lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 25 Jun 2021 15:32:59 +0200
From:   Guillaume Nault <gnault@...hat.com>
To:     David Miller <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>
Cc:     netdev@...r.kernel.org,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        David Ahern <dsahern@...nel.org>,
        Simon Horman <simon.horman@...ronome.com>,
        Martin Varghese <martin.varghese@...ia.com>,
        Eli Cohen <elic@...dia.com>, Jiri Benc <jbenc@...hat.com>,
        Tom Herbert <tom@...bertland.com>,
        Pablo Neira Ayuso <pablo@...filter.org>,
        Harald Welte <laforge@...monks.org>,
        Andreas Schultz <aschultz@...p.net>,
        Jonas Bonn <jonas@...rbonn.se>
Subject: [PATCH net-next 0/6] net: reset MAC header consistently across L3
 virtual devices

Some virtual L3 devices, like vxlan-gpe and gre (in collect_md mode),
reset the MAC header pointer after they parsed the outer headers. This
accurately reflects the fact that the decapsulated packet is pure L3
packet, as that makes the MAC header 0 bytes long (the MAC and network
header pointers are equal).

However, many L3 devices only adjust the network header after
decapsulation and leave the MAC header pointer to its original value.
This can confuse other parts of the networking stack, like TC, which
then considers the outer headers as one big MAC header.

This patch series makes the following L3 tunnels behave like VXLAN-GPE:
bareudp, ipip, sit, gre, ip6gre, ip6tnl, gtp.

The case of gre is a bit special. It already resets the MAC header
pointer in collect_md mode, so only the classical mode needs to be
adjusted. However, gre also has a special case that expects the MAC
header pointer to keep pointing to the outer header even after
decapsulation. Therefore, patch 4 keeps an exception for this case.

Ideally, we'd centralise the call to skb_reset_mac_header() in
ip_tunnel_rcv(), to avoid manual calls in ipip (patch 2),
sit (patch 3) and gre (patch 4). That's unfortunately not feasible
currently, because of the gre special case discussed above that
precludes us from resetting the MAC header unconditionally.

The original motivation is to redirect bareudp packets to Ethernet
devices (as described in patch 1). The rest of this series aims at
bringing consistency across all L3 devices (apart from gre's special
case unfortunately).

Note: the gtp patch results from pure code inspection and has been
compiled tested only.


Guillaume Nault (6):
  bareudp: allow redirecting bareudp packets to eth devices
  ipip: allow redirecting ipip and mplsip packets to eth devices
  sit: allow redirecting ip6ip, ipip and mplsip packets to eth devices
  gre: let mac_header point to outer header only when necessary
  ip6_tunnel: allow redirecting ip6gre and ipxip6 packets to eth devices
  gtp: reset mac_header after decap

 drivers/net/bareudp.c | 1 +
 drivers/net/gtp.c     | 1 +
 net/ipv4/ip_gre.c     | 7 ++++++-
 net/ipv4/ipip.c       | 2 ++
 net/ipv6/ip6_tunnel.c | 1 +
 net/ipv6/sit.c        | 4 ++++
 6 files changed, 15 insertions(+), 1 deletion(-)

-- 
2.21.3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