[PATCH ipsec] xfrm: interface: fix the priorities for ipip and ipv6 tunnels

[PATCH ipsec] xfrm: interface: fix the priorities for ipip and ipv6 tunnels

[Xin Long]

As Nicolas noticed in his case, when xfrm_interface module is installed
the standard IP tunnels will break in receiving packets.

This is caused by the IP tunnel handlers with a higher priority in xfrm
interface processing incoming packets by xfrm_input(), which would drop
the packets and return 0 instead when anything wrong happens.

Rather than changing xfrm_input(), this patch is to adjust the priority
for the IP tunnel handlers in xfrm interface, so that the packets would
go to xfrmi's later than the others', as the others' would not drop the
packets when the handlers couldn't process them.

Note that IPCOMP also defines its own IPIP tunnel handler and it calls
xfrm_input() as well, so we must make its priority lower than xfrmi's,
which means having xfrmi loaded would still break IPCOMP. We may seek
another way to fix it in xfrm_input() in the future.

Reported-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Tested-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Fixes: da9bbf0598c9 ("xfrm: interface: support IPIP and IPIP6 tunnels processing with .cb_handler")
FIxes: d7b360c2869f ("xfrm: interface: support IP6IP6 and IP6IP tunnels processing with .cb_handler")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
 net/ipv4/xfrm4_tunnel.c   | 4 ++--
 net/ipv6/xfrm6_tunnel.c   | 4 ++--
 net/xfrm/xfrm_interface.c | 8 ++++----
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/net/ipv4/xfrm4_tunnel.c b/net/ipv4/xfrm4_tunnel.c
index dc19aff..fb0648e 100644
--- a/net/ipv4/xfrm4_tunnel.c
+++ b/net/ipv4/xfrm4_tunnel.c
@@ -64,14 +64,14 @@ static int xfrm_tunnel_err(struct sk_buff *skb, u32 info)
 static struct xfrm_tunnel xfrm_tunnel_handler __read_mostly = {
 	.handler	=	xfrm_tunnel_rcv,
 	.err_handler	=	xfrm_tunnel_err,
-	.priority	=	3,
+	.priority	=	4,
 };
 
 #if IS_ENABLED(CONFIG_IPV6)
 static struct xfrm_tunnel xfrm64_tunnel_handler __read_mostly = {
 	.handler	=	xfrm_tunnel_rcv,
 	.err_handler	=	xfrm_tunnel_err,
-	.priority	=	2,
+	.priority	=	3,
 };
 #endif
 
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 25b7ebd..f696d46 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -303,13 +303,13 @@ static const struct xfrm_type xfrm6_tunnel_type = {
 static struct xfrm6_tunnel xfrm6_tunnel_handler __read_mostly = {
 	.handler	= xfrm6_tunnel_rcv,
 	.err_handler	= xfrm6_tunnel_err,
-	.priority	= 2,
+	.priority	= 3,
 };
 
 static struct xfrm6_tunnel xfrm46_tunnel_handler __read_mostly = {
 	.handler	= xfrm6_tunnel_rcv,
 	.err_handler	= xfrm6_tunnel_err,
-	.priority	= 2,
+	.priority	= 3,
 };
 
 static int __net_init xfrm6_tunnel_net_init(struct net *net)
diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
index a8f6611..0bb7963 100644
--- a/net/xfrm/xfrm_interface.c
+++ b/net/xfrm/xfrm_interface.c
@@ -830,14 +830,14 @@ static struct xfrm6_tunnel xfrmi_ipv6_handler __read_mostly = {
 	.handler	=	xfrmi6_rcv_tunnel,
 	.cb_handler	=	xfrmi_rcv_cb,
 	.err_handler	=	xfrmi6_err,
-	.priority	=	-1,
+	.priority	=	2,
 };
 
 static struct xfrm6_tunnel xfrmi_ip6ip_handler __read_mostly = {
 	.handler	=	xfrmi6_rcv_tunnel,
 	.cb_handler	=	xfrmi_rcv_cb,
 	.err_handler	=	xfrmi6_err,
-	.priority	=	-1,
+	.priority	=	2,
 };
 #endif
 
@@ -875,14 +875,14 @@ static struct xfrm_tunnel xfrmi_ipip_handler __read_mostly = {
 	.handler	=	xfrmi4_rcv_tunnel,
 	.cb_handler	=	xfrmi_rcv_cb,
 	.err_handler	=	xfrmi4_err,
-	.priority	=	-1,
+	.priority	=	3,
 };
 
 static struct xfrm_tunnel xfrmi_ipip6_handler __read_mostly = {
 	.handler	=	xfrmi4_rcv_tunnel,
 	.cb_handler	=	xfrmi_rcv_cb,
 	.err_handler	=	xfrmi4_err,
-	.priority	=	-1,
+	.priority	=	2,
 };
 #endif
 
-- 
2.1.0

Re: [PATCH ipsec] xfrm: interface: fix the priorities for ipip and ipv6 tunnels

[Steffen Klassert]

