Date: Wed, 13 Apr 2022 16:15:51 +0800
From: menglong8.dong@...il.com
To: dsahern@...nel.org
Cc: rostedt@...dmis.org, mingo@...hat.com, davem@...emloft.net,
    yoshfuji@...ux-ipv6.org, kuba@...nel.org, pabeni@...hat.com,
    benbjiang@...cent.com, flyingpeng@...cent.com, imagedong@...cent.com,
    edumazet@...gle.com, kafai@...com, talalahmad@...gle.com,
    keescook@...omium.org, mengensun@...cent.com, dongli.zhang@...cle.com,
    linux-kernel@...r.kernel.org, netdev@...r.kernel.org
Subject: [PATCH net-next 0/9] net: ip: add skb drop reasons to ip ingress

From: Menglong Dong <imagedong@...cent.com>

In the series "net: use kfree_skb_reason() for ip/udp packet receive",
skb drop reasons are added to the basic ingress path of IPv4. And in
the series "net: use kfree_skb_reason() for ip/neighbour", the egress
paths of IPv4 and IPv6 are handled. Related links:

https://lore.kernel.org/netdev/20220205074739.543606-1-imagedong@tencent.com/
https://lore.kernel.org/netdev/20220226041831.2058437-1-imagedong@tencent.com/

Seems we still have a lot of work to do with the IP layer, including the
IPv6 basic ingress path, IPv4/IPv6 forwarding, IPv6 exthdrs, fragment and
defrag, etc.

In this series, skb drop reasons are added to the basic ingress path of
the IPv6 protocol and to IPv4/IPv6 packet forwarding. The following
functions, which are used for IPv6 packet receiving, are handled:

  ip6_pkt_drop()
  ip6_rcv_core()
  ip6_protocol_deliver_rcu()

And the following functions that are used for IPv6 TLV parsing are handled:

  ip6_parse_tlv()
  ipv6_hop_ra()
  ipv6_hop_ioam()
  ipv6_hop_jumbo()
  ipv6_hop_calipso()
  ipv6_dest_hao()

Besides, ip_forward() and ip6_forward(), which are used for IPv4/IPv6
forwarding, are also handled.

And the following new drop reasons are added:

  /* host unreachable, corresponding to IPSTATS_MIB_INADDRERRORS */
  SKB_DROP_REASON_IP_INADDRERRORS
  /* network unreachable, corresponding to IPSTATS_MIB_INADDRERRORS */
  SKB_DROP_REASON_IP_INNOROUTES
  /* packet size is too big, corresponding to
   * IPSTATS_MIB_INTOOBIGERRORS
   */
  SKB_DROP_REASON_PKT_TOO_BIG

In order to simplify the definition and assignment for
'enum skb_drop_reason', some helper functions are introduced in the 1st
patch. I'm not sure if this is necessary, but it makes the code simpler.
For example, we can replace the code:

  if (reason == SKB_DROP_REASON_NOT_SPECIFIED)
          reason = SKB_DROP_REASON_IP_INHDR;

with:

  SKB_DR_OR(reason, IP_INHDR);

In the 6th patch, the statistics for skb in ipv6_hop_jumbo() are removed,
as I think they are redundant. There are two call chains for
ipv6_hop_jumbo(). The first one is:

  ipv6_destopt_rcv() -> ip6_parse_tlv() -> ipv6_hop_jumbo()

On this call chain, the drop statistics will be done in
ipv6_destopt_rcv() with 'IPSTATS_MIB_INHDRERRORS' if ipv6_hop_jumbo()
returns false.

The second call chain is:

  ip6_rcv_core() -> ipv6_parse_hopopts() -> ip6_parse_tlv()

And the drop statistics will also be done in ip6_rcv_core() with
'IPSTATS_MIB_INHDRERRORS' if ipv6_hop_jumbo() returns false.

Therefore, the statistics in ipv6_hop_jumbo() are redundant, which means
the drop is counted twice. The statistics in ipv6_hop_jumbo() are almost
the same as the outside ones, except for 'IPSTATS_MIB_INTRUNCATEDPKTS',
which it seems we have to ignore.

======================================================================

Here is a basic test for an IPv6 forwarding packet drop, monitored by the
'dropwatch' tool:

  drop at: ip6_forward+0x81a/0xb70 (0xffffffff86c73f8a)
  origin: software
  input port ifindex: 7
  timestamp: Wed Apr 13 11:51:06 2022 130010176 nsec
  protocol: 0x86dd
  length: 94
  original length: 94
  drop reason: IP_INADDRERRORS

The original cause of this case is that IPv6 doesn't allow forwarding a
packet with a LOCAL-LINK saddr, which results in the 'IP_INADDRERRORS'
drop reason.

Menglong Dong (9):
  skb: add some helpers for skb drop reasons
  net: ipv4: add skb drop reasons to ip_error()
  net: ipv6: add skb drop reasons to ip6_pkt_drop()
  net: ip: add skb drop reasons to ip forwarding
  net: icmp: introduce function icmpv6_param_prob_reason()
  net: ipv6: remove redundant statistics in ipv6_hop_jumbo()
  net: ipv6: add skb drop reasons to TLV parse
  net: ipv6: add skb drop reasons to ip6_rcv_core()
  net: ipv6: add skb drop reasons to ip6_protocol_deliver_rcu()

 include/linux/icmpv6.h     | 11 +++++++++--
 include/linux/skbuff.h     | 21 ++++++++++++++++++++
 include/trace/events/skb.h |  3 +++
 net/ipv4/ip_forward.c      | 13 ++++++++++---
 net/ipv4/route.c           |  6 +++++-
 net/ipv6/exthdrs.c         | 39 +++++++++++++++++++++----------------
 net/ipv6/icmp.c            |  7 ++++---
 net/ipv6/ip6_input.c       | 40 ++++++++++++++++++++++++++------------
 net/ipv6/ip6_output.c      |  9 ++++++---
 net/ipv6/route.c           |  6 +++++-
 10 files changed, 113 insertions(+), 42 deletions(-)

-- 
2.35.1
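
Added example (not part of the original message or of the patch series): a small parser that tallies dropwatch records like the one quoted in the message by dropping function and drop reason, so forwarding-path drops can be counted per reason when monitoring a router. The sample records are constructed; the ip_forward and kfree_skb offsets and addresses, and the `UNREPORTED` label for a record with no reason line, are assumptions.

```python
from collections import Counter

# Constructed input: record layout copied from the dropwatch output quoted in
# the cover letter; the ip_forward/kfree_skb offsets and addresses are made up.
RECORD = """drop at: {where}
origin: software
input port ifindex: {ifindex}
timestamp: Wed Apr 13 11:51:06 2022 130010176 nsec
protocol: {proto}
length: {length}
original length: {length}
drop reason: {reason}
"""
LINK_LOCAL = RECORD.format(where="ip6_forward+0x81a/0xb70 (0xffffffff86c73f8a)",
                           ifindex=7, proto="0x86dd", length=94, reason="IP_INADDRERRORS")
TOO_BIG = RECORD.format(where="ip_forward+0x100/0x500 (0xffffffff80000100)",
                        ifindex=3, proto="0x800", length=1514, reason="PKT_TOO_BIG")
# Constructed record with no "drop reason" line, to exercise the fallback.
NO_REASON = "drop at: kfree_skb+0x10/0x20 (0xffffffff80000200)\norigin: software\n"
SAMPLE = "\n".join([LINK_LOCAL, LINK_LOCAL, TOO_BIG, NO_REASON])
FORWARD_FUNCS = {"ip_forward", "ip6_forward"}  # forwarding functions named in the series

def parse_records(text):
    """Split dropwatch text into dicts; a 'drop at:' line starts a new record."""
    records, cur = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first ':' only, keeps timestamps whole
        if not sep:
            continue  # blank separator or free text
        if key.strip() == "drop at":
            cur = {"func": value.split("+", 1)[0].strip()}
            records.append(cur)
        if cur is not None:
            cur[key.strip()] = value.strip()
    return records

def summarize(records):
    """Count drops per (function, reason); records without a reason are UNREPORTED."""
    return Counter((r["func"], r.get("drop reason", "UNREPORTED")) for r in records)

def forwarding_drops(records):
    """Records dropped in the IPv4/IPv6 forwarding functions."""
    return [r for r in records if r["func"] in FORWARD_FUNCS]

if __name__ == "__main__":
    for (func, reason), n in summarize(parse_records(SAMPLE)).most_common():
        print(f"{n:4d}  {func:<12} {reason}")
```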