| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aIidIq2EM--Ugp6f@gmail.com>
Date: Tue, 29 Jul 2025 12:06:26 +0200
From: Mahe Tardy <mahe.tardy@...il.com>
To: Martin KaFai Lau <martin.lau@...ux.dev>
Cc: alexei.starovoitov@...il.com, andrii@...nel.org, ast@...nel.org,
bpf@...r.kernel.org, coreteam@...filter.org, daniel@...earbox.net,
fw@...len.de, john.fastabend@...il.com, netdev@...r.kernel.org,
netfilter-devel@...r.kernel.org, oe-kbuild-all@...ts.linux.dev,
pablo@...filter.org, lkp@...el.com
Subject: Re: [PATCH bpf-next v3 3/4] bpf: add bpf_icmp_send_unreach
cgroup_skb kfunc
On Mon, Jul 28, 2025 at 06:05:26PM -0700, Martin KaFai Lau wrote:
> On 7/28/25 2:43 AM, Mahe Tardy wrote:
> > This is needed in the context of Tetragon to provide improved feedback
> > (in contrast to just dropping packets) to east-west traffic when blocked
> > by policies using cgroup_skb programs.
> >
> > This reuse concepts from netfilter reject target codepath with the
> > differences that:
> > * Packets are cloned since the BPF user can still return SK_PASS from
> > the cgroup_skb progs and the current skb need to stay untouched
>
> This needs more details. Which field(s) of the skb are changed by the kfunc,
> the skb_dst_set in ip[6]_route_reply_fetch_dst() and/or the code path in the
> icmp[v6]_send() ?
Okay I can add that: "ip[6]_route_reply_fetch_dst set the dst of the skb
by using the saddr as a daddr and routing it", I don't think
icmp[v6]_send touches the skb?
>
> > (cgroup_skb hooks only allow read-only skb payload).
> > * Since cgroup_skb programs are called late in the stack, checksums do
> > not need to be computed or verified, and IPv4 fragmentation does not
> > need to be checked (ip_local_deliver should take care of that
> > earlier).
> >
> > Signed-off-by: Mahe Tardy <mahe.tardy@...il.com>
> > ---
> > net/core/filter.c | 61 +++++++++++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 61 insertions(+)
> >
> > diff --git a/net/core/filter.c b/net/core/filter.c
> > index 7a72f766aacf..050872324575 100644
> > --- a/net/core/filter.c
> > +++ b/net/core/filter.c
> > @@ -85,6 +85,10 @@
> > #include <linux/un.h>
> > #include <net/xdp_sock_drv.h>
> > #include <net/inet_dscp.h>
> > +#include <linux/icmp.h>
> > +#include <net/icmp.h>
> > +#include <net/route.h>
> > +#include <net/ip6_route.h>
> >
> > #include "dev.h"
> >
> > @@ -12148,6 +12152,53 @@ __bpf_kfunc int bpf_sock_ops_enable_tx_tstamp(struct bpf_sock_ops_kern *skops,
> > return 0;
> > }
> >
> > +__bpf_kfunc int bpf_icmp_send_unreach(struct __sk_buff *__skb, int code)
> > +{
> > + struct sk_buff *skb = (struct sk_buff *)__skb;
> > + struct sk_buff *nskb;
> > +
> > + switch (skb->protocol) {
> > + case htons(ETH_P_IP):
> > + if (code < 0 || code > NR_ICMP_UNREACH)
> > + return -EINVAL;
> > +
> > + nskb = skb_clone(skb, GFP_ATOMIC);
> > + if (!nskb)
> > + return -ENOMEM;
> > +
> > + if (ip_route_reply_fetch_dst(nskb) < 0) {
> > + kfree_skb(nskb);
> > + return -EHOSTUNREACH;
> > + }
> > +
> > + icmp_send(nskb, ICMP_DEST_UNREACH, code, 0);
> > + kfree_skb(nskb);
> > + break;
> > +#if IS_ENABLED(CONFIG_IPV6)
> > + case htons(ETH_P_IPV6):
> > + if (code < 0 || code > ICMPV6_REJECT_ROUTE)
> > + return -EINVAL;
> > +
> > + nskb = skb_clone(skb, GFP_ATOMIC);
> > + if (!nskb)
> > + return -ENOMEM;
> > +
> > + if (ip6_route_reply_fetch_dst(nskb) < 0) {
>
> From a very quick look at icmpv6_send(), it does its own route lookup. I
> haven't looked at the v4 yet.
>
> I am likely missing some details. Can you explain why it needs to do a
> lookup before calling icmpv6_send()?
>From my understanding, I need to do this to invert the daddr with the
saddr to send the unreach message back to the sender.
>
> > + kfree_skb(nskb);
> > + return -EHOSTUNREACH;
> > + }
> > +
> > + icmpv6_send(nskb, ICMPV6_DEST_UNREACH, code, 0);
> > + kfree_skb(nskb);
> > + break;
> > +#endif
> > + default:
> > + return -EPROTONOSUPPORT;
> > + }
> > +
> > + return SK_DROP;
> > +}
> > +
Powered by blists - more mailing lists