lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZN0AjcCdPx35cu+q@moon.secunet.de>
Date: Wed, 16 Aug 2023 18:59:57 +0200
From: Antony Antony <antony.antony@...unet.com>
To: Eyal Birger <eyal.birger@...il.com>
CC: <antony.antony@...unet.com>, Steffen Klassert
	<steffen.klassert@...unet.com>, Herbert Xu <herbert@...dor.apana.org.au>,
	<devel@...ux-ipsec.org>, <netdev@...r.kernel.org>
Subject: Re: [PATCH v4 ipsec-next 2/3] xfrm: Support GRO for IPv4 ESP in UDP
 encapsulation.

Hi Eyal,

Thanks for your quick review. I have addressed the points you raised for
both v4 and send v5 patches.

On Wed, Aug 16, 2023 at 14:15:01 +0300, Eyal Birger wrote:
> Hi Antony,
> 
> On Wed, Aug 16, 2023 at 12:57 PM Antony Antony
> <antony.antony@...unet.com> wrote:
> >
> > From: Steffen Klassert <steffen.klassert@...unet.com>
> >
> > This patch enables the GRO codepath for IPv4 ESP in UDP encapsulated
> > packets. Decapsulation happens at L2 and saves a full round through
> > the stack for each packet. This is also needed to support HW offload
> > for ESP in UDP encapsulation.
> >
> > Signed-off-by: Steffen Klassert <steffen.klassert@...unet.com>
> > Co-developed-by: Antony Antony <antony.antony@...unet.com>
> > Signed-off-by: Antony Antony <antony.antony@...unet.com>
> > ---
> >  include/net/gro.h       |  2 +-
> >  include/net/xfrm.h      |  4 ++
> >  net/ipv4/esp4_offload.c |  6 ++-
> >  net/ipv4/udp.c          | 16 ++++++-
> >  net/ipv4/xfrm4_input.c  | 98 ++++++++++++++++++++++++++++++++---------
> >  5 files changed, 103 insertions(+), 23 deletions(-)
> >
> > diff --git a/include/net/gro.h b/include/net/gro.h
> > index a4fab706240d..41c12c5d1ea1 100644
> > --- a/include/net/gro.h
> > +++ b/include/net/gro.h
> > @@ -29,7 +29,7 @@ struct napi_gro_cb {
> >         /* Number of segments aggregated. */
> >         u16     count;
> >
> > -       /* Used in ipv6_gro_receive() and foo-over-udp */
> > +       /* Used in ipv6_gro_receive() and foo-over-udp and esp-in-udp */
> >         u16     proto;
> >
> >         /* jiffies when first packet was created/queued */
> > diff --git a/include/net/xfrm.h b/include/net/xfrm.h
> > index 33ee3f5936e6..e980f442ddcd 100644
> > --- a/include/net/xfrm.h
> > +++ b/include/net/xfrm.h
> > @@ -1671,6 +1671,8 @@ void xfrm_local_error(struct sk_buff *skb, int mtu);
> >  int xfrm4_extract_input(struct xfrm_state *x, struct sk_buff *skb);
> >  int xfrm4_rcv_encap(struct sk_buff *skb, int nexthdr, __be32 spi,
> >                     int encap_type);
> > +struct sk_buff *xfrm4_gro_udp_encap_rcv(struct sock *sk, struct list_head *head,
> > +                                       struct sk_buff *skb);
> 
> Why does this function need to be declared twice in this file?

no need. Actully the following patch was removed it:) It is fixed in v5.

