| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Z68OQtAL2jiu/1Sg@gauss3.secunet.de>
Date: Fri, 14 Feb 2025 10:34:58 +0100
From: Steffen Klassert <steffen.klassert@...unet.com>
To: Leon Romanovsky <leon@...nel.org>
CC: Alexandre Cassen <acassen@...p.free.fr>, <netdev@...r.kernel.org>
Subject: Re: [RFC ipsec-next] xfrm: fix tunnel mode TX datapath in packet
offload mode
On Wed, Feb 05, 2025 at 08:41:02PM +0200, Leon Romanovsky wrote:
> From: Alexandre Cassen <acassen@...p.free.fr>
>
> +static int xfrm_dev_direct_output(struct sock *sk, struct xfrm_state *x,
> + struct sk_buff *skb)
> +{
> + struct dst_entry *dst = skb_dst(skb);
> + struct net *net = xs_net(x);
> + int err;
> +
> + dst = skb_dst_pop(skb);
> + if (!dst) {
> + XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTERROR);
> + kfree_skb(skb);
> + return -EHOSTUNREACH;
> + }
> + skb_dst_set(skb, dst);
> + nf_reset_ct(skb);
> +
> + err = skb_dst(skb)->ops->local_out(net, sk, skb);
> + if (unlikely(err != 1)) {
> + kfree_skb(skb);
> + return err;
> + }
> +
> + /* In transport mode, network destination is
> + * directly reachable, while in tunnel mode,
> + * inner packet network may not be. In packet
> + * offload type, HW is responsible for hard
> + * header packet mangling so directly xmit skb
> + * to netdevice.
> + */
> + skb->dev = x->xso.dev;
> + __skb_push(skb, skb->dev->hard_header_len);
> + return dev_queue_xmit(skb);
I think this is absolutely the right thing for tunnel mode,
but on transport mode we might bypass some valid netfilter
rules.
Powered by blists - more mailing lists