| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 Apr 2022 16:15:51 +0800
From: menglong8.dong@...il.com
To: dsahern@...nel.org
Cc: rostedt@...dmis.org, mingo@...hat.com, davem@...emloft.net,
yoshfuji@...ux-ipv6.org, kuba@...nel.org, pabeni@...hat.com,
benbjiang@...cent.com, flyingpeng@...cent.com,
imagedong@...cent.com, edumazet@...gle.com, kafai@...com,
talalahmad@...gle.com, keescook@...omium.org,
mengensun@...cent.com, dongli.zhang@...cle.com,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org
Subject: [PATCH net-next 0/9] net: ip: add skb drop reasons to ip ingress
From: Menglong Dong <imagedong@...cent.com>
In the series "net: use kfree_skb_reason() for ip/udp packet receive",
skb drop reasons are added to the basic ingress path of IPv4. And in
the series "net: use kfree_skb_reason() for ip/neighbour", the egress
paths of IPv4 and IPv6 are handled. Related links:
https://lore.kernel.org/netdev/20220205074739.543606-1-imagedong@tencent.com/
https://lore.kernel.org/netdev/20220226041831.2058437-1-imagedong@tencent.com/
Seems we still have a lot work to do with IP layer, including IPv6 basic
ingress path, IPv4/IPv6 forwarding, IPv6 exthdrs, fragment and defrag,
etc.
In this series, skb drop reasons are added to the basic ingress path of
IPv6 protocol and IPv4/IPv6 packet forwarding. Following functions, which
are used for IPv6 packet receiving are handled:
ip6_pkt_drop()
ip6_rcv_core()
ip6_protocol_deliver_rcu()
And following functions that used for IPv6 TLV parse are handled:
ip6_parse_tlv()
ipv6_hop_ra()
ipv6_hop_ioam()
ipv6_hop_jumbo()
ipv6_hop_calipso()
ipv6_dest_hao()
Besides, ip_forward() and ip6_forward(), which are used for IPv4/IPv6
forwarding, are also handled. And following new drop reasons are added:
/* host unreachable, corresponding to IPSTATS_MIB_INADDRERRORS */
SKB_DROP_REASON_IP_INADDRERRORS
/* network unreachable, corresponding to IPSTATS_MIB_INADDRERRORS */
SKB_DROP_REASON_IP_INNOROUTES
/* packet size is too big, corresponding to
* IPSTATS_MIB_INTOOBIGERRORS
*/
SKB_DROP_REASON_PKT_TOO_BIG
In order to simply the definition and assignment for
'enum skb_drop_reason', some helper functions are introduced in the 1th
patch. I'm not such if this is necessary, but it makes the code simpler.
For example, we can replace the code:
if (reason == SKB_DROP_REASON_NOT_SPECIFIED)
reason = SKB_DROP_REASON_IP_INHDR;
with:
SKB_DR_OR(reason, IP_INHDR);
In the 6th patch, the statistics for skb in ipv6_hop_jum() is removed,
as I think it is redundant. There are two call chains for
ipv6_hop_jumbo(). The first one is:
ipv6_destopt_rcv() -> ip6_parse_tlv() -> ipv6_hop_jumbo()
On this call chain, the drop statistics will be done in
ipv6_destopt_rcv() with 'IPSTATS_MIB_INHDRERRORS' if ipv6_hop_jumbo()
returns false.
The second call chain is:
ip6_rcv_core() -> ipv6_parse_hopopts() -> ip6_parse_tlv()
And the drop statistics will also be done in ip6_rcv_core() with
'IPSTATS_MIB_INHDRERRORS' if ipv6_hop_jumbo() returns false.
Therefore, the statistics in ipv6_hop_jumbo() is redundant, which
means the drop is counted twice. The statistics in ipv6_hop_jumbo()
is almost the same as the outside, except the
'IPSTATS_MIB_INTRUNCATEDPKTS', which seems that we have to ignore it.
======================================================================
Here is a basic test for IPv6 forwarding packet drop that monitored by
'dropwatch' tool:
drop at: ip6_forward+0x81a/0xb70 (0xffffffff86c73f8a)
origin: software
input port ifindex: 7
timestamp: Wed Apr 13 11:51:06 2022 130010176 nsec
protocol: 0x86dd
length: 94
original length: 94
drop reason: IP_INADDRERRORS
The origin cause of this case is that IPv6 doesn't allow to forward the
packet with LOCAL-LINK saddr, and results the 'IP_INADDRERRORS' drop
reason.
Menglong Dong (9):
skb: add some helpers for skb drop reasons
net: ipv4: add skb drop reasons to ip_error()
net: ipv6: add skb drop reasons to ip6_pkt_drop()
net: ip: add skb drop reasons to ip forwarding
net: icmp: introduce function icmpv6_param_prob_reason()
net: ipv6: remove redundant statistics in ipv6_hop_jumbo()
net: ipv6: add skb drop reasons to TLV parse
net: ipv6: add skb drop reasons to ip6_rcv_core()
net: ipv6: add skb drop reasons to ip6_protocol_deliver_rcu()
include/linux/icmpv6.h | 11 +++++++++--
include/linux/skbuff.h | 21 ++++++++++++++++++++
include/trace/events/skb.h | 3 +++
net/ipv4/ip_forward.c | 13 ++++++++++---
net/ipv4/route.c | 6 +++++-
net/ipv6/exthdrs.c | 39 +++++++++++++++++++++----------------
net/ipv6/icmp.c | 7 ++++---
net/ipv6/ip6_input.c | 40 ++++++++++++++++++++++++++------------
net/ipv6/ip6_output.c | 9 ++++++---
net/ipv6/route.c | 6 +++++-
10 files changed, 113 insertions(+), 42 deletions(-)
--
2.35.1
Powered by blists - more mailing lists