> 
> >  int xfrm4_transport_finish(struct sk_buff *skb, int async);
> >  int xfrm4_rcv(struct sk_buff *skb);
> >
> > @@ -1711,6 +1713,8 @@ int xfrm6_output(struct net *net, struct sock *sk, struct sk_buff *skb);
> >  void xfrm6_local_rxpmtu(struct sk_buff *skb, u32 mtu);
> >  int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
> >  int xfrm6_udp_encap_rcv(struct sock *sk, struct sk_buff *skb);
> > +struct sk_buff *xfrm4_gro_udp_encap_rcv(struct sock *sk, struct list_head *head,
> > +                                       struct sk_buff *skb);
> >  int xfrm_user_policy(struct sock *sk, int optname, sockptr_t optval,
> >                      int optlen);
> >  #else
> > diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
> > index 77bb01032667..34ebfdf0e986 100644
> > --- a/net/ipv4/esp4_offload.c
> > +++ b/net/ipv4/esp4_offload.c
> > @@ -32,6 +32,7 @@ static struct sk_buff *esp4_gro_receive(struct list_head *head,
> >         int offset = skb_gro_offset(skb);
> >         struct xfrm_offload *xo;
> >         struct xfrm_state *x;
> > +       int encap_type = 0;
> >         __be32 seq;
> >         __be32 spi;
> >
> > @@ -69,6 +70,9 @@ static struct sk_buff *esp4_gro_receive(struct list_head *head,
> >
> >         xo->flags |= XFRM_GRO;
> >
> > +       if (NAPI_GRO_CB(skb)->proto == IPPROTO_UDP)
> > +               encap_type = UDP_ENCAP_ESPINUDP;
> > +
> >         XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
> >         XFRM_SPI_SKB_CB(skb)->family = AF_INET;
> >         XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
> > @@ -76,7 +80,7 @@ static struct sk_buff *esp4_gro_receive(struct list_head *head,
> >
> >         /* We don't need to handle errors from xfrm_input, it does all
> >          * the error handling and frees the resources on error. */
> > -       xfrm_input(skb, IPPROTO_ESP, spi, 0);
> > +       xfrm_input(skb, IPPROTO_ESP, spi, encap_type);
> >
> >         return ERR_PTR(-EINPROGRESS);
> >  out_reset:
> > diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
> > index aa32afd871ee..337607b17ebd 100644
> > --- a/net/ipv4/udp.c
> > +++ b/net/ipv4/udp.c
> > @@ -2681,6 +2681,17 @@ void udp_destroy_sock(struct sock *sk)
> >         }
> >  }
> >
> > +static void set_xfrm_gro_udp_encap_rcv(__u16 encap_type, unsigned short family,
> > +                                      struct udp_sock *up)
> > +{
> > +#ifdef CONFIG_XFRM
> > +       if (up->gro_enabled && encap_type == UDP_ENCAP_ESPINUDP) {
> > +               if (family == AF_INET)
> > +                       up->gro_receive = xfrm4_gro_udp_encap_rcv;
> > +       }
> > +#endif
> > +}
> > +
> >  /*
> >   *     Socket option code for UDP
> >   */
> > @@ -2730,12 +2741,14 @@ int udp_lib_setsockopt(struct sock *sk, int level, int optname,
> >                 case 0:
> >  #ifdef CONFIG_XFRM
> >                 case UDP_ENCAP_ESPINUDP:
> > +                       set_xfrm_gro_udp_encap_rcv(val, sk->sk_family, up);
> > +                       fallthrough;
> >                 case UDP_ENCAP_ESPINUDP_NON_IKE:
> >  #if IS_ENABLED(CONFIG_IPV6)
> >                         if (sk->sk_family == AF_INET6)
> >                                 up->encap_rcv = ipv6_stub->xfrm6_udp_encap_rcv;
> > -                       else
> >  #endif
> > +                       if (sk->sk_family == AF_INET)
> 
> Why is this change needed?

It is not necessary. I removed it in v5.

> 
> >                                 up->encap_rcv = xfrm4_udp_encap_rcv;
> >  #endif
> >                         fallthrough;
> > @@ -2773,6 +2786,7 @@ int udp_lib_setsockopt(struct sock *sk, int level, int optname,
> >                         udp_tunnel_encap_enable(sk->sk_socket);
> >                 up->gro_enabled = valbool;
> >                 up->accept_udp_l4 = valbool;
> > +               set_xfrm_gro_udp_encap_rcv(up->encap_type, sk->sk_family, up);
> >                 release_sock(sk);
> >                 break;
> >
> > diff --git a/net/ipv4/xfrm4_input.c b/net/ipv4/xfrm4_input.c
> > index ad2afeef4f10..b57f477c745e 100644
> > --- a/net/ipv4/xfrm4_input.c
> > +++ b/net/ipv4/xfrm4_input.c
> > @@ -17,6 +17,8 @@
> >  #include <linux/netfilter_ipv4.h>
> >  #include <net/ip.h>
> >  #include <net/xfrm.h>
> > +#include <net/protocol.h>
> > +#include <net/gro.h>
> >
> >  static int xfrm4_rcv_encap_finish2(struct net *net, struct sock *sk,
> >                                    struct sk_buff *skb)
> > @@ -72,14 +74,7 @@ int xfrm4_transport_finish(struct sk_buff *skb, int async)
> >         return 0;
> >  }
> >
> > -/* If it's a keepalive packet, then just eat it.
> > - * If it's an encapsulated packet, then pass it to the
> > - * IPsec xfrm input.
> > - * Returns 0 if skb passed to xfrm or was dropped.
> > - * Returns >0 if skb should be passed to UDP.
> > - * Returns <0 if skb should be resubmitted (-ret is protocol)
> > - */
> > -int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
> > +static int __xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb, bool pull)
> >  {
> >         struct udp_sock *up = udp_sk(sk);
> >         struct udphdr *uh;
> > @@ -90,8 +85,8 @@ int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
> >         __be32 *udpdata32;
> >         __u16 encap_type = up->encap_type;
> >
> > -       /* if this is not encapsulated socket, then just return now */
> > -       if (!encap_type)
> > +       /* if unknown encap_type then just return now */
> > +       if (encap_type != UDP_ENCAP_ESPINUDP && encap_type != UDP_ENCAP_ESPINUDP_NON_IKE)
> 
> This change is unclear to me - the patch adds support for GRO on
> UDP_ENCAP_ESPINUDP.

yes.
> How can we now get other encap types here? and why wasn't the old condition ok?

In the current code the old check is enoguh. I removed new code in v5.

