lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 22 Mar 2023 15:04:14 +0800
From:   Vladimir Nikishkin <vladimir@...ishkin.pw>
To:     netdev@...r.kernel.org
Cc:     davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
        pabeni@...hat.com, eng.alaamohamedsoliman.am@...il.com,
        gnault@...hat.com, razor@...ckwall.org,
        Vladimir Nikishkin <vladimir@...ishkin.pw>
Subject: [PATCH net-next v4] vxlan: try to send a packet normally if local bypass fails

In vxlan_core, if an fdb entry is pointing to a local
address with some port, the system tries to get the packet to
deliver the packet to the vxlan directly, bypassing the network
stack.

This patch makes it still try canonical delivery, if there is no
linux kernel vxlan listening on this port. This will be useful
for the cases when there is some userspace daemon expecting
vxlan packets for post-processing, or some other implementation
of vxlan.

Signed-off-by: Vladimir Nikishkin <vladimir@...ishkin.pw>
---
 Documentation/networking/vxlan.rst | 13 ++++++++++
 drivers/net/vxlan/vxlan_core.c     | 39 ++++++++++++++++++++++++++++--
 2 files changed, 50 insertions(+), 2 deletions(-)

diff --git a/Documentation/networking/vxlan.rst b/Documentation/networking/vxlan.rst
index 2759dc1cc525..0ac5681093ef 100644
--- a/Documentation/networking/vxlan.rst
+++ b/Documentation/networking/vxlan.rst
@@ -86,3 +86,16 @@ offloaded ports can be interrogated with `ethtool`::
       Types: geneve, vxlan-gpe
       Entries (1):
           port 1230, vxlan-gpe
+
+=================
+Sysctls
+=================
+
+One sysctl influences the behaviour of the vxlan driver.
+
+ - `vxlan.disable_local_bypass`
+
+If set to 1, and if there is a packet destined to the local address, for which the
+driver cannot find a corresponding vni, it is forwarded to the userspace networking
+stack. This is useful if there is some userspace UDP tunnel waiting for such
+packets.
diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
index 561fe1b314f5..cef15b9d3c9e 100644
--- a/drivers/net/vxlan/vxlan_core.c
+++ b/drivers/net/vxlan/vxlan_core.c
@@ -15,6 +15,7 @@
 #include <linux/igmp.h>
 #include <linux/if_ether.h>
 #include <linux/ethtool.h>
+#include <linux/sysctl.h>
 #include <net/arp.h>
 #include <net/ndisc.h>
 #include <net/gro.h>
@@ -53,6 +54,30 @@ static bool log_ecn_error = true;
 module_param(log_ecn_error, bool, 0644);
 MODULE_PARM_DESC(log_ecn_error, "Log packets received with corrupted ECN");
 
+static int disable_local_bypass;
+struct ctl_table_header *vxlan_sysctl_header;
+static struct ctl_table vxlan_sysctl_child[] = {
+	{
+		.procname = "disable_local_bypass",
+		.data = &disable_local_bypass,
+		.maxlen = sizeof(int),
+		.mode = 0644,
+		.proc_handler = &proc_dointvec_minmax,
+		.extra1 = SYSCTL_ZERO,
+		.extra2 = SYSCTL_ONE,
+	},
+	{}
+};
+
+static struct ctl_table vxlan_sysctl_parent[] = {
+	{
+		.procname = "vxlan",
+		.mode = 0555,
+		.child = vxlan_sysctl_child,
+	},
+	{}
+};
+
 unsigned int vxlan_net_id;
 
 const u8 all_zeros_mac[ETH_ALEN + 2];
@@ -2355,18 +2380,21 @@ static int encap_bypass_if_local(struct sk_buff *skb, struct net_device *dev,
 	    !(rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))) {
 		struct vxlan_dev *dst_vxlan;
 
-		dst_release(dst);
 		dst_vxlan = vxlan_find_vni(vxlan->net, dst_ifindex, vni,
 					   daddr->sa.sa_family, dst_port,
 					   vxlan->cfg.flags);
-		if (!dst_vxlan) {
+		if (!dst_vxlan && !disable_local_bypass) {
+			dst_release(dst);
 			dev->stats.tx_errors++;
 			vxlan_vnifilter_count(vxlan, vni, NULL,
 					      VXLAN_VNI_STATS_TX_ERRORS, 0);
 			kfree_skb(skb);
 
 			return -ENOENT;
+		} else if (!dst_vxlan && disable_local_bypass) {
+			return 0;
 		}
+		dst_release(dst);
 		vxlan_encap_bypass(skb, vxlan, dst_vxlan, vni, true);
 		return 1;
 	}
@@ -4671,6 +4699,12 @@ static struct pernet_operations vxlan_net_ops = {
 static int __init vxlan_init_module(void)
 {
 	int rc;
+	vxlan_sysctl_header =
+		register_sysctl_table(vxlan_sysctl_parent);
+	if (!vxlan_sysctl_header) {
+		pr_alert("Error: Failed to register vxlan sysctl subtree\n");
+		return -EFAULT;
+	}
 
 	get_random_bytes(&vxlan_salt, sizeof(vxlan_salt));
 
@@ -4706,6 +4740,7 @@ late_initcall(vxlan_init_module);
 
 static void __exit vxlan_cleanup_module(void)
 {
+	unregister_sysctl_table(vxlan_sysctl_header);
 	vxlan_vnifilter_uninit();
 	rtnl_link_unregister(&vxlan_link_ops);
 	unregister_switchdev_notifier(&vxlan_switchdev_notifier_block);
-- 
2.35.7

--
Fastmail.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