lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 6 Jul 2022 09:07:36 +0200
From:   Matthias May <>
To:     Jakub Kicinski <>
CC:     <>, <>,
        <>, <>,
        <>, <>
Subject: Re: [PATCH net] ip_tunnel: allow to inherit from VLAN encapsulated IP

On 06/07/2022 03:25, Jakub Kicinski wrote:
> Please make sure to CC folks pointed out by scripts/
> On Tue, 5 Jul 2022 16:54:42 +0200 Matthias May wrote:
>> Subject: [PATCH net] ip_tunnel: allow to inherit from VLAN encapsulated IP frames
> net-next may be more appropriate, since this never worked.
> Unless it did, in which case we need a Fixes tag.

I'm not aware that this ever worked. I tested back to 4.4.302.
Will send v2 to net-next.

>> The current code allows to inherit the TOS, TTL, DF from the payload
>> when skb->protocol is ETH_P_IP or ETH_P_IPV6.
>> However when the payload is VLAN encapsulated (e.g because the tunnel
>> is of type GRETAP), then this inheriting does not work, because the
>> visible skb->protocol is of type ETH_P_8021Q.
>> Add a check on ETH_P_8021Q and subsequently check the payload protocol.
> Do we need to check for 8021AD as well?

Yeah that would make sense.
I can add the check for ETH_P_8021AD in v2.
Will have to find some hardware that is AD capable to test.

>> Signed-off-by: Matthias May <>
>> ---
>>   net/ipv4/ip_tunnel.c | 21 +++++++++++++--------
> Does ipv6 need the same treatment?

I don't think i changed anything regarding the behaviour for ipv6
by allowing to skip from the outer protocol to the payload protocol.
The previous code already
* got the TOS via ipv6_get_dsfield,
* the TTL was derived from the hop_limit,
* and DF does not exist for ipv6 so it doesn't check for ETH_P_IPV6.


Download attachment "OpenPGP_signature" of type "application/pgp-signature" (237 bytes)

Powered by blists - more mailing lists