> 
> >                 return 1;
> >
> >         /* If this is a paged skb, make sure we pull up
> > @@ -110,7 +105,7 @@ int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
> >         case UDP_ENCAP_ESPINUDP:
> >                 /* Check if this is a keepalive packet.  If so, eat it. */
> >                 if (len == 1 && udpdata[0] == 0xff) {
> > -                       goto drop;
> > +                       return -EINVAL;
> >                 } else if (len > sizeof(struct ip_esp_hdr) && udpdata32[0] != 0) {
> >                         /* ESP Packet without Non-ESP header */
> >                         len = sizeof(struct udphdr);
> > @@ -121,7 +116,7 @@ int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
> >         case UDP_ENCAP_ESPINUDP_NON_IKE:
> >                 /* Check if this is a keepalive packet.  If so, eat it. */
> >                 if (len == 1 && udpdata[0] == 0xff) {
> > -                       goto drop;
> > +                       return -EINVAL;
> >                 } else if (len > 2 * sizeof(u32) + sizeof(struct ip_esp_hdr) &&
> >                            udpdata32[0] == 0 && udpdata32[1] == 0) {
> >
> > @@ -139,7 +134,7 @@ int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
> >          * protocol to ESP, and then call into the transform receiver.
> >          */
> >         if (skb_unclone(skb, GFP_ATOMIC))
> > -               goto drop;
> > +               return -EINVAL;
> >
> >         /* Now we can update and verify the packet length... */
> >         iph = ip_hdr(skb);
> > @@ -147,24 +142,87 @@ int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
> >         iph->tot_len = htons(ntohs(iph->tot_len) - len);
> >         if (skb->len < iphlen + len) {
> >                 /* packet is too small!?! */
> > -               goto drop;
> > +               return -EINVAL;
> >         }
> >
> >         /* pull the data buffer up to the ESP header and set the
> >          * transport header to point to ESP.  Keep UDP on the stack
> >          * for later.
> >          */
> > -       __skb_pull(skb, len);
> > -       skb_reset_transport_header(skb);
> > +       if (pull) {
> > +               __skb_pull(skb, len);
> > +               skb_reset_transport_header(skb);
> > +       } else {
> > +               skb_set_transport_header(skb, len);
> > +       }
> >
> >         /* process ESP */
> > -       return xfrm4_rcv_encap(skb, IPPROTO_ESP, 0, encap_type);
> > -
> > -drop:
> > -       kfree_skb(skb);
> >         return 0;
> >  }
> >
> > +/* If it's a keepalive packet, then just eat it.
> > + * If it's an encapsulated packet, then pass it to the
> > + * IPsec xfrm input.
> > + * Returns 0 if skb passed to xfrm or was dropped.
> > + * Returns >0 if skb should be passed to UDP.
> > + * Returns <0 if skb should be resubmitted (-ret is protocol)
> > + */
> > +int xfrm4_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
> > +{
> > +       int ret;
> > +
> > +       ret = __xfrm4_udp_encap_rcv(sk, skb, true);
> > +       if (!ret)
> > +               return xfrm4_rcv_encap(skb, IPPROTO_ESP, 0,
> > +                                      udp_sk(sk)->encap_type);
> > +
> > +       if (ret < 0) {
> > +               kfree_skb(skb);
> > +               return 0;
> > +       }
> > +
> > +       return ret;
> > +}
> > +
> > +struct sk_buff *xfrm4_gro_udp_encap_rcv(struct sock *sk, struct list_head *head,
> > +                                       struct sk_buff *skb)
> > +{
> > +       int offset = skb_gro_offset(skb);
> > +       const struct net_offload *ops;
> > +       struct sk_buff *pp = NULL;
> > +       int ret;
> > +
> > +       offset = offset - sizeof(struct udphdr);
> > +
> > +       if (!pskb_pull(skb, offset))
> > +               return NULL;
> > +
> > +       rcu_read_lock();
> > +       ops = rcu_dereference(inet_offloads[IPPROTO_ESP]);
> > +       if (!ops || !ops->callbacks.gro_receive)
> > +               goto out;
> > +
> > +       ret = __xfrm4_udp_encap_rcv(sk, skb, false);
> > +       if (ret)
> > +               goto out;
> > +
> > +       skb_push(skb, offset);
> > +       NAPI_GRO_CB(skb)->proto = IPPROTO_UDP;
> > +
> > +       pp = call_gro_receive(ops->callbacks.gro_receive, head, skb);
> > +       rcu_read_unlock();
> > +
> > +       return pp;
> > +
> > +out:
> > +       rcu_read_unlock();
> > +       skb_push(skb, offset);
> > +       NAPI_GRO_CB(skb)->same_flow = 0;
> > +       NAPI_GRO_CB(skb)->flush = 1;
> > +
> > +       return NULL;
> > +}
> > +
> >  int xfrm4_rcv(struct sk_buff *skb)
> >  {
> >         return xfrm4_rcv_spi(skb, ip_hdr(skb)->protocol, 0);
> > --
> > 2.30.2
> >

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