on "later" IP fragments Pravin Shelar
@ 2019-08-25 20:40   ` Pravin Shelar
  2019-08-25 21:52     ` David Miller
  2019-08-26 18:42     ` Justin Pettit
  0 siblings, 2 replies; 7+ messages in thread
From: Pravin Shelar @ 2019-08-25 20:40 UTC (permalink / raw)
  To: Justin Pettit; +Cc: Linux Kernel Network Developers, Joe Stringer

On Sun, Aug 25, 2019 at 9:54 AM Pravin Shelar <pshelar@ovn.org> wrote:
>
> On Sat, Aug 24, 2019 at 9:58 AM Justin Pettit <jpettit@ovn.org> wrote:
> >
> > When IP fragments are reassembled before being sent to conntrack, the
> > key from the last fragment is used.  Unless there are reordering
> > issues, the last fragment received will not contain the L4 ports, so the
> > key for the reassembled datagram won't contain them.  This patch updates
> > the key once we have a reassembled datagram.
> >
> > Signed-off-by: Justin Pettit <jpettit@ovn.org>
> > ---
> >  net/openvswitch/conntrack.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
> > index 848c6eb55064..f40ad2a42086 100644
> > --- a/net/openvswitch/conntrack.c
> > +++ b/net/openvswitch/conntrack.c
> > @@ -524,6 +524,10 @@ static int handle_fragments(struct net *net, struct sw_flow_key *key,
> >                 return -EPFNOSUPPORT;
> >         }
> >
> > +       /* The key extracted from the fragment that completed this datagram
> > +        * likely didn't have an L4 header, so regenerate it. */
> > +       ovs_flow_key_update(skb, key);
> > +
> >         key->ip.frag = OVS_FRAG_TYPE_NONE;
> >         skb_clear_hash(skb);
> >         skb->ignore_df = 1;
> > --
>
> Looks good to me.
>
> Acked-by: Pravin B Shelar <pshelar@ovn.org>
>
Actually I am not sure about this change. caller of this function
(ovs_ct_execute()) does skb-pull and push of L2 header, calling
ovs_flow_key_update() is not safe here, it expect skb data to point to
L2 header.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH net 1/2] openvswitch: Properly set L4 keys on "later" IP fragments.
  2019-08-25 20:40   ` Pravin Shelar
@ 2019-08-25 21:52     ` David Miller
  2019-08-26 18:42     ` Justin Pettit
  1 sibling, 0 replies; 7+ messages in thread
From: David Miller @ 2019-08-25 21:52 UTC (permalink / raw)
  To: pshelar; +Cc: jpettit, netdev, joe

From: Pravin Shelar <pshelar@ovn.org>
Date: Sun, 25 Aug 2019 13:40:58 -0700

> On Sun, Aug 25, 2019 at 9:54 AM Pravin Shelar <pshelar@ovn.org> wrote:
>>
>> On Sat, Aug 24, 2019 at 9:58 AM Justin Pettit <jpettit@ovn.org> wrote:
>> >
>> > When IP fragments are reassembled before being sent to conntrack, the
>> > key from the last fragment is used.  Unless there are reordering
>> > issues, the last fragment received will not contain the L4 ports, so the
>> > key for the reassembled datagram won't contain them.  This patch updates
>> > the key once we have a reassembled datagram.
>> >
>> > Signed-off-by: Justin Pettit <jpettit@ovn.org>
>> > ---
>> >  net/openvswitch/conntrack.c | 4 ++++
>> >  1 file changed, 4 insertions(+)
>> >
>> > diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c
>> > index 848c6eb55064..f40ad2a42086 100644
>> > --- a/net/openvswitch/conntrack.c
>> > +++ b/net/openvswitch/conntrack.c
>> > @@ -524,6 +524,10 @@ static int handle_fragments(struct net *net, struct sw_flow_key *key,
>> >                 return -EPFNOSUPPORT;
>> >         }
>> >
>> > +       /* The key extracted from the fragment that completed this datagram
>> > +        * likely didn't have an L4 header, so regenerate it. */
>> > +       ovs_flow_key_update(skb, key);
>> > +
>> >         key->ip.frag = OVS_FRAG_TYPE_NONE;
>> >         skb_clear_hash(skb);
>> >         skb->ignore_df = 1;
>> > --
>>
>> Looks good to me.
>>
>> Acked-by: Pravin B Shelar <pshelar@ovn.org>
>>
> Actually I am not sure about this change. caller of this function
> (ovs_ct_execute()) does skb-pull and push of L2 header, calling
> ovs_flow_key_update() is not safe here, it expect skb data to point to
> L2 header.

Agreed, also the comment needs to be formatted properly ala:

	/* blah
	 * blah
	 */

instead of:

	/* blah
	 * blah */

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH net 1/2] openvswitch: Properly set L4 keys on "later" IP fragments.
  2019-08-25 20:40   ` Pravin Shelar
  2019-08-25 21:52     ` David Miller
@ 2019-08-26 18:42     ` Justin Pettit
  1 sibling, 0 replies; 7+ messages in thread
From: Justin Pettit @ 2019-08-26 18:42 UTC (permalink / raw)
  To: Pravin Shelar, David Miller
  Cc: Linux Kernel Network Developers, Joe Stringer, Greg Rose


> On Aug 25, 2019, at 1:40 PM, Pravin Shelar <pshelar@ovn.org> wrote:
> 
> Actually I am not sure about this change. caller of this function
> (ovs_ct_execute()) does skb-pull and push of L2 header, calling
> ovs_flow_key_update() is not safe here, it expect skb data to point to
> L2 header.

Thanks for the feedback, Pravin and David.  Greg Rose has a revised version that will address the issues you raised and also make it so that we don't bother re-extracting the L2 headers.  He'll hopefully get that out today once we've done some internal testing on it.

--Justin



^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2019-08-26 18:42 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-24 16:58 [PATCH net 1/2] openvswitch: Properly set L4 keys on "later" IP fragments Justin Pettit
2019-08-24 16:58 ` [PATCH net 2/2] openvswitch: Clear the L4 portion of the key for "later" fragments Justin Pettit
2019-08-25 17:00   ` Pravin Shelar
2019-08-25 16:54 ` [PATCH net 1/2] openvswitch: Properly set L4 keys on "later" IP fragments Pravin Shelar
2019-08-25 20:40   ` Pravin Shelar
2019-08-25 21:52     ` David Miller
2019-08-26 18:42     ` Justin Pettit

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).