lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 13 Apr 2022 16:15:51 +0800
Subject: [PATCH net-next 0/9] net: ip: add skb drop reasons to ip ingress

From: Menglong Dong <>

In the series "net: use kfree_skb_reason() for ip/udp packet receive",
skb drop reasons are added to the basic ingress path of IPv4. And in
the series "net: use kfree_skb_reason() for ip/neighbour", the egress
paths of IPv4 and IPv6 are handled. Related links:

Seems we still have a lot work to do with IP layer, including IPv6 basic
ingress path, IPv4/IPv6 forwarding, IPv6 exthdrs, fragment and defrag,

In this series, skb drop reasons are added to the basic ingress path of
IPv6 protocol and IPv4/IPv6 packet forwarding. Following functions, which
are used for IPv6 packet receiving are handled:


And following functions that used for IPv6 TLV parse are handled:


Besides, ip_forward() and ip6_forward(), which are used for IPv4/IPv6
forwarding, are also handled. And following new drop reasons are added:

  /* host unreachable, corresponding to IPSTATS_MIB_INADDRERRORS */
  /* network unreachable, corresponding to IPSTATS_MIB_INADDRERRORS */
  /* packet size is too big, corresponding to

In order to simply the definition and assignment for
'enum skb_drop_reason', some helper functions are introduced in the 1th
patch. I'm not such if this is necessary, but it makes the code simpler.
For example, we can replace the code:

          reason = SKB_DROP_REASON_IP_INHDR;


  SKB_DR_OR(reason, IP_INHDR);

In the 6th patch, the statistics for skb in ipv6_hop_jum() is removed,
as I think it is redundant. There are two call chains for
ipv6_hop_jumbo(). The first one is:

  ipv6_destopt_rcv() -> ip6_parse_tlv() -> ipv6_hop_jumbo()

On this call chain, the drop statistics will be done in
ipv6_destopt_rcv() with 'IPSTATS_MIB_INHDRERRORS' if ipv6_hop_jumbo()
returns false.

The second call chain is:

  ip6_rcv_core() -> ipv6_parse_hopopts() -> ip6_parse_tlv()

And the drop statistics will also be done in ip6_rcv_core() with
'IPSTATS_MIB_INHDRERRORS' if ipv6_hop_jumbo() returns false.

Therefore, the statistics in ipv6_hop_jumbo() is redundant, which
means the drop is counted twice. The statistics in ipv6_hop_jumbo()
is almost the same as the outside, except the
'IPSTATS_MIB_INTRUNCATEDPKTS', which seems that we have to ignore it.


Here is a basic test for IPv6 forwarding packet drop that monitored by
'dropwatch' tool:

  drop at: ip6_forward+0x81a/0xb70 (0xffffffff86c73f8a)
  origin: software
  input port ifindex: 7
  timestamp: Wed Apr 13 11:51:06 2022 130010176 nsec
  protocol: 0x86dd
  length: 94
  original length: 94
  drop reason: IP_INADDRERRORS

The origin cause of this case is that IPv6 doesn't allow to forward the
packet with LOCAL-LINK saddr, and results the 'IP_INADDRERRORS' drop

Menglong Dong (9):
  skb: add some helpers for skb drop reasons
  net: ipv4: add skb drop reasons to ip_error()
  net: ipv6: add skb drop reasons to ip6_pkt_drop()
  net: ip: add skb drop reasons to ip forwarding
  net: icmp: introduce function icmpv6_param_prob_reason()
  net: ipv6: remove redundant statistics in ipv6_hop_jumbo()
  net: ipv6: add skb drop reasons to TLV parse
  net: ipv6: add skb drop reasons to ip6_rcv_core()
  net: ipv6: add skb drop reasons to ip6_protocol_deliver_rcu()

 include/linux/icmpv6.h     | 11 +++++++++--
 include/linux/skbuff.h     | 21 ++++++++++++++++++++
 include/trace/events/skb.h |  3 +++
 net/ipv4/ip_forward.c      | 13 ++++++++++---
 net/ipv4/route.c           |  6 +++++-
 net/ipv6/exthdrs.c         | 39 +++++++++++++++++++++----------------
 net/ipv6/icmp.c            |  7 ++++---
 net/ipv6/ip6_input.c       | 40 ++++++++++++++++++++++++++------------
 net/ipv6/ip6_output.c      |  9 ++++++---
 net/ipv6/route.c           |  6 +++++-
 10 files changed, 113 insertions(+), 42 deletions(-)


Powered by blists - more mailing lists