From patchwork Fri Jun 7 18:55:04 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tom Herbert X-Patchwork-Id: 1112171 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=herbertland.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=herbertland-com.20150623.gappssmtp.com header.i=@herbertland-com.20150623.gappssmtp.com header.b="xj1NfLfN"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 45LBYz3xG8z9sBp for ; Sat, 8 Jun 2019 04:55:51 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729787AbfFGSzt (ORCPT ); Fri, 7 Jun 2019 14:55:49 -0400 Received: from mail-pg1-f196.google.com ([209.85.215.196]:45896 "EHLO mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732083AbfFGSzr (ORCPT ); Fri, 7 Jun 2019 14:55:47 -0400 Received: by mail-pg1-f196.google.com with SMTP id w34so1601178pga.12 for ; Fri, 07 Jun 2019 11:55:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=OqkWOX4LCkr1GiS0NEd3XdV9+Bg2GAYGC3wHGsctfs4=; b=xj1NfLfNCqFw8lMJ0emIJHmAGRCpVI6zLPvM9a+6T8mAlwgCOq9k4tqDoIRyP3kG1u d47J2KUBy2RIAC3KKPWIixxmn1oKR194cLWjYF0TVXq7oEJ1fd3NYoyMgDwochEvYOqL uy8gUn7r5Cf8broR5IyPZteKi4Ie0+eDGMkZOZz5Jg10+eedL0quMLk89NdgokmQluHa gSkeNgMEgfBFFtxUgLyGzWP1MDF7Id5O51xndCEkn9aeY9u9GsZDgLZSY+794JvoFJKD 
5lotDawgarKJ0J3MjImDodblKsVAB7aWAydS/TZMUGOX4NGz/2iDCzJG8ftIHn77A46R KexA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=OqkWOX4LCkr1GiS0NEd3XdV9+Bg2GAYGC3wHGsctfs4=; b=n5zHMmPPUE+3YY57i13+wKXxye2egP/U7WnSvL0jFZWojVyQ9xUJ6HECDMFUOsrEre LRI5dS3vWaMI9QjQYQpuWg+bywYYAuAbJfyzhUXDYTPbNBnvvLL6wU2G0/uG0d/U3Lns Lp+UgVB3foSv448tYACWMAs6W3dH7fIQFfXl7x0sCcS+tfJ0sGsSFCSDjmjCLjZOGYw7 Lm84kciqATaeGVaPl5K+2xsDdK0Lx46ULGcHIPm2tzCqmfdP9bjDTKubbJ7Q8Tw6s4zY 2j+H8DIYFCQEXSfZM+DP0LKhLgwaeKEiQPD+gceffPu0x5Re7rMoXgnm9dnfPuNKL8D2 neZw== X-Gm-Message-State: APjAAAWQlNHmx1xWfCxXn4zhvYNdLoKAUsdXb1HXq4fSGsvWl21PfNW4 zn0Br5j9FfSeBpH2X2O19riwlqHaff8= X-Google-Smtp-Source: APXvYqycYTNh4Gh72Di6zzikLCIN1e/x/k0zEuxo62TetlfeHHssOExhZlaNAP0EUJESQ4hh2TsSsw== X-Received: by 2002:a63:e250:: with SMTP id y16mr4311934pgj.392.1559933746947; Fri, 07 Jun 2019 11:55:46 -0700 (PDT) Received: from localhost.localdomain (c-73-223-249-119.hsd1.ca.comcast.net. [73.223.249.119]) by smtp.gmail.com with ESMTPSA id i25sm3181933pfr.73.2019.06.07.11.55.45 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Fri, 07 Jun 2019 11:55:46 -0700 (PDT) 
From: Tom Herbert
X-Google-Original-From: Tom Herbert
To: davem@davemloft.net, netdev@vger.kernel.org, dlebrun@google.com
Cc: Tom Herbert
Subject: [RFC v2 PATCH 1/5] seg6: Fix TLV definitions
Date: Fri, 7 Jun 2019 11:55:04 -0700
Message-Id: <1559933708-13947-2-git-send-email-tom@quantonium.net>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1559933708-13947-1-git-send-email-tom@quantonium.net>
References: <1559933708-13947-1-git-send-email-tom@quantonium.net>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

The definitions of TLVs in uapi/linux/seg6.h are out of date and
incomplete. Fix this. TLV constants are defined for PAD1, PADN, and HMAC
(the three defined in draft-ietf-6man-segment-routing-header-19). The
other TLVs are unused and are marked as obsoleted.

Signed-off-by: Tom Herbert
---
 include/uapi/linux/seg6.h | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/include/uapi/linux/seg6.h b/include/uapi/linux/seg6.h
index 286e8d6..3a7d324 100644
--- a/include/uapi/linux/seg6.h
+++ b/include/uapi/linux/seg6.h
@@ -38,10 +38,13 @@ struct ipv6_sr_hdr { #define SR6_FLAG1_ALERT (1 << 4) #define SR6_FLAG1_HMAC (1 << 3) -#define SR6_TLV_INGRESS 1 -#define SR6_TLV_EGRESS 2 -#define SR6_TLV_OPAQUE 3 -#define SR6_TLV_PADDING 4 + +#define SR6_TLV_INGRESS 1 /* obsoleted */ +#define SR6_TLV_EGRESS 2 /* obsoleted */ +#define SR6_TLV_OPAQUE 3 /* obsoleted */ + +#define SR6_TLV_PAD1 0 +#define SR6_TLV_PADN 1 #define SR6_TLV_HMAC 5 #define sr_has_hmac(srh) ((srh)->flags & SR6_FLAG1_HMAC) From patchwork Fri Jun 7 18:55:05 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tom Herbert X-Patchwork-Id: 1112173 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=herbertland.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=herbertland-com.20150623.gappssmtp.com header.i=@herbertland-com.20150623.gappssmtp.com header.b="y8+mim6P"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 45LBZ542sYz9sDB for ; Sat, 8 Jun 2019 04:55:57 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732011AbfFGSz4 (ORCPT ); Fri, 7 Jun 2019 14:55:56 -0400 Received: from mail-pf1-f194.google.com ([209.85.210.194]:39348 "EHLO mail-pf1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731177AbfFGSzw (ORCPT ); Fri, 7 Jun 2019 14:55:52 -0400 Received: by mail-pf1-f194.google.com with SMTP id j2so1686636pfe.6 for ; Fri, 07 Jun 2019 11:55:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
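Review bot: in the include/uapi/linux/seg6.h hunk, SR6_TLV_PADN is defined as 1 while the retained (obsoleted) SR6_TLV_INGRESS keeps the value 1, so the two uapi names alias each other and any switch that lists both fails to compile with a duplicate case; either give the obsolete names distinct, unused values or say in the comment that the value is reused by PADN. Along the same lines, SR6_TLV_PADDING is deleted outright from a uapi header rather than kept with an /* obsoleted */ comment like INGRESS, EGRESS and OPAQUE, which breaks userspace that still references the name; keep it with the same marker.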
From: Tom Herbert X-Google-Original-From: Tom Herbert To: davem@davemloft.net, netdev@vger.kernel.org, dlebrun@google.com Cc: Tom Herbert Subject: [RFC v2 PATCH 2/5] seg6: Obsolete unused SRH flags Date: Fri, 7 Jun 2019 11:55:05 -0700 Message-Id: <1559933708-13947-3-git-send-email-tom@quantonium.net> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1559933708-13947-1-git-send-email-tom@quantonium.net> References: <1559933708-13947-1-git-send-email-tom@quantonium.net> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Currently no flags are defined for segment routing in draft-ietf-6man-segment-routing-header-19. Mark them as being obsolete. The HMAC flag is the only one used by the stack. This needs additional consideration. Rewrite sr_has_hmac in uapi/linux/seg6.h to properly parse a segment routing header as opposed to relying on the now obsolete flag. Signed-off-by: Tom Herbert --- include/uapi/linux/seg6.h | 43 ++++++++++++++++++++++++++++++++++++------- 1 file changed, 36 insertions(+), 7 deletions(-) diff --git a/include/uapi/linux/seg6.h b/include/uapi/linux/seg6.h index 3a7d324..0d19a9c 100644 --- a/include/uapi/linux/seg6.h +++ b/include/uapi/linux/seg6.h @@ -33,11 +33,10 @@ struct ipv6_sr_hdr { struct in6_addr segments[0]; }; -#define SR6_FLAG1_PROTECTED (1 << 6) -#define SR6_FLAG1_OAM (1 << 5) -#define SR6_FLAG1_ALERT (1 << 4) -#define SR6_FLAG1_HMAC (1 << 3) - +#define SR6_FLAG1_PROTECTED (1 << 6) /* obsoleted */ +#define SR6_FLAG1_OAM (1 << 5) /* obsoleted */ +#define SR6_FLAG1_ALERT (1 << 4) /* obsoleted */ +#define SR6_FLAG1_HMAC (1 << 3) /* obsoleted */ #define SR6_TLV_INGRESS 1 /* obsoleted */ #define SR6_TLV_EGRESS 2 /* obsoleted */ 
@@ -47,12 +46,42 @@ struct ipv6_sr_hdr { #define SR6_TLV_PADN 1 #define SR6_TLV_HMAC 5 -#define sr_has_hmac(srh) ((srh)->flags & SR6_FLAG1_HMAC) - struct sr6_tlv { __u8 type; __u8 len; __u8 data[0]; }; +static inline int sr_hmac_offset(struct ipv6_sr_hdr *srh) +{ + unsigned char *opt = (unsigned char *)srh; + unsigned int off = sizeof(*srh) + ((srh->first_segment + 1) << 4); + int len = ((srh->hdrlen + 1) << 8) - off; + unsigned int optlen; + + while (len > 0) { + switch (opt[off]) { + case SR6_TLV_PAD1: + optlen = 1; + break; + case SR6_TLV_HMAC: + return off; + default: + if (len < sizeof(struct sr6_tlv)) + return 0; + + optlen = sizeof(struct sr6_tlv) + + ((struct sr6_tlv *)&opt[off])->len; + break; + } + + off += optlen; + len -= optlen; + } + + return 0; +} + +#define sr_has_hmac(srh) (!!sr_hmac_offset(srh)) + #endif From patchwork Fri Jun 7 18:55:06 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tom Herbert X-Patchwork-Id: 1112177 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=herbertland.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=herbertland-com.20150623.gappssmtp.com header.i=@herbertland-com.20150623.gappssmtp.com header.b="Ft/i+yf7"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 45LBZP2qdnz9sNd for ; Sat, 8 Jun 2019 04:56:13 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732311AbfFGS4B (ORCPT ); Fri, 7 Jun 2019 14:56:01 -0400 Received: from 
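Review bot: the flags hunk (@@ -33,11 +33,10 @@) marks SR6_FLAG1_HMAC obsoleted, yet the commit message says the HMAC flag is the only one the stack uses and "needs additional consideration", and the diff converts no setter or reader of the flag other than the sr_has_hmac macro. Either convert the remaining users in this series or word the comment as "deprecated, still set on transmit" so a reader of the header knows what receivers may still see.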
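Review bot: in the sr_hmac_offset hunk (@@ -47,12 +46,42 @@), `int len = ((srh->hdrlen + 1) << 8) - off;` looks wrong: hdrlen counts 8-octet units, so the header is `(srh->hdrlen + 1) << 3` bytes (the same `<< 3` arithmetic the series removes from ip6_parse_tlv in patch 3/5), and `<< 8` makes len 32 times too large, so for any SRH without an HMAC TLV the walker reads type bytes well past the end of the routing header and past the pulled skb data. Two more points on the loop: the SR6_TLV_HMAC case returns off without checking that sizeof(struct sr6_tlv_hmac) bytes remain, so a truncated HMAC TLV is handed to callers that dereference it, and the default case only checks `len < sizeof(struct sr6_tlv)` before `off += optlen`, so a TLV whose declared len exceeds the remaining space silently ends the walk instead of being rejected; suggest `if (len < sizeof(struct sr6_tlv) || optlen > len) return 0;` in both cases. Finally, include/uapi is exported to userspace; a parser with bounds assumptions of this kind belongs in include/net/seg6.h with only the constants left in uapi.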
From: Tom Herbert
X-Google-Original-From: Tom Herbert
To: davem@davemloft.net, netdev@vger.kernel.org, dlebrun@google.com
Cc: Tom Herbert
Subject: [RFC v2 PATCH 3/5] ipv6: Parameterize TLV parsing
Date: Fri, 7 Jun 2019 11:55:06 -0700
Message-Id: <1559933708-13947-4-git-send-email-tom@quantonium.net>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1559933708-13947-1-git-send-email-tom@quantonium.net>
References: <1559933708-13947-1-git-send-email-tom@quantonium.net>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

Add parameters to ip6_parse_tlv that will allow leveraging the function
for parsing segment routing TLVs. The new parameters are offset of TLVs,
length of the TLV block, and a function that is called in the case of an
unrecognized option.

Signed-off-by: Tom Herbert
---
 net/ipv6/exthdrs.c | 35 ++++++++++++++++++++++++-----------
 1 file changed, 24 insertions(+), 11 deletions(-)

diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index 20291c2..a394d20 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -112,15 +112,26 @@ static bool ip6_tlvopt_unknown(struct sk_buff *skb, int optoff, return false; } -/* Parse tlv encoded option header (hop-by-hop or destination) */ +/* Parse tlv encoded option header (hop-by-hop or destination) + * + * Arguments: + * procs - TLV proc structure + * skb - skbuff containing TLVs + * max_count - absolute value is maximum nuber of TLVs. If less than zero + * then unknown TLVs are disallowed regardless of disposition + * indicated by TLV type + * off - offset of first TLV relative to the first byte of the extension + * header which is transport header of the skb + * len - length of TLV block + * unknown_opt - function called when unknown option is encountered + */ static bool ip6_parse_tlv(const struct tlvtype_proc *procs, - struct sk_buff *skb, - int max_count) + struct sk_buff *skb, int max_count, int off, int len, + bool (*unknown_opt)(struct sk_buff *skb, int optoff, + bool disallow_unknowns)) { - int len = (skb_transport_header(skb)[1] + 1) << 3; const unsigned char *nh = skb_network_header(skb); - int off = skb_network_header_len(skb); const struct tlvtype_proc *curr; bool disallow_unknowns = false; int tlv_count = 0; @@ -131,11 +142,11 @@ static bool ip6_parse_tlv(const struct tlvtype_proc *procs, max_count = -max_count; } - if (skb_transport_offset(skb) + len > skb_headlen(skb)) + if (skb_transport_offset(skb) + off + len > skb_headlen(skb)) goto bad; - off += 2; - len -= 2; + /* Offset relative to network header for parse loop */ + off += skb_network_header_len(skb); while (len > 0) { int optlen = nh[off + 1] + 2; @@ -187,7 +198,7 @@ static bool ip6_parse_tlv(const struct tlvtype_proc *procs, } } if (curr->type < 0 && - !ip6_tlvopt_unknown(skb, off, disallow_unknowns)) + !unknown_opt(skb, off, disallow_unknowns)) return false; padlen = 0; 
@@ -309,7 +320,8 @@ static int ipv6_destopt_rcv(struct sk_buff *skb) #endif if (ip6_parse_tlv(tlvprocdestopt_lst, skb, - init_net.ipv6.sysctl.max_dst_opts_cnt)) { + init_net.ipv6.sysctl.max_dst_opts_cnt, + 2, extlen - 2, ip6_tlvopt_unknown)) { skb->transport_header += extlen; opt = IP6CB(skb); #if IS_ENABLED(CONFIG_IPV6_MIP6) 
@@ -848,7 +860,8 @@ int ipv6_parse_hopopts(struct sk_buff *skb) opt->flags |= IP6SKB_HOPBYHOP; if (ip6_parse_tlv(tlvprochopopt_lst, skb, - init_net.ipv6.sysctl.max_hbh_opts_cnt)) { + init_net.ipv6.sysctl.max_hbh_opts_cnt, + 2, extlen - 2, ip6_tlvopt_unknown)) { skb->transport_header += extlen; opt = IP6CB(skb); opt->nhoff = sizeof(struct ipv6hdr); From patchwork Fri Jun 7 18:55:07 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tom Herbert X-Patchwork-Id: 1112175 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=herbertland.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=herbertland-com.20150623.gappssmtp.com header.i=@herbertland-com.20150623.gappssmtp.com header.b="rEf7xZve"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 45LBZD65lTz9sBp for ; Sat, 8 Jun 2019 04:56:04 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732322AbfFGS4C (ORCPT ); Fri, 7 Jun 2019 14:56:02 -0400 Received: from mail-pl1-f195.google.com ([209.85.214.195]:35373 "EHLO mail-pl1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732315AbfFGS4B (ORCPT ); Fri, 7 Jun 2019 14:56:01 -0400 Received: by mail-pl1-f195.google.com with SMTP id p1so1164868plo.2 for ; Fri, 07 Jun 2019 11:56:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=herbertland-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references; 
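Review bot: in the ip6_parse_tlv hunk (@@ -112,15 +112,26 @@), the new callback is invoked unconditionally at `!unknown_opt(skb, off, disallow_unknowns)`, so a NULL unknown_opt oopses on the first unrecognized TLV; either treat NULL as "skip" or state in the argument comment that the callback is mandatory. The comment block also has "maximum nuber of TLVs" (number), and it documents `off` as relative to the extension header while, after `off += skb_network_header_len(skb);`, the value passed to unknown_opt (and to the per-type handlers) is relative to the network header; spell that out, since later patches pass this offset on to other code.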
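Review bot: in the ipv6_destopt_rcv hunk (@@ -309,7 +320,8 @@), and identically in the ipv6_parse_hopopts hunk, the caller passes `2, extlen - 2` for the TLV block. A short comment or a named constant that 2 is sizeof(struct ipv6_opt_hdr) would avoid the magic number at both call sites, and `extlen - 2` relies on extlen having been validated as at least 8 earlier in each function, which the hunk does not show; worth a comment at the call.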
From: Tom Herbert
X-Google-Original-From: Tom Herbert
To: davem@davemloft.net, netdev@vger.kernel.org, dlebrun@google.com
Cc: Tom Herbert
Subject: [RFC v2 PATCH 4/5] seg6: Add sysctl limits for segment routing header
Date: Fri, 7 Jun 2019 11:55:07 -0700
Message-Id: <1559933708-13947-5-git-send-email-tom@quantonium.net>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1559933708-13947-1-git-send-email-tom@quantonium.net>
References: <1559933708-13947-1-git-send-email-tom@quantonium.net>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

These are analogous to the sysctls that were defined for IPv6 Destination
and Hop-by-Hop Options.

Signed-off-by: Tom Herbert
---
 include/net/ipv6.h         | 31 ++++++++++++++++++-------------
 include/net/netns/ipv6.h   |  2 ++
 net/ipv6/af_inet6.c        |  2 ++
 net/ipv6/sysctl_net_ipv6.c | 16 ++++++++++++++++
 4 files changed, 38 insertions(+), 13 deletions(-)

diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 0d34f6e..0633e50 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -52,45 +52,50 @@ #define IPV6_DEFAULT_HOPLIMIT 64 #define IPV6_DEFAULT_MCASTHOPS 1 -/* Limits on Hop-by-Hop and Destination options. +/* Limits on Hop-by-Hop, Destination, and Segment Routing TLV options. * * Per RFC8200 there is no limit on the maximum number or lengths of options in * Hop-by-Hop or Destination options other then the packet must fit in an MTU. - * We allow configurable limits in order to mitigate potential denial of - * service attacks. + * Similarly, TLVs in a segment routing header lack a specific limit. We allow + * configurable limits in order to mitigate potential denial of service attacks. * * There are three limits that may be set: * - Limit the number of options in a Hop-by-Hop or Destination options - * extension header + * extension header, or the number of TLVs in a Segment Routing Header. * - Limit the byte length of a Hop-by-Hop or Destination options extension - * header - * - Disallow unknown options + * header, or the length of TLV block in a Segment Routing Header. + * - Disallow unknown options. * * The limits are expressed in corresponding sysctls: * * ipv6.sysctl.max_dst_opts_cnt * ipv6.sysctl.max_hbh_opts_cnt + * ipv6.sysctl.max_srh_opts_cnt * ipv6.sysctl.max_dst_opts_len * ipv6.sysctl.max_hbh_opts_len + * ipv6.sysctl.max_srh_opts_len * * max_*_opts_cnt is the number of TLVs that are allowed for Destination - * options or Hop-by-Hop options. If the number is less than zero then unknown - * TLVs are disallowed and the number of known options that are allowed is the - * absolute value. Setting the value to INT_MAX indicates no limit. + * Options or Hop-by-Hop Options, or the number of TLVs in Segment Routing + * TLVs. If the number is less than zero then unknown TLVs are disallowed and + * the number of known options that are allowed is the absolute value. Setting + * the value to INT_MAX indicates no limit. * - * max_*_opts_len is the length limit in bytes of a Destination or - * Hop-by-Hop options extension header. 
Setting the value to INT_MAX - * indicates no length limit. + * max_*_opts_len is the length limit in bytes of a Destination or Hop-by-Hop, + * options extension header, or the length of the TLV block in a Segment + * Routing Header. Setting the value to INT_MAX indicates no length limit. * * If a limit is exceeded when processing an extension header the packet is - * silently discarded. + * discarded and an appropriate ICMP error is sent. */ /* Default limits for Hop-by-Hop and Destination options */ #define IP6_DEFAULT_MAX_DST_OPTS_CNT 8 #define IP6_DEFAULT_MAX_HBH_OPTS_CNT 8 +#define IP6_DEFAULT_MAX_SRH_OPTS_CNT 8 #define IP6_DEFAULT_MAX_DST_OPTS_LEN INT_MAX /* No limit */ #define IP6_DEFAULT_MAX_HBH_OPTS_LEN INT_MAX /* No limit */ +#define IP6_DEFAULT_MAX_SRH_OPTS_LEN INT_MAX /* No limit */ /* * Addr type diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h index 022a0fd..2cb53b3 100644 --- a/include/net/netns/ipv6.h +++ b/include/net/netns/ipv6.h @@ -47,8 +47,10 @@ struct netns_sysctl_ipv6 { int flowlabel_reflect; int max_dst_opts_cnt; int max_hbh_opts_cnt; + int max_srh_opts_cnt; int max_dst_opts_len; int max_hbh_opts_len; + int max_srh_opts_len; int seg6_flowlabel; bool skip_notify_on_dev_down; }; diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index ceab2fe2..d8dc360 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c @@ -862,8 +862,10 @@ static int __net_init inet6_net_init(struct net *net) net->ipv6.sysctl.flowlabel_state_ranges = 0; net->ipv6.sysctl.max_dst_opts_cnt = IP6_DEFAULT_MAX_DST_OPTS_CNT; net->ipv6.sysctl.max_hbh_opts_cnt = IP6_DEFAULT_MAX_HBH_OPTS_CNT; + net->ipv6.sysctl.max_srh_opts_cnt = IP6_DEFAULT_MAX_SRH_OPTS_CNT; net->ipv6.sysctl.max_dst_opts_len = IP6_DEFAULT_MAX_DST_OPTS_LEN; net->ipv6.sysctl.max_hbh_opts_len = IP6_DEFAULT_MAX_HBH_OPTS_LEN; + net->ipv6.sysctl.max_srh_opts_len = IP6_DEFAULT_MAX_SRH_OPTS_LEN; atomic_set(&net->ipv6.fib6_sernum, 1); err = ipv6_init_mibs(net); 
diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c index 6d86fac..5fee576 100644 --- a/net/ipv6/sysctl_net_ipv6.c +++ b/net/ipv6/sysctl_net_ipv6.c @@ -162,6 +162,20 @@ static struct ctl_table ipv6_table_template[] = { .mode = 0644, .proc_handler = proc_dointvec }, + { + .procname = "max_srh_opts_number", + .data = &init_net.ipv6.sysctl.max_srh_opts_cnt, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec + }, + { + .procname = "max_srh_tlvs_length", + .data = &init_net.ipv6.sysctl.max_srh_opts_len, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec + }, { } }; 
@@ -228,6 +242,8 @@ static int __net_init ipv6_sysctl_net_init(struct net *net) ipv6_table[13].data = &net->ipv6.sysctl.max_hbh_opts_len; ipv6_table[14].data = &net->ipv6.sysctl.multipath_hash_policy, ipv6_table[15].data = &net->ipv6.sysctl.seg6_flowlabel; + ipv6_table[16].data = &net->ipv6.sysctl.max_srh_opts_cnt; + ipv6_table[17].data = &net->ipv6.sysctl.max_srh_opts_len; ipv6_route_table = ipv6_route_sysctl_init(net); if (!ipv6_route_table) From patchwork Fri Jun 7 18:55:08 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tom Herbert X-Patchwork-Id: 1112176 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=herbertland.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=herbertland-com.20150623.gappssmtp.com header.i=@herbertland-com.20150623.gappssmtp.com header.b="exRzuM1B"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 45LBZJ07Fjz9sBp for ; Sat, 8 Jun 2019 04:56:08 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732328AbfFGS4F (ORCPT ); Fri, 7 Jun 2019 14:56:05 -0400 Received: from mail-pl1-f195.google.com ([209.85.214.195]:42065 "EHLO mail-pl1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732323AbfFGS4D (ORCPT ); Fri, 7 Jun 2019 14:56:03 -0400 Received: by mail-pl1-f195.google.com with SMTP id go2so1151060plb.9 for ; Fri, 07 Jun 2019 11:56:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; 
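Review bot: in the include/net/ipv6.h comment hunk (@@ -52,45 +52,50 @@), changing "silently discarded" to "discarded and an appropriate ICMP error is sent" is not backed by code in this series: the new SRH length check in ipv6_srh_rcv (patch 5/5) does `kfree_skb(skb); return -1;` with no icmpv6_param_prob, and ip6_parse_tlv's limit handling is untouched. Keep the original sentence or make the drop paths send the error. Same hunk, style: "a Destination or Hop-by-Hop, options extension header" has a stray comma.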
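Review bot: in the net/ipv6/sysctl_net_ipv6.c template hunk (@@ -162,6 +162,20 @@), the two procnames are inconsistent with each other, `max_srh_opts_number` versus `max_srh_tlvs_length`, and with the header comment in this series, which documents them as max_srh_opts_cnt and max_srh_opts_len; rename the second to `max_srh_opts_length`. Also, the diffstat lists no Documentation change: the two new knobs need an entry in the ip-sysctl documentation with their defaults (8 and INT_MAX) and the negative-value semantics described in the ipv6.h comment.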
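Review bot: in the ipv6_sysctl_net_init hunk (@@ -228,6 +242,8 @@), the per-netns wiring at ipv6_table[16] and [17] is positional and depends on the two new template entries being exactly the 17th and 18th; a comment tying these indices to the template order (or an ARRAY_SIZE/BUILD_BUG_ON check) would catch the next insertion. Note also that patch 5/5 reads `init_net.ipv6.sysctl.max_srh_opts_cnt` rather than `net->...`, so the per-netns count limit wired up here is never consulted outside init_net.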
From: Tom Herbert X-Google-Original-From: Tom Herbert To: davem@davemloft.net, netdev@vger.kernel.org, dlebrun@google.com Cc: Tom Herbert Subject: [RFC v2 PATCH 5/5] seg6: Leverage ip6_parse_tlv Date: Fri, 7 Jun 2019 11:55:08 -0700 Message-Id: <1559933708-13947-6-git-send-email-tom@quantonium.net> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1559933708-13947-1-git-send-email-tom@quantonium.net> References: <1559933708-13947-1-git-send-email-tom@quantonium.net> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Call ip6_parse_tlv from segment routing receive function to properly parse TLVs and to leverage to existing implementation that already parses Destination and Hop-by-Hop Options. This includes applying the denial of service mitigations and limits to processing segment routing TLVs. Signed-off-by: Tom Herbert --- include/net/seg6.h | 5 +++++ include/net/seg6_hmac.h | 2 +- net/ipv6/exthdrs.c | 51 ++++++++++++++++++++++++++++++++++++++++++++++--- net/ipv6/seg6_hmac.c | 16 +++------------- net/ipv6/seg6_local.c | 21 ++++++++++++++------ 5 files changed, 72 insertions(+), 23 deletions(-) diff --git a/include/net/seg6.h b/include/net/seg6.h index 8b2dc68..b7d8a94 100644 --- a/include/net/seg6.h +++ b/include/net/seg6.h @@ -38,6 +38,11 @@ static inline void update_csum_diff16(struct sk_buff *skb, __be32 *from, skb->csum = ~csum_partial((char *)diff, sizeof(diff), ~skb->csum); } +static inline unsigned int seg6_tlv_offset(struct ipv6_sr_hdr *srh) +{ + return sizeof(*srh) + ((srh->first_segment + 1) << 4); +} + struct seg6_pernet_data { struct mutex lock; struct in6_addr __rcu *tun_src; diff --git a/include/net/seg6_hmac.h b/include/net/seg6_hmac.h index 7fda469..6ad33e2 100644 --- a/include/net/seg6_hmac.h +++ b/include/net/seg6_hmac.h 
@@ -53,7 +53,7 @@ extern int seg6_hmac_info_add(struct net *net, u32 key, extern int seg6_hmac_info_del(struct net *net, u32 key); extern int seg6_push_hmac(struct net *net, struct in6_addr *saddr, struct ipv6_sr_hdr *srh); -extern bool seg6_hmac_validate_skb(struct sk_buff *skb); +extern bool seg6_hmac_validate_skb(struct sk_buff *skb, int optoff); extern int seg6_hmac_init(void); extern void seg6_hmac_exit(void); extern int seg6_hmac_net_init(struct net *net); diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c index a394d20..7d14c0d 100644 --- a/net/ipv6/exthdrs.c +++ b/net/ipv6/exthdrs.c @@ -112,7 +112,8 @@ static bool ip6_tlvopt_unknown(struct sk_buff *skb, int optoff, return false; } -/* Parse tlv encoded option header (hop-by-hop or destination) +/* Parse tlv encoded option header (hop-by-hop, destination, or + * segment routing header) * * Arguments: * procs - TLV proc structure @@ -365,14 +366,42 @@ static void seg6_update_csum(struct sk_buff *skb) (__be32 *)addr); } +static bool seg6_recv_hmac(struct sk_buff *skb, int optoff) +{ + if (!seg6_hmac_validate_skb(skb, optoff)) { + kfree_skb(skb); + return false; + } + + return true; +} + +static const struct tlvtype_proc tlvprocsrhopt_lst[] = { +#ifdef CONFIG_IPV6_SEG6_HMAC + { + .type = SR6_TLV_HMAC, + .func = seg6_recv_hmac, + }, +#endif + {-1, NULL} +}; + +static bool seg6_srhopt_unknown(struct sk_buff *skb, int optoff, + bool disallow_unknowns) +{ + /* Unknown segment routing header options are ignored */ + + return !disallow_unknowns; +} + static int ipv6_srh_rcv(struct sk_buff *skb) { struct inet6_skb_parm *opt = IP6CB(skb); struct net *net = dev_net(skb->dev); + int accept_seg6, tlvoff, tlvlen; struct ipv6_sr_hdr *hdr; struct inet6_dev *idev; struct in6_addr *addr; - int accept_seg6; hdr = (struct ipv6_sr_hdr *)skb_transport_header(skb); 
@@ -387,8 +416,24 @@ static int ipv6_srh_rcv(struct sk_buff *skb) return -1; } + tlvoff = seg6_tlv_offset(hdr); + tlvlen = ipv6_optlen((struct ipv6_opt_hdr *)hdr) - tlvoff; + + if (tlvlen) { + if (tlvlen > net->ipv6.sysctl.max_srh_opts_len) { + kfree_skb(skb); + return -1; + } + + if (!ip6_parse_tlv(tlvprocsrhopt_lst, skb, + init_net.ipv6.sysctl.max_srh_opts_cnt, + tlvoff, tlvlen, seg6_srhopt_unknown)) + return -1; + } + #ifdef CONFIG_IPV6_SEG6_HMAC - if (!seg6_hmac_validate_skb(skb)) { + if (idev->cnf.seg6_require_hmac > 0 && !sr_has_hmac(hdr)) { + /* mandatory check but no HMAC tlv */ kfree_skb(skb); return -1; } diff --git a/net/ipv6/seg6_hmac.c b/net/ipv6/seg6_hmac.c index 8546f94..18f82f2 100644 --- a/net/ipv6/seg6_hmac.c +++ b/net/ipv6/seg6_hmac.c @@ -240,7 +240,7 @@ EXPORT_SYMBOL(seg6_hmac_compute); * * called with rcu_read_lock() */ -bool seg6_hmac_validate_skb(struct sk_buff *skb) +bool seg6_hmac_validate_skb(struct sk_buff *skb, int optoff) { u8 hmac_output[SEG6_HMAC_FIELD_LEN]; struct net *net = dev_net(skb->dev); @@ -251,23 +251,13 @@ bool seg6_hmac_validate_skb(struct sk_buff *skb) idev = __in6_dev_get(skb->dev); - srh = (struct ipv6_sr_hdr *)skb_transport_header(skb); - - tlv = seg6_get_tlv_hmac(srh); - - /* mandatory check but no tlv */ - if (idev->cnf.seg6_require_hmac > 0 && !tlv) - return false; - /* no check */ if (idev->cnf.seg6_require_hmac < 0) return true; - /* check only if present */ - if (idev->cnf.seg6_require_hmac == 0 && !tlv) - return true; + srh = (struct ipv6_sr_hdr *)skb_transport_header(skb); - /* now, seg6_require_hmac >= 0 && tlv */ + tlv = (struct sr6_tlv_hmac *)(skb_network_header(skb) + optoff); hinfo = seg6_hmac_info_lookup(net, be32_to_cpu(tlv->hmackeyid)); if (!hinfo) diff --git a/net/ipv6/seg6_local.c b/net/ipv6/seg6_local.c index 78155fd..d486ed8 100644 --- a/net/ipv6/seg6_local.c +++ b/net/ipv6/seg6_local.c 
@@ -92,6 +92,19 @@ static struct ipv6_sr_hdr *get_srh(struct sk_buff *skb) return srh; } +static bool seg6_local_hmac_validate_skb(struct sk_buff *skb, + struct ipv6_sr_hdr *srh) +{ +#ifdef CONFIG_IPV6_SEG6_HMAC + int off = sr_hmac_offset(srh); + + return off ? seg6_hmac_validate_skb(skb, off) : + (__in6_dev_get(skb->dev)->cnf.seg6_require_hmac <= 0); +#else + return true; +#endif +} + static struct ipv6_sr_hdr *get_and_validate_srh(struct sk_buff *skb) { struct ipv6_sr_hdr *srh; @@ -103,10 +116,8 @@ static struct ipv6_sr_hdr *get_and_validate_srh(struct sk_buff *skb) if (srh->segments_left == 0) return NULL; -#ifdef CONFIG_IPV6_SEG6_HMAC - if (!seg6_hmac_validate_skb(skb)) + if (!seg6_local_hmac_validate_skb(skb, srh)) return NULL; -#endif return srh; } @@ -120,10 +131,8 @@ static bool decap_and_validate(struct sk_buff *skb, int proto) if (srh && srh->segments_left > 0) return false; -#ifdef CONFIG_IPV6_SEG6_HMAC - if (srh && !seg6_hmac_validate_skb(skb)) + if (srh && !seg6_local_hmac_validate_skb(skb, srh)) return false; -#endif if (ipv6_find_hdr(skb, &off, proto, NULL, NULL) < 0) return false;
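Review bot: In the exthdrs.c hunk that adds tlvprocsrhopt_lst (@@ -365,14 +366,42 @@), the comment in seg6_srhopt_unknown() says unknown segment routing header options "are ignored", but the function returns `!disallow_unknowns`, so they are rejected whenever the caller asks for that; make the comment say "ignored unless disallow_unknowns is set". Style point in the same hunk: seg6_recv_hmac() is defined outside `#ifdef CONFIG_IPV6_SEG6_HMAC` but is only referenced from inside it, so a build without HMAC support gets an unused static function (and a build break if seg6_hmac_validate_skb() is not declared in that configuration); move the helper under the same #ifdef as its table entry.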
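Review bot: In the ipv6_srh_rcv() hunk (exthdrs.c, @@ -387,8 +416,24 @@), `tlvlen = ipv6_optlen((struct ipv6_opt_hdr *)hdr) - tlvoff;` is computed without checking that tlvoff lies inside the header length, and nothing visible in the hunk rules out a first_segment value that places seg6_tlv_offset() past the end of the SRH. tlvlen is a signed int, so a negative result is non-zero, satisfies `if (tlvlen)`, and is not caught by `tlvlen > net->ipv6.sysctl.max_srh_opts_len`, which lets an inconsistent length reach ip6_parse_tlv(). Suggest `if (tlvlen < 0) { kfree_skb(skb); return -1; }` ahead of the parse, or a comment naming the earlier SRH validation that already guarantees it if one exists outside this hunk. Two smaller points: the two limits come from different namespaces, `net->ipv6.sysctl.max_srh_opts_len` for the length but `init_net.ipv6.sysctl.max_srh_opts_cnt` for the count passed to ip6_parse_tlv(); both should use `net`. And the replacement for the removed `!tlv` test, `idev->cnf.seg6_require_hmac > 0 && !sr_has_hmac(hdr)`, is evaluated on the header rather than on the outcome of the TLV walk, so it does not by itself establish that seg6_recv_hmac() ran and succeeded; if seg6_require_hmac > 0 is meant to guarantee a verified HMAC TLV, have seg6_recv_hmac() record that it ran (for example in IP6CB(skb)) and test that record here.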
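Review bot: In the seg6_hmac_validate_skb() hunk (seg6_hmac.c, @@ -251,23 +251,13 @@), the removed seg6_get_tlv_hmac() lookup is replaced by the bare cast `tlv = (struct sr6_tlv_hmac *)(skb_network_header(skb) + optoff);`, so whatever that helper verified about the TLV itself (in particular that its length matches a struct sr6_tlv_hmac) is no longer done anywhere visible before `tlv->hmackeyid` and the rest of the TLV are read and compared against hmac_output. Even if ip6_parse_tlv() keeps the TLV inside the option area, it cannot know the fixed size this TLV type requires; check the TLV's length field against sizeof(struct sr6_tlv_hmac), either in seg6_recv_hmac() or at the top of this function, and return false on mismatch. The function now trusts optoff from its caller, so a one-line comment stating that contract (the TLV has been located and bounds-checked by the tlv proc) would also help the next reader.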
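Review bot: In the seg6_local.c hunk adding seg6_local_hmac_validate_skb() (@@ -92,6 +92,19 @@), this path locates the HMAC TLV with sr_hmac_offset(srh) and calls seg6_hmac_validate_skb() directly, without going through ip6_parse_tlv(); the max_srh_opts_len/max_srh_opts_cnt limits and the TLV walk added to ipv6_srh_rcv() therefore do not apply to packets handled by get_and_validate_srh() and decap_and_validate(). If that is intentional, the commit message should say the denial of service limits cover the exthdrs receive path only; otherwise consider running the same ip6_parse_tlv(tlvprocsrhopt_lst, ...) walk here. Minor: the ternary `off ? seg6_hmac_validate_skb(skb, off) : (__in6_dev_get(skb->dev)->cnf.seg6_require_hmac <= 0)` reads more clearly as an if/else with a comment that a missing TLV is accepted unless the HMAC is required, and sr_hmac_offset() is not introduced by this patch, so the cover letter should name the patch in the series that provides it.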
