Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3093473imu; Sun, 6 Jan 2019 18:44:24 -0800 (PST) X-Google-Smtp-Source: ALg8bN4oMrAF8G5DeEDEyTJX0KCV0b1+6W9BWh78cjU7/VA/6S9LnurdsKSc89fs7BafT26KLY3h X-Received: by 2002:a17:902:4a0c:: with SMTP id w12mr60109941pld.8.1546829064173; Sun, 06 Jan 2019 18:44:24 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1546829064; cv=none; d=google.com; s=arc-20160816; b=JA0BlW0vBOZMl2kAMy7IOnV3GJ1t92FwRClevVGNXDJA8i+CoOI7jhS6igMOUKfyhV va4CAawhmxfsHxl7NWGlQc/A7DqD4snIaQ9nM0r2IOTpr3/RB+lnDg59ueNTdi8AgrbO YclzdxW0nnC63zxKJU8KymoRevcQh6IlrmkOeI2Isiv5nvQ8Au9uDY27+dp2bk1jk7sV Q2P3dBGn9RWq6//UZIy1kvPl/mHKLdW93RTsTV/09HmUwLXasSv7q+HzJoDO7OLuQJ1H fPtbbXrBLsANNEN0Cf6eJUjpk0oqi+GBakJEib6efqjVMr3kbgfvoGgMNL32pWMVizso Bm+g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:date:subject:cc :to:from; bh=yy+WnWTEfIcc2T2yA81zoAR5ykW10m2aIpG0cBbiYWE=; b=OK/v7dm6idsJ1Sqf3n1lVsXXjGVCR7pRuaNQf8gR3Vnn08Cyot7KQWkuFtvrqjF2oD 2aioJjFo8v2w4yJYXosrFnzR2XOVvAl+uENQjwrARnyASE2qZSeu7OcF/BiPHqgMIfWC dBTcgpQGRI/VOkYYRQJmiz6To02jg9VEDQ2jWnZX1fdSnSSA8SUk+Ss3hOi0cxiMv0k2 3Sxg7zEYZCH7urB2MTX7g4d6OuUsu1brCQPNzgFa332q6wKVP3L90Q4J7oSggHx/5PaG +1BuEhv2vQKXJ0PhqoY5kcJSWt7m4YkzDwZT7xcjst9LYsohh+k8CK1+mmHJCC/CVn1Y Vv2g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b19si16403305pfm.100.2019.01.06.18.44.09; Sun, 06 Jan 2019 18:44:24 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726510AbfAGCbz (ORCPT + 99 others); Sun, 6 Jan 2019 21:31:55 -0500 Received: from mail.cn.fujitsu.com ([183.91.158.132]:43985 "EHLO heian.cn.fujitsu.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726180AbfAGCby (ORCPT ); Sun, 6 Jan 2019 21:31:54 -0500 X-IronPort-AV: E=Sophos;i="5.56,449,1539619200"; d="scan'208";a="51434766" Received: from unknown (HELO cn.fujitsu.com) ([10.167.33.5]) by heian.cn.fujitsu.com with ESMTP; 07 Jan 2019 10:31:49 +0800 Received: from G08CNEXCHPEKD03.g08.fujitsu.local (unknown [10.167.33.85]) by cn.fujitsu.com (Postfix) with ESMTP id 273B34B7D68F; Mon, 7 Jan 2019 10:31:44 +0800 (CST) Received: from ubuntu.g08.fujitsu.local (10.167.225.53) by G08CNEXCHPEKD03.g08.fujitsu.local (10.167.33.89) with Microsoft SMTP Server (TLS) id 14.3.408.0; Mon, 7 Jan 2019 10:31:47 +0800 From: Su Yanjun To: , , , , CC: , , , Subject: [PATCH v2] vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel Date: Sun, 6 Jan 2019 21:31:20 -0500 Message-ID: <1546828280-26039-1-git-send-email-suyj.fnst@cn.fujitsu.com> X-Mailer: git-send-email 2.7.4 MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.167.225.53] X-yoursite-MailScanner-ID: 273B34B7D68F.ADDC2 X-yoursite-MailScanner: Found to be clean X-yoursite-MailScanner-From: suyj.fnst@cn.fujitsu.com X-Spam-Status: No Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Recently we run a network test over ipcomp virtual tunnel.We find that if a ipv4 packet needs fragment, then the peer can't receive it. We deep into the code and find that when packet need fragment the smaller fragment will be encapsulated by ipip not ipcomp. So when the ipip packet goes into xfrm, it's skb->dev is not properly set. The ipv4 reassembly code always set skb'dev to the last fragment's dev. After ipv4 defrag processing, when the kernel rp_filter parameter is set, the skb will be drop by -EXDEV error. This patch adds compatible support for the ipip process in ipcomp virtual tunnel. Signed-off-by: Su Yanjun --- Based on Linus' master branch. Changes from v1: - use a separate handler for ipip packet processing in ipcomp virtual tunnel net/ipv4/ip_vti.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c index de31b30..d155a51 100644 --- a/net/ipv4/ip_vti.c +++ b/net/ipv4/ip_vti.c @@ -74,6 +74,33 @@ static int vti_input(struct sk_buff *skb, int nexthdr, __be32 spi, return 0; } +static int vti_input_ipip(struct sk_buff *skb, int nexthdr, __be32 spi, + int encap_type) +{ + struct ip_tunnel *tunnel; + const struct iphdr *iph = ip_hdr(skb); + struct net *net = dev_net(skb->dev); + struct ip_tunnel_net *itn = net_generic(net, vti_net_id); + + tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY, + iph->saddr, iph->daddr, 0); + if (tunnel) { + if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) + goto drop; + + XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel; + + skb->dev = tunnel->dev; + + return xfrm_input(skb, nexthdr, spi, encap_type); + } + + return -EINVAL; +drop: + kfree_skb(skb); + return 0; +} + static int vti_rcv(struct sk_buff *skb) { XFRM_SPI_SKB_CB(skb)->family = AF_INET; @@ -82,6 +109,14 @@ static int vti_rcv(struct sk_buff *skb) return vti_input(skb, ip_hdr(skb)->protocol, 0, 0); } +static int vti_rcv_ipip(struct sk_buff *skb) +{ + XFRM_SPI_SKB_CB(skb)->family = AF_INET; + XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr); + + return vti_input_ipip(skb, ip_hdr(skb)->protocol, ip_hdr(skb)->saddr, 0); +} + static int vti_rcv_cb(struct sk_buff *skb, int err) { unsigned short family; @@ -429,6 +464,12 @@ static struct xfrm4_protocol vti_ipcomp4_protocol __read_mostly = { .priority = 100, }; +static struct xfrm_tunnel ipip_handler __read_mostly = { + .handler = vti_rcv_ipip, + .err_handler = vti4_err, + .priority = 0, +}; + static int __net_init vti_init_net(struct net *net) { int err; @@ -597,6 +638,13 @@ static int __init vti_init(void) if (err < 0) goto xfrm_proto_comp_failed; + msg = "ipip tunnel"; + err = xfrm4_tunnel_register(&ipip_handler, AF_INET); + if (err < 0) { + pr_info("%s: cant't register tunnel\n",__func__); + goto xfrm_tunnel_failed; + } + msg = "netlink interface"; err = rtnl_link_register(&vti_link_ops); if (err < 0) @@ -606,6 +654,8 @@ static int __init vti_init(void) rtnl_link_failed: xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP); +xfrm_tunnel_failed: + xfrm4_tunnel_deregister(&ipip_handler, AF_INET); xfrm_proto_comp_failed: xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH); xfrm_proto_ah_failed: -- 2.7.4