On Thu, Oct 08, 2020 at 04:13:24PM +0800, Xin Long wrote:
> As Nicolas noticed in his case, when xfrm_interface module is installed
> the standard IP tunnels will break in receiving packets.
> 
> This is caused by the IP tunnel handlers with a higher priority in xfrm
> interface processing incoming packets by xfrm_input(), which would drop
> the packets and return 0 instead when anything wrong happens.
> 
> Rather than changing xfrm_input(), this patch is to adjust the priority
> for the IP tunnel handlers in xfrm interface, so that the packets would
> go to xfrmi's later than the others', as the others' would not drop the
> packets when the handlers couldn't process them.
> 
> Note that IPCOMP also defines its own IPIP tunnel handler and it calls
> xfrm_input() as well, so we must make its priority lower than xfrmi's,
> which means having xfrmi loaded would still break IPCOMP. We may seek
> another way to fix it in xfrm_input() in the future.
> 
> Reported-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
> Tested-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
> Fixes: da9bbf0598c9 ("xfrm: interface: support IPIP and IPIP6 tunnels processing with .cb_handler")
> FIxes: d7b360c2869f ("xfrm: interface: support IP6IP6 and IP6IP tunnels processing with .cb_handler")
> Signed-off-by: Xin Long <lucien.xin@gmail.com>

Applied, thanks a lot Xin!

Re: [PATCH ipsec] xfrm: interface: fix the priorities for ipip and ipv6 tunnels

[Nicolas Dichtel]

Le 13/10/2020 à 11:28, Steffen Klassert a écrit :
> On Thu, Oct 08, 2020 at 04:13:24PM +0800, Xin Long wrote:
>> As Nicolas noticed in his case, when xfrm_interface module is installed
>> the standard IP tunnels will break in receiving packets.
>>
>> This is caused by the IP tunnel handlers with a higher priority in xfrm
>> interface processing incoming packets by xfrm_input(), which would drop
>> the packets and return 0 instead when anything wrong happens.
>>
>> Rather than changing xfrm_input(), this patch is to adjust the priority
>> for the IP tunnel handlers in xfrm interface, so that the packets would
>> go to xfrmi's later than the others', as the others' would not drop the
>> packets when the handlers couldn't process them.
>>
>> Note that IPCOMP also defines its own IPIP tunnel handler and it calls
>> xfrm_input() as well, so we must make its priority lower than xfrmi's,
>> which means having xfrmi loaded would still break IPCOMP. We may seek
>> another way to fix it in xfrm_input() in the future.
>>
>> Reported-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
>> Tested-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
>> Fixes: da9bbf0598c9 ("xfrm: interface: support IPIP and IPIP6 tunnels processing with .cb_handler")
>> FIxes: d7b360c2869f ("xfrm: interface: support IP6IP6 and IP6IP tunnels processing with .cb_handler")
>> Signed-off-by: Xin Long <lucien.xin@gmail.com>
> 
> Applied, thanks a lot Xin!
> 
Is it possible to queue this for stable branches?


Thank you,
Nicolas

Re: [PATCH ipsec] xfrm: interface: fix the priorities for ipip and ipv6 tunnels

[Steffen Klassert]

On Tue, Oct 13, 2020 at 02:41:18PM +0200, Nicolas Dichtel wrote:
> Le 13/10/2020 à 11:28, Steffen Klassert a écrit :
> > On Thu, Oct 08, 2020 at 04:13:24PM +0800, Xin Long wrote:
> >> As Nicolas noticed in his case, when xfrm_interface module is installed
> >> the standard IP tunnels will break in receiving packets.
> >>
> >> This is caused by the IP tunnel handlers with a higher priority in xfrm
> >> interface processing incoming packets by xfrm_input(), which would drop
> >> the packets and return 0 instead when anything wrong happens.
> >>
> >> Rather than changing xfrm_input(), this patch is to adjust the priority
> >> for the IP tunnel handlers in xfrm interface, so that the packets would
> >> go to xfrmi's later than the others', as the others' would not drop the
> >> packets when the handlers couldn't process them.
> >>
> >> Note that IPCOMP also defines its own IPIP tunnel handler and it calls
> >> xfrm_input() as well, so we must make its priority lower than xfrmi's,
> >> which means having xfrmi loaded would still break IPCOMP. We may seek
> >> another way to fix it in xfrm_input() in the future.
> >>
> >> Reported-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
> >> Tested-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
> >> Fixes: da9bbf0598c9 ("xfrm: interface: support IPIP and IPIP6 tunnels processing with .cb_handler")
> >> FIxes: d7b360c2869f ("xfrm: interface: support IP6IP6 and IP6IP tunnels processing with .cb_handler")
> >> Signed-off-by: Xin Long <lucien.xin@gmail.com>
> > 
> > Applied, thanks a lot Xin!
> > 
> Is it possible to queue this for stable branches?

Yes, it will go to stable after it is intergated into the mainline.