Received: by 2002:a19:f614:0:0:0:0:0 with SMTP id x20csp62383lfe; Fri, 15 Apr 2022 19:36:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwxJPoADRlKqofw1UWgDzlriXADyWuebnpVicVHm3UOpqc34bTpjBUMpIv8SBBfK3pX18oN X-Received: by 2002:a17:90a:c7c5:b0:1cb:757c:3969 with SMTP id gf5-20020a17090ac7c500b001cb757c3969mr7169742pjb.146.1650076587081; Fri, 15 Apr 2022 19:36:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1650076587; cv=none; d=google.com; s=arc-20160816; b=FKU/bwLU8518fzbjN8HcczuW+h8236y36yoqaxeWRK+uwiU0MFAOFdp/krPAE1GszO 690UAz/nd2pogI63qG1TPcrs474S5YAxMy/3FhBw2FsGxdQHPHwb1o7m5poiC1/18mnF He4ZSmC3tRMGDStCEzQ6AsfMXm1JyxqHZW4aGGHLO2UZljRkf+5lldPKdfeMCJ53WZhm v2qNCI4IHtonEevUugb9fMtO+f91ibTJdDr85bTiobP334rvIFbos/8oE2PZLsT648ty 13eS7bwPCmjvkt9vy/Ak6u/o5r5QtvYu8nq3QZ5zc3hs5JuRcJbJ/HY2OzrAeOQJkKT4 VoBw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=wM+XB/L9YwVfVXNvq3c4u4NlK/RikpB/iCMKn+YlwN8=; b=feY/v4DJHEsi0U3eOrvlsZY0SBfceaddhR/KAjlsswJndzIzVlAt7gK65NFIpaMsVp l/KFIg+7vv/v/LbCXDtQITYhfNkWReBXaQlK7582MX6Xpv8SZf+DUvySBUZfmmTtJsyd 7IBmRFC7tM4FMNVyyEZHmHof9owKdKEJATNA9aO3H1QRmDH5UzKX/9UZt7JMOIZnjLLz pR0xLy6AN/oAKG+RVkGJGxS+X87Tl+XsOGzDat02fczWGWspVTaV57xTvYLzD7QuKUr0 1u8iQ45+9rmgN2TWYc+Iqpu5d+dBScDAiZqhi5C1MSeje0sAjqTAsJq2zMVg4mnNufkk HMiQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="seBMY/Gu"; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19]) by mx.google.com with ESMTPS id t71-20020a63814a000000b003816043eecesi2759259pgd.195.2022.04.15.19.36.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 15 Apr 2022 19:36:27 -0700 (PDT) Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="seBMY/Gu"; spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id D2187198; Fri, 15 Apr 2022 18:45:56 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243868AbiDNNSt (ORCPT + 99 others); Thu, 14 Apr 2022 09:18:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37418 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243732AbiDNNRt (ORCPT ); Thu, 14 Apr 2022 09:17:49 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3A751BE0; Thu, 14 Apr 2022 06:15:25 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id C89B3612ED; Thu, 14 Apr 2022 13:15:24 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id D57F9C385A1; Thu, 14 Apr 2022 13:15:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1649942124; bh=HRWp0DPtkLnjg5wRAjN9vQZy9JHLc0iQkk9SIi8PfKw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=seBMY/Gu6hOPbDR/0yBxODWcnpAkv0Qn8O2+acGQS0rdQbN5k8/GOXa2HJQ4mLw8H 24FKiZNqNm4fuQyrCC78huHxTDjiNxLjv8RGmKqmOLjtHA1atpEXQlxfje3eM52DIy jobgm+Riect8tXTDMqDFx+0sRwZNGoSJJrzXuJu8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Lina Wang , Steffen Klassert , Sasha Levin Subject: [PATCH 4.19 005/338] xfrm: fix tunnel model fragmentation behavior Date: Thu, 14 Apr 2022 15:08:28 +0200 Message-Id: <20220414110839.043714250@linuxfoundation.org> X-Mailer: git-send-email 2.35.2 In-Reply-To: <20220414110838.883074566@linuxfoundation.org> References: <20220414110838.883074566@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Lina Wang [ Upstream commit 4ff2980b6bd2aa6b4ded3ce3b7c0ccfab29980af ] in tunnel mode, if outer interface(ipv4) is less, it is easily to let inner IPV6 mtu be less than 1280. If so, a Packet Too Big ICMPV6 message is received. When send again, packets are fragmentized with 1280, they are still rejected with ICMPV6(Packet Too Big) by