From patchwork Mon Feb 10 14:14:19 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Jason A. Donenfeld" X-Patchwork-Id: 1235842 X-Patchwork-Delegate: davem@davemloft.net Received: by 
frisell.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id 4a430e6a (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256:NO); Mon, 10 Feb 2020 14:13:41 +0000 (UTC) From: "Jason A. Donenfeld" To: netdev@vger.kernel.org, davem@davemloft.net Cc: "Jason A. Donenfeld" , Florian Westphal Subject: [PATCH v2 net 1/5] icmp: introduce helper for NAT'd source address in network device context Date: Mon, 10 Feb 2020 15:14:19 +0100 Message-Id: <20200210141423.173790-2-Jason@zx2c4.com> In-Reply-To: <20200210141423.173790-1-Jason@zx2c4.com> References: <20200210141423.173790-1-Jason@zx2c4.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org This introduces a helper function to be called only by network drivers that wraps calls to icmp[v6]_send in a conntrack transformation, in case NAT has been used. The transformation happens only on a non-shared skb, and the skb is fixed back up to its original state after, in case the calling code continues to use it. We don't want to pollute the non-driver path, though, so we introduce this as a helper to be called by places that actually make use of this, as suggested by Florian. Signed-off-by: Jason A. Donenfeld Cc: Florian Westphal --- include/linux/icmpv6.h | 6 ++++++ include/net/icmp.h | 6 ++++++ net/ipv4/icmp.c | 29 +++++++++++++++++++++++++++++ net/ipv6/ip6_icmp.c | 30 ++++++++++++++++++++++++++++++ 4 files changed, 71 insertions(+) diff --git a/include/linux/icmpv6.h b/include/linux/icmpv6.h index ef1cbb5f454f..93338fd54af8 100644 --- a/include/linux/icmpv6.h +++ b/include/linux/icmpv6.h @@ -31,6 +31,12 @@ static inline void icmpv6_send(struct sk_buff *skb, } #endif +#if IS_ENABLED(CONFIG_NF_NAT) +void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info); +#else +#define icmpv6_ndo_send icmpv6_send +#endif + extern int icmpv6_init(void); extern int icmpv6_err_convert(u8 type, u8 code, int *err); 
diff --git a/include/net/icmp.h b/include/net/icmp.h index 5d4bfdba9adf..9ac2d2672a93 100644 --- a/include/net/icmp.h +++ b/include/net/icmp.h @@ -43,6 +43,12 @@ static inline void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 __icmp_send(skb_in, type, code, info, &IPCB(skb_in)->opt); } +#if IS_ENABLED(CONFIG_NF_NAT) +void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info); +#else +#define icmp_ndo_send icmp_send +#endif + int icmp_rcv(struct sk_buff *skb); int icmp_err(struct sk_buff *skb, u32 info); int icmp_init(void); diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index 18068ed42f25..5ca36181d4f4 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c @@ -748,6 +748,35 @@ out:; } EXPORT_SYMBOL(__icmp_send); +#if IS_ENABLED(CONFIG_NF_NAT) +#include +void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info) +{ + struct sk_buff *cloned_skb = NULL; + enum ip_conntrack_info ctinfo; + struct nf_conn *ct; + __be32 orig_ip; + + ct = nf_ct_get(skb_in, &ctinfo); + if (ct) { + if (skb_shared(skb_in)) { + skb_in = cloned_skb = skb_clone(skb_in, GFP_ATOMIC); + if (unlikely(!skb_in)) + return; + } + orig_ip = ip_hdr(skb_in)->saddr; + ip_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.ip; + } + icmp_send(skb_in, type, code, info); + if (ct) { + if (cloned_skb) + consume_skb(cloned_skb); + else + ip_hdr(skb_in)->saddr = orig_ip; + } +} +EXPORT_SYMBOL(icmp_ndo_send); +#endif static void icmp_socket_deliver(struct sk_buff *skb, u32 info) { diff --git a/net/ipv6/ip6_icmp.c b/net/ipv6/ip6_icmp.c index 02045494c24c..ee364d61b789 100644 --- a/net/ipv6/ip6_icmp.c +++ b/net/ipv6/ip6_icmp.c 
@@ -45,4 +45,34 @@ void icmpv6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info) rcu_read_unlock(); } EXPORT_SYMBOL(icmpv6_send); + +#if IS_ENABLED(CONFIG_NF_NAT) +#include +void icmpv6_ndo_send(struct sk_buff *skb_in, u8 type, u8 code, __u32 info) +{ + struct sk_buff *cloned_skb = NULL; + enum ip_conntrack_info ctinfo; + struct in6_addr orig_ip; + struct nf_conn *ct; + + ct = nf_ct_get(skb_in, &ctinfo); + if (ct) { + if (skb_shared(skb_in)) { + skb_in = cloned_skb = skb_clone(skb_in, GFP_ATOMIC); + if (unlikely(!skb_in)) + return; + } + orig_ip = ipv6_hdr(skb_in)->saddr; + ipv6_hdr(skb_in)->saddr = ct->tuplehash[0].tuple.src.u3.in6; + } + icmpv6_send(skb_in, type, code, info); + if (ct) { + if (cloned_skb) + consume_skb(cloned_skb); + else + ipv6_hdr(skb_in)->saddr = orig_ip; + } +} +EXPORT_SYMBOL(icmpv6_ndo_send); +#endif #endif From patchwork Mon Feb 10 14:14:20 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Jason A. 
Donenfeld" X-Patchwork-Id: 1235843 X-Patchwork-Delegate: davem@davemloft.net
From: "Jason A. Donenfeld"
To: netdev@vger.kernel.org, davem@davemloft.net
Cc: "Jason A. Donenfeld", Harald Welte
Subject: [PATCH v2 net 2/5] gtp: use icmp_ndo_send helper
Date: Mon, 10 Feb 2020 15:14:20 +0100
Message-Id: <20200210141423.173790-3-Jason@zx2c4.com>
In-Reply-To: <20200210141423.173790-1-Jason@zx2c4.com>
References: <20200210141423.173790-1-Jason@zx2c4.com>

Because gtp is calling icmp from network device context, it should use the ndo helper so that the rate limiting applies correctly.

Signed-off-by: Jason A. Donenfeld
Cc: Harald Welte
---
 drivers/net/gtp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c index af07ea760b35..672cd2caf2fb 100644 --- a/drivers/net/gtp.c +++ b/drivers/net/gtp.c 
@@ -546,8 +546,8 @@ static int gtp_build_skb_ip4(struct sk_buff *skb, struct net_device *dev, mtu < ntohs(iph->tot_len)) { netdev_dbg(dev, "packet too big, fragmentation needed\n"); memset(IPCB(skb), 0, sizeof(*IPCB(skb))); - icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, - htonl(mtu)); + icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, + htonl(mtu)); goto err_rt; } From patchwork Mon Feb 10 14:14:21 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Jason A. Donenfeld" X-Patchwork-Id: 1235844 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=zx2c4.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=zx2c4.com header.i=@zx2c4.com header.a=rsa-sha1 header.s=mail header.b=n3YLXU6/; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 48GSbw3wlZz9sT9 for ; Tue, 11 Feb 2020 01:15:24 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729145AbgBJOPY (ORCPT ); Mon, 10 Feb 2020 09:15:24 -0500 Received: from frisell.zx2c4.com ([192.95.5.64]:46911 "EHLO frisell.zx2c4.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727079AbgBJOPW (ORCPT ); Mon, 10 Feb 2020 09:15:22 -0500 Received: by frisell.zx2c4.com (ZX2C4 Mail Server) with ESMTP id ca70e53b; Mon, 10 Feb 2020 14:13:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=zx2c4.com; h=from:to:cc :subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; s=mail; 
From: "Jason A. Donenfeld"
To: netdev@vger.kernel.org, davem@davemloft.net
Cc: "Jason A. Donenfeld", Shannon Nelson
Subject: [PATCH v2 net 3/5] sunvnet: use icmp_ndo_send helper
Date: Mon, 10 Feb 2020 15:14:21 +0100
Message-Id: <20200210141423.173790-4-Jason@zx2c4.com>
In-Reply-To: <20200210141423.173790-1-Jason@zx2c4.com>
References: <20200210141423.173790-1-Jason@zx2c4.com>

Because sunvnet is calling icmp from network device context, it should use the ndo helper so that the rate limiting applies correctly. While we're at it, doing the additional route lookup before calling icmp_ndo_send is superfluous, since this is the job of the icmp code in the first place.

Signed-off-by: Jason A. Donenfeld
Cc: Shannon Nelson
---
 drivers/net/ethernet/sun/sunvnet_common.c | 23 ++++-------------------
 1 file changed, 4 insertions(+), 19 deletions(-)

diff --git a/drivers/net/ethernet/sun/sunvnet_common.c b/drivers/net/ethernet/sun/sunvnet_common.c index c23ce838ff63..8dc6c9ff22e1 100644 --- a/drivers/net/ethernet/sun/sunvnet_common.c +++ b/drivers/net/ethernet/sun/sunvnet_common.c 
@@ -1350,27 +1350,12 @@ sunvnet_start_xmit_common(struct sk_buff *skb, struct net_device *dev, if (vio_version_after_eq(&port->vio, 1, 3)) localmtu -= VLAN_HLEN; - if (skb->protocol == htons(ETH_P_IP)) { - struct flowi4 fl4; - struct rtable *rt = NULL; - - memset(&fl4, 0, sizeof(fl4)); - fl4.flowi4_oif = dev->ifindex; - fl4.flowi4_tos = RT_TOS(ip_hdr(skb)->tos); - fl4.daddr = ip_hdr(skb)->daddr; - fl4.saddr = ip_hdr(skb)->saddr; - - rt = ip_route_output_key(dev_net(dev), &fl4); - if (!IS_ERR(rt)) { - skb_dst_set(skb, &rt->dst); - icmp_send(skb, ICMP_DEST_UNREACH, - ICMP_FRAG_NEEDED, - htonl(localmtu)); - } - } + if (skb->protocol == htons(ETH_P_IP)) + icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, + htonl(localmtu)); #if IS_ENABLED(CONFIG_IPV6) else if (skb->protocol == htons(ETH_P_IPV6)) - icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, localmtu); + icmpv6_ndo_send(skb, ICMPV6_PKT_TOOBIG, 0, localmtu); #endif goto out_dropped; } From patchwork Mon Feb 10 14:14:22 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Jason A. 
Donenfeld" X-Patchwork-Id: 1235845 X-Patchwork-Delegate: davem@davemloft.net
From: "Jason A. Donenfeld"
To: netdev@vger.kernel.org, davem@davemloft.net
Cc: "Jason A. Donenfeld"
Subject: [PATCH v2 net 4/5] wireguard: use icmp_ndo_send helper
Date: Mon, 10 Feb 2020 15:14:22 +0100
Message-Id: <20200210141423.173790-5-Jason@zx2c4.com>
In-Reply-To: <20200210141423.173790-1-Jason@zx2c4.com>
References: <20200210141423.173790-1-Jason@zx2c4.com>

Because wireguard is calling icmp from network device context, it should use the ndo helper so that the rate limiting applies correctly.

Signed-off-by: Jason A. Donenfeld
---
 drivers/net/wireguard/device.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireguard/device.c b/drivers/net/wireguard/device.c index 16b19824b9ad..43db442b1373 100644 --- a/drivers/net/wireguard/device.c +++ b/drivers/net/wireguard/device.c 
@@ -203,9 +203,9 @@ static netdev_tx_t wg_xmit(struct sk_buff *skb, struct net_device *dev) err: ++dev->stats.tx_errors; if (skb->protocol == htons(ETH_P_IP)) - icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0); + icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0); else if (skb->protocol == htons(ETH_P_IPV6)) - icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0); + icmpv6_ndo_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_ADDR_UNREACH, 0); kfree_skb(skb); return ret; } From patchwork Mon Feb 10 14:14:23 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Jason A. Donenfeld" X-Patchwork-Id: 1235846 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=zx2c4.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=zx2c4.com header.i=@zx2c4.com header.a=rsa-sha1 header.s=mail header.b=BgH17Baw; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 48GSc024Lbz9sT8 for ; Tue, 11 Feb 2020 01:15:28 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728359AbgBJOP1 (ORCPT ); Mon, 10 Feb 2020 09:15:27 -0500 Received: from frisell.zx2c4.com ([192.95.5.64]:46911 "EHLO frisell.zx2c4.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727434AbgBJOP0 (ORCPT ); Mon, 10 Feb 2020 09:15:26 -0500 Received: by frisell.zx2c4.com (ZX2C4 Mail Server) with ESMTP id 00978ed8; Mon, 10 Feb 2020 14:13:49 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=zx2c4.com; h=from:to:cc 
From: "Jason A. Donenfeld"
To: netdev@vger.kernel.org, davem@davemloft.net
Cc: "Jason A. Donenfeld", Nicolas Dichtel, Steffen Klassert
Subject: [PATCH v2 net 5/5] xfrm: interface: use icmp_ndo_send helper
Date: Mon, 10 Feb 2020 15:14:23 +0100
Message-Id: <20200210141423.173790-6-Jason@zx2c4.com>
In-Reply-To: <20200210141423.173790-1-Jason@zx2c4.com>
References: <20200210141423.173790-1-Jason@zx2c4.com>

Because xfrmi is calling icmp from network device context, it should use the ndo helper so that the rate limiting applies correctly.

Signed-off-by: Jason A. Donenfeld
Cc: Nicolas Dichtel
Cc: Steffen Klassert
---
 net/xfrm/xfrm_interface.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c index dc651a628dcf..3361e3ac5714 100644 --- a/net/xfrm/xfrm_interface.c +++ b/net/xfrm/xfrm_interface.c 
@@ -300,10 +300,10 @@ xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl) if (mtu < IPV6_MIN_MTU) mtu = IPV6_MIN_MTU; - icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu); + icmpv6_ndo_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu); } else { - icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, - htonl(mtu)); + icmp_ndo_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, + htonl(mtu)); } dst_release(dst); From patchwork Mon Feb 10 19:30:00 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Jason A. Donenfeld" X-Patchwork-Id: 1235979 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=zx2c4.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=zx2c4.com header.i=@zx2c4.com header.a=rsa-sha1 header.s=mail header.b=vENkfId5; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 48Gbb85vc4z9sRJ for ; Tue, 11 Feb 2020 06:30:12 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727538AbgBJTaL (ORCPT ); Mon, 10 Feb 2020 14:30:11 -0500 Received: from frisell.zx2c4.com ([192.95.5.64]:39921 "EHLO frisell.zx2c4.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727029AbgBJTaK (ORCPT ); Mon, 10 Feb 2020 14:30:10 -0500 Received: by frisell.zx2c4.com (ZX2C4 Mail Server) with ESMTP id e19eca6f; Mon, 10 Feb 2020 19:28:31 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=zx2c4.com; h=from:to:cc :subject:date:message-id:in-reply-to:references:mime-version :content-transfer-encoding; 
From: "Jason A. Donenfeld"
To: davem@davemloft.net, netdev@vger.kernel.org
Cc: "Jason A. Donenfeld"
Subject: [PATCH v2 net 6/5] wireguard: selftests: ensure that icmp src address is correct with NAT
Date: Mon, 10 Feb 2020 20:30:00 +0100
Message-Id: <20200210193000.453727-1-Jason@zx2c4.com>
In-Reply-To: <20200210141423.173790-1-Jason@zx2c4.com>
References: <20200210141423.173790-1-Jason@zx2c4.com>

This is a small test to ensure that icmp_ndo_send is actually doing the right thing with regards to the source address. It measures this by ensuring that there are a sufficient number of non-errors returned in a row, which should be impossible with proper rate limiting.

Signed-off-by: Jason A. Donenfeld
---
Here's a test for the WireGuard path of the series I submitted earlier today. This test correctly fails when using the old code, and succeeds when using the new code. If the "6/5" stupidity disrupts patchwork, no need to respond, and I'll just resubmit this later.

 tools/testing/selftests/wireguard/netns.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/tools/testing/selftests/wireguard/netns.sh b/tools/testing/selftests/wireguard/netns.sh index f5ab1cda8bb5..4e31d5b1bf7f 100755 --- a/tools/testing/selftests/wireguard/netns.sh +++ b/tools/testing/selftests/wireguard/netns.sh 
@@ -297,7 +297,17 @@ ip1 -4 rule add table main suppress_prefixlength 0 n1 ping -W 1 -c 100 -f 192.168.99.7 n1 ping -W 1 -c 100 -f abab::1111 +# Have ns2 NAT into wg0 packets from ns0, but return an icmp error along the right route. +n2 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.241.0/24 -j SNAT --to 192.168.241.2 +n0 iptables -t filter -A INPUT \! -s 10.0.0.0/24 -i vethrs -j DROP # Manual rpfilter just to be explicit. +n2 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward' +ip0 -4 route add 192.168.241.1 via 10.0.0.100 +n2 wg set wg0 peer "$pub1" remove +[[ $(! n0 ping -W 1 -c 1 192.168.241.1 || false) == *"From 10.0.0.100 icmp_seq=1 Destination Host Unreachable"* ]] + n0 iptables -t nat -F +n0 iptables -t filter -F +n2 iptables -t nat -F ip0 link del vethrc ip0 link del vethrs ip1 link del wg0
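
Review bot: the icmpv6_ndo_send prototype in the include/linux/icmpv6.h hunk (1/5) is keyed on CONFIG_NF_NAT alone and sits after the #endif that closes the icmpv6_send stub, while its definition is added inside an outer conditional in net/ipv6/ip6_icmp.c. Please check a CONFIG_IPV6=n, CONFIG_NF_NAT=y build: the wg_xmit and xfrmi_xmit2 call sites later in the series are not visibly guarded by CONFIG_IPV6, so they may reference a symbol that is declared but never built. Falling back to "#define icmpv6_ndo_send icmpv6_send" when IPv6 is disabled would cover that case.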
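
Review bot: in the net/ipv4/icmp.c hunk (1/5), the skb_shared() branch writes ip_hdr(skb_in)->saddr through the result of skb_clone(), but a clone shares its packet data with the original, so the rewritten source address is visible to every other holder of the buffer and is never put back (orig_ip is restored only in the non-cloned else branch). Call skb_ensure_writable() over the network header before the store, bail out if it fails, and restore saddr unconditionally after icmp_send() returns. A short kernel-doc comment stating that the helper is for ndo_start_xmit callers and may temporarily modify the header would also help driver authors.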
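
Review bot: in the net/ipv6/ip6_icmp.c hunk (1/5), ctinfo is filled by nf_ct_get() but never read, and the source is taken from the hard-coded ct->tuplehash[0] for every skb that has a conntrack entry, whether or not source NAT was applied and whichever direction the packet travels. Gate the rewrite on ct->status & IPS_SRC_NAT, and name the index IP_CT_DIR_ORIGINAL so the intent is readable. The same applies to the IPv4 copy of this function.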
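
Review bot: the sunvnet_start_xmit_common hunk (3/5) removes skb_dst_set(skb, &rt->dst) together with the route lookup, so the skb now reaches icmp_ndo_send() with whatever dst it carried into the xmit path. The commit message calls the lookup superfluous; please state in the description why icmp_send() does not need a dst attached at this point, because if it does, the fragmentation-needed error silently stops being generated and path MTU discovery through this device breaks.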
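
Review bot: the err: path in the wg_xmit hunk (4/5) calls icmp_ndo_send() and icmpv6_ndo_send() with no visible clearing of the skb control block, whereas the gtp hunk in 2/5 does memset(IPCB(skb), 0, sizeof(*IPCB(skb))) immediately before its call. icmp_send() passes &IPCB(skb_in)->opt to __icmp_send() (shown as context in the include/net/icmp.h hunk), so in ndo context the cb may still hold another layer's data and be parsed as IP options. Consider zeroing it, or passing zeroed options, inside the new helpers so that every driver caller is covered.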
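
Review bot: the check added in the netns.sh hunk (6/5) sends a single probe (ping -W 1 -c 1) and matches one "Destination Host Unreachable" line, while the commit message describes counting a number of non-errors returned in a row; align the description with what is tested, or add the repeated-probe check it describes. The exit status of $(! n0 ping ... || false) is discarded inside [[ ... ]], so only the string match decides pass or fail, and that string depends on the ping implementation's output format. The hunk flushes the iptables rules it adds but leaves ip_forward enabled in ns2 and the "$pub1" peer removed from wg0; restore both if further tests are ever placed after this block.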