* [PATCH net v2] xfrm: fix policy lookup for ipv6 gre packets
[not found] <20211119170402.11213-1-nicolas.dichtel@6wind.com>
@ 2021-11-19 17:20 ` Nicolas Dichtel
2021-11-25 9:29 ` Steffen Klassert
From: Nicolas Dichtel @ 2021-11-19 17:20 UTC (permalink / raw)
To: steffen.klassert, herbert
Cc: davem, kuba, netdev, Ghalem Boudour, stable, Nicolas Dichtel
From: Ghalem Boudour <ghalem.boudour@6wind.com>
On the egress side, the xfrm lookup is called from __gre6_xmit() with the
fl6_gre_key field not initialized, leading to policy selector check
failures. Consequently, gre packets are sent without encryption.
On the ingress side, INET6_PROTO_NOPOLICY was set, thus packets were not
checked against xfrm policies. As on the egress side, fl6_gre_key should be
correctly set; this is now done in decode_session6().
Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Cc: stable@vger.kernel.org
Signed-off-by: Ghalem Boudour <ghalem.boudour@6wind.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
This patch targets the ipsec tree, but because this tree has not yet been
rebased on top of the net tree, I based the patch on top of net.
v1 -> v2
Add 'Cc: stable@vger.kernel.org'
net/ipv6/ip6_gre.c | 5 ++++-
net/xfrm/xfrm_policy.c | 21 +++++++++++++++++++++
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index d831d2439693..f5a511c57aa2 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -755,6 +755,7 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb,
fl6->daddr = key->u.ipv6.dst;
fl6->flowlabel = key->label;
fl6->flowi6_uid = sock_net_uid(dev_net(dev), NULL);
+ fl6->fl6_gre_key = tunnel_id_to_key32(key->tun_id);
dsfield = key->tos;
flags = key->tun_flags &
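Review bot: fl6_gre_key is filled from key->tun_id unconditionally, while the ingress side in decode_session6() only records a key when GRE_KEY is present in the header, so a collect_md tunnel carrying a non-zero tun_id without TUNNEL_KEY in key->tun_flags would be looked up with a key on egress and without one on ingress. Since `flags = key->tun_flags &` is computed right below this line anyway, guard the assignment with `if (key->tun_flags & TUNNEL_KEY)` so both directions agree on what "unkeyed" means.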
@@ -990,6 +991,7 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
fl6.daddr = key->u.ipv6.dst;
fl6.flowlabel = key->label;
fl6.flowi6_uid = sock_net_uid(dev_net(dev), NULL);
+ fl6.fl6_gre_key = tunnel_id_to_key32(key->tun_id);
dsfield = key->tos;
if (!(tun_info->key.tun_flags & TUNNEL_ERSPAN_OPT))
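Review bot: same unconditional assignment as in __gre6_xmit(), with the same TUNNEL_KEY caveat. Both hunks copy daddr, flowlabel, flowi6_uid and now fl6_gre_key from the same `key`; factoring that flowi6 fill into one helper shared by __gre6_xmit() and ip6erspan_tunnel_xmit() would keep the two paths from drifting apart again the way fl6_gre_key did.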
@@ -1098,6 +1100,7 @@ static void ip6gre_tnl_link_config_common(struct ip6_tnl *t)
fl6->flowi6_oif = p->link;
fl6->flowlabel = 0;
fl6->flowi6_proto = IPPROTO_GRE;
+ fl6->fl6_gre_key = t->parms.o_key;
if (!(p->flags&IP6_TNL_F_USE_ORIG_TCLASS))
fl6->flowlabel |= IPV6_TCLASS_MASK & p->flowinfo;
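Review bot: a one-line comment above `fl6->fl6_gre_key = t->parms.o_key;` stating that the key is needed for xfrm policy selector matching would help, since the field silently defaulted to zero for years without anyone noticing. Also worth confirming in the changelog that the non-collect_md ERSPAN path reaches ip6gre_tnl_link_config_common() too, so that ip6erspan_tunnel_xmit() is fixed in both its collect_md and its configured-tunnel form.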
@@ -1544,7 +1547,7 @@ static void ip6gre_fb_tunnel_init(struct net_device *dev)
static struct inet6_protocol ip6gre_protocol __read_mostly = {
.handler = gre_rcv,
.err_handler = ip6gre_err,
- .flags = INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
+ .flags = INET6_PROTO_FINAL,
};
static void ip6gre_destroy_tunnels(struct net *net, struct list_head *head)
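Review bot: dropping INET6_PROTO_NOPOLICY is a user-visible behaviour change for every receiver of IPv6 GRE, not only for IPsec users: packets that were previously delivered unconditionally are now subjected to the xfrm input policy check, so a host with a blocking input policy that covers proto GRE will start dropping them. The commit message should state this explicitly, especially since the patch is tagged for stable.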
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 1a06585022ab..84d2361da015 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -33,6 +33,7 @@
#include <net/flow.h>
#include <net/xfrm.h>
#include <net/ip.h>
+#include <net/gre.h>
#if IS_ENABLED(CONFIG_IPV6_MIP6)
#include <net/mip6.h>
#endif
@@ -3422,6 +3423,26 @@ decode_session6(struct sk_buff *skb, struct flowi *fl, bool reverse)
}
fl6->flowi6_proto = nexthdr;
return;
+ case IPPROTO_GRE:
+ if (!onlyproto &&
+ (nh + offset + 12 < skb->data ||
+ pskb_may_pull(skb, nh + offset + 12 - skb->data))) {
+ struct gre_base_hdr *gre_hdr;
+ __be32 *gre_key;
+
+ nh = skb_network_header(skb);
+ gre_hdr = (struct gre_base_hdr *)(nh + offset);
+ gre_key = (__be32 *)(gre_hdr + 1);
+
+ if (gre_hdr->flags & GRE_KEY) {
+ if (gre_hdr->flags & GRE_CSUM)
+ gre_key++;
+ fl6->fl6_gre_key = *gre_key;
+ }
+ }
+ fl6->flowi6_proto = nexthdr;
+ return;
+
#if IS_ENABLED(CONFIG_IPV6_MIP6)
case IPPROTO_MH:
offset += ipv6_optlen(exthdr);
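Review bot: the 12-byte pull is sized for a header carrying both GRE_CSUM and GRE_KEY, so a keyed, checksum-less GRE header that is exactly 8 bytes long (key present, no checksum, no payload) fails `pskb_may_pull(skb, nh + offset + 12 - skb->data)` and the packet is looked up with fl6_gre_key untouched, i.e. as unkeyed. Either pull 8 bytes, read the flags, and pull 4 more only when GRE_CSUM is set, or add a comment saying that a payload-less keyed packet is deliberately not matched. Ignoring `reverse` here is fine since the key sits in the same place in both directions, but a short comment saying so would save the next reader the check.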
--
2.33.0
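The ingress half of the fix above depends on locating the GRE key correctly: the key word moves by four bytes when the checksum flag is set, and the lookup must not read past the bytes actually present. The following user-space parser is an added example, written for this page and not part of the patch or of the kernel's own decode_session6(); it uses the same flag layout (GRE_CSUM, GRE_KEY, GRE_SEQ from RFC 2890) and keeps the key in network byte order, as fl6_gre_key does. The sample packets are constructed inline for the demonstration; the function names are hypothetical. It pulls only the bytes the flags announce, so the 8-byte keyed header edge case is accepted rather than treated as unkeyed.

```c
/* Added example, not kernel code: extract the GRE key that an xfrm
 * selector lookup needs, respecting the optional checksum word and
 * the available length. Constructed packets are used for testing. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Flag bits in the first 16-bit word of the GRE header (host order). */
#define GRE_FLAG_CSUM 0x8000u
#define GRE_FLAG_KEY  0x2000u
#define GRE_FLAG_SEQ  0x1000u

struct gre_key_info {
	bool hdr_ok;      /* all fields announced by the flags are present */
	bool has_key;     /* GRE_KEY flag set and key word readable */
	uint32_t key;     /* network byte order, like fl6_gre_key */
	size_t hdr_len;   /* header length implied by the flags */
};

/* Parse a GRE header at buf[0..len). Unlike a fixed 12-byte pull, this
 * only requires the bytes the flags actually announce, so a keyed,
 * checksum-less header that is exactly 8 bytes long is accepted. */
struct gre_key_info gre_extract_key(const uint8_t *buf, size_t len)
{
	struct gre_key_info r = { false, false, 0, 4 };
	uint16_t flags;
	size_t off = 4;     /* base header: flags/version + protocol type */
	size_t key_off;

	if (len < 4)
		return r;
	memcpy(&flags, buf, sizeof(flags));
	flags = ntohs(flags);

	if (flags & GRE_FLAG_CSUM)
		off += 4;   /* checksum + reserved1 precede the key */
	key_off = off;
	if (flags & GRE_FLAG_KEY)
		off += 4;
	if (flags & GRE_FLAG_SEQ)
		off += 4;
	r.hdr_len = off;

	if (len < off)
		return r;   /* truncated: key must not be trusted */
	r.hdr_ok = true;

	if (flags & GRE_FLAG_KEY) {
		r.has_key = true;
		memcpy(&r.key, buf + key_off, sizeof(r.key)); /* keep net order */
	}
	return r;
}

/* Constructed sample headers (protocol type 0x86dd = IPv6 payload). */
static const uint8_t pkt_keyed[] = {        /* GRE_KEY, key 300, no payload */
	0x20, 0x00, 0x86, 0xdd, 0x00, 0x00, 0x01, 0x2c
};
static const uint8_t pkt_keyed_csum[] = {   /* GRE_CSUM|GRE_KEY, key 300 */
	0xa0, 0x00, 0x86, 0xdd, 0x12, 0x34, 0x00, 0x00,
	0x00, 0x00, 0x01, 0x2c, 0x60                  /* first payload byte */
};
static const uint8_t pkt_plain[] = {        /* no flags, IPv6 payload begins */
	0x00, 0x00, 0x86, 0xdd, 0x60, 0x00, 0x00, 0x00
};

int main(void)
{
	struct gre_key_info k = gre_extract_key(pkt_keyed, sizeof(pkt_keyed));
	printf("keyed: ok=%d key=%u hdr_len=%zu\n", k.hdr_ok, ntohl(k.key), k.hdr_len);
	k = gre_extract_key(pkt_keyed_csum, sizeof(pkt_keyed_csum));
	printf("keyed+csum: ok=%d key=%u hdr_len=%zu\n", k.hdr_ok, ntohl(k.key), k.hdr_len);
	k = gre_extract_key(pkt_keyed, 7);
	printf("truncated: ok=%d has_key=%d\n", k.hdr_ok, k.has_key);
	k = gre_extract_key(pkt_plain, sizeof(pkt_plain));
	printf("plain: ok=%d has_key=%d\n", k.hdr_ok, k.has_key);
	return 0;
}
```

A policy selector keyed on the GRE key should only be consulted when `hdr_ok` is true; when the header is truncated the safe choice is to treat the packet as not matching any keyed selector rather than to read whatever happens to follow the buffer.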
* Re: [PATCH net v2] xfrm: fix policy lookup for ipv6 gre packets
2021-11-19 17:20 ` [PATCH net v2] xfrm: fix policy lookup for ipv6 gre packets Nicolas Dichtel
@ 2021-11-25 9:29 ` Steffen Klassert
From: Steffen Klassert @ 2021-11-25 9:29 UTC (permalink / raw)
To: Nicolas Dichtel; +Cc: herbert, davem, kuba, netdev, Ghalem Boudour, stable
On Fri, Nov 19, 2021 at 06:20:16PM +0100, Nicolas Dichtel wrote:
> From: Ghalem Boudour <ghalem.boudour@6wind.com>
>
> On the egress side, the xfrm lookup is called from __gre6_xmit() with the
> fl6_gre_key field not initialized, leading to policy selector check
> failures. Consequently, gre packets are sent without encryption.
>
> On the ingress side, INET6_PROTO_NOPOLICY was set, thus packets were not
> checked against xfrm policies. As on the egress side, fl6_gre_key should be
> correctly set; this is now done in decode_session6().
>
> Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
> Cc: stable@vger.kernel.org
> Signed-off-by: Ghalem Boudour <ghalem.boudour@6wind.com>
> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Patch applied, thanks a lot!