xfrmi_xmit2(). According to RFC4213 Section3.2.2: if (IPv4 path MTU - 20) is less than 1280 if packet is larger than 1280 bytes Send ICMPv6 "packet too big" with MTU=1280 Drop packet else Encapsulate but do not set the Don't Fragment flag in the IPv4 header. The resulting IPv4 packet might be fragmented by the IPv4 layer on the encapsulator or by some router along the IPv4 path. endif else if packet is larger than (IPv4 path MTU - 20) Send ICMPv6 "packet too big" with MTU = (IPv4 path MTU - 20). Drop packet. else Encapsulate and set the Don't Fragment flag in the IPv4 header. endif endif Packets should be fragmentized with ipv4 outer interface, so change it. After it is fragemtized with ipv4, there will be double fragmenation. No.48 & No.51 are ipv6 fragment packets, No.48 is double fragmentized, then tunneled with IPv4(No.49& No.50), which obey spec. And received peer cannot decrypt it rightly. 48 2002::10 2002::11 1296(length) IPv6 fragment (off=0 more=y ident=0xa20da5bc nxt=50) 49 0x0000 (0) 2002::10 2002::11 1304 IPv6 fragment (off=0 more=y ident=0x7448042c nxt=44) 50 0x0000 (0) 2002::10 2002::11 200 ESP (SPI=0x00035000) 51 2002::10 2002::11 180 Echo (ping) request 52 0x56dc 2002::10 2002::11 248 IPv6 fragment (off=1232 more=n ident=0xa20da5bc nxt=50) xfrm6_noneed_fragment has fixed above issues. Finally, it acted like below: 1 0x6206 192.168.1.138 192.168.1.1 1316 Fragmented IP protocol (proto=Encap Security Payload 50, off=0, ID=6206) [Reassembled in #2] 2 0x6206 2002::10 2002::11 88 IPv6 fragment (off=0 more=y ident=0x1f440778 nxt=50) 3 0x0000 2002::10 2002::11 248 ICMPv6 Echo (ping) request Signed-off-by: Lina Wang Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin --- net/ipv6/xfrm6_output.c | 16 ++++++++++++++++ net/xfrm/xfrm_interface.c | 5 ++++- 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c index b5941c9475f3..fbcec4827071 100644 --- a/net/ipv6/xfrm6_output.c +++ b/net/ipv6/xfrm6_output.c @@ -142,6 +142,19 @@ static int __xfrm6_output_finish(struct net *net, struct sock *sk, struct sk_buf return x->outer_mode->afinfo->output_finish(sk, skb); } +static int xfrm6_noneed_fragment(struct sk_buff *skb) +{ + struct frag_hdr *fh; + u8 prevhdr = ipv6_hdr(skb)->nexthdr; + + if (prevhdr != NEXTHDR_FRAGMENT) + return 0; + fh = (struct frag_hdr *)(skb->data + sizeof(struct ipv6hdr)); + if (fh->nexthdr == NEXTHDR_ESP || fh->nexthdr == NEXTHDR_AUTH) + return 1; + return 0; +} + static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb) { struct dst_entry *dst = skb_dst(skb); @@ -170,6 +183,9 @@ static int __xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb) xfrm6_local_rxpmtu(skb, mtu); kfree_skb(skb); return -EMSGSIZE; + } else if (toobig && xfrm6_noneed_fragment(skb)) { + skb->ignore_df = 1; + goto skip_frag; } else if (!skb->ignore_df && toobig && skb->sk) { xfrm_local_error(skb, mtu); kfree_skb(skb); diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c index 1ae8caca28a0..3c642328a117 100644 --- a/net/xfrm/xfrm_interface.c +++ b/net/xfrm/xfrm_interface.c @@ -300,7 +300,10 @@ xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl) if (mtu < IPV6_MIN_MTU) mtu = IPV6_MIN_MTU; - icmpv6_ndo_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu); + if (skb->len > 1280) + icmpv6_ndo_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu); + else + goto xmit; } else { if (!(ip_hdr(skb)->frag_off & htons(IP_DF))) goto xmit; -- 2.34.1