From patchwork Sat Mar 4 00:12:37 2023
X-Patchwork-Submitter: Xin Long
X-Patchwork-Id: 1751680
X-Patchwork-Delegate: pablo@netfilter.org
From: Xin Long
To: netfilter-devel@vger.kernel.org, network dev
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, davem@davemloft.net, kuba@kernel.org, Eric Dumazet, Paolo Abeni, Roopa Prabhu, Nikolay Aleksandrov, Pravin B Shelar, Aaron Conole
Subject: [PATCH nf-next 1/6] netfilter: bridge: call pskb_may_pull in br_nf_check_hbh_len
Date: Fri, 3 Mar 2023 19:12:37 -0500
Message-Id: <4c156bee64fa58bacb808cead7a7f43d531fd587.1677888566.git.lucien.xin@gmail.com>

When checking the Hop-by-hop option header, if the option data is in a nonlinear area, it should do pskb_may_pull instead of discarding the skb as a bad IPv6 packet.

Signed-off-by: Xin Long
Reviewed-by: Simon Horman
Acked-by: Nikolay Aleksandrov
Reviewed-by: Aaron Conole
---
 net/bridge/br_netfilter_ipv6.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
index 6b07f30675bb..5cd3e4c35123 100644
--- a/net/bridge/br_netfilter_ipv6.c
+++ b/net/bridge/br_netfilter_ipv6.c
@@ -45,14 +45,18 @@ */ static int br_nf_check_hbh_len(struct sk_buff *skb) { - unsigned char *raw = (u8 *)(ipv6_hdr(skb) + 1); + int len, off = sizeof(struct ipv6hdr); + unsigned char *nh; u32 pkt_len; - const unsigned char *nh = skb_network_header(skb); - int off = raw - nh; - int len = (raw[1] + 1) << 3; - if ((raw + len) - skb->data > skb_headlen(skb)) + if (!pskb_may_pull(skb, off + 8)) goto bad; + nh = (u8 *)(ipv6_hdr(skb) + 1); + len = (nh[1] + 1) << 3; + + if (!pskb_may_pull(skb, off + len)) + goto bad; + nh = skb_network_header(skb); off += 2; len -= 2;
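Review bot: both pskb_may_pull() bounds in this hunk, `off + 8` and `off + len`, are measured from skb->data because `off` starts at `sizeof(struct ipv6hdr)`, while the option header itself is located from ipv6_hdr(skb) + 1; the two only agree when skb->data already points at the IPv6 header, which br_validate_ipv6() guarantees but which the comment above the function does not state, so either document that precondition or compute `off` as skb_network_offset(skb) + sizeof(struct ipv6hdr). The re-read `nh = skb_network_header(skb)` after the second pull is required rather than cosmetic, since a successful pskb_may_pull() may reallocate the linear area and invalidate the earlier nh pointer; a short comment there would stop someone from simplifying it away later.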
From patchwork Sat Mar 4 00:12:38 2023
X-Patchwork-Submitter: Xin Long
X-Patchwork-Id: 1751681
X-Patchwork-Delegate: pablo@netfilter.org
From: Xin Long
To: netfilter-devel@vger.kernel.org, network dev
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, davem@davemloft.net, kuba@kernel.org, Eric Dumazet, Paolo Abeni, Roopa Prabhu, Nikolay Aleksandrov, Pravin B Shelar, Aaron Conole
Subject: [PATCH nf-next 2/6] netfilter: bridge: check len before accessing more nh data
Date: Fri, 3 Mar 2023 19:12:38 -0500

In the while loop of br_nf_check_hbh_len(), similar to ip6_parse_tlv(), before accessing 'nh[off + 1]', it should add a check 'len < 2'; and before parsing IPV6_TLV_JUMBO, it should add a check 'optlen > len', in case of overflows.

Signed-off-by: Xin Long
Reviewed-by: Simon Horman
Acked-by: Nikolay Aleksandrov
Reviewed-by: Aaron Conole
---
 net/bridge/br_netfilter_ipv6.c | 47 ++++++++++++++++------------------
 1 file changed, 22 insertions(+), 25 deletions(-)

diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
index 5cd3e4c35123..50f564c33551 100644
--- a/net/bridge/br_netfilter_ipv6.c
+++ b/net/bridge/br_netfilter_ipv6.c
@@ -50,54 +50,51 @@ static int br_nf_check_hbh_len(struct sk_buff *skb) u32 pkt_len; if (!pskb_may_pull(skb, off + 8)) - goto bad; + return -1; nh = (u8 *)(ipv6_hdr(skb) + 1); len = (nh[1] + 1) << 3; if (!pskb_may_pull(skb, off + len)) - goto bad; + return -1; nh = skb_network_header(skb); off += 2; len -= 2; - while (len > 0) { - int optlen = nh[off + 1] + 2; - - switch (nh[off]) { - case IPV6_TLV_PAD1: - optlen = 1; - break; + int optlen; - case IPV6_TLV_PADN: - break; + if (nh[off] == IPV6_TLV_PAD1) { + off++; + len--; + continue; + } + if (len < 2) + return -1; + optlen = nh[off + 1] + 2; + if (optlen > len) + return -1; - case IPV6_TLV_JUMBO: + if (nh[off] == IPV6_TLV_JUMBO) { if (nh[off + 1] != 4 || (off & 3) != 2) - goto bad; + return -1; pkt_len = ntohl(*(__be32 *)(nh + off + 2)); if (pkt_len <= IPV6_MAXPLEN || ipv6_hdr(skb)->payload_len) - goto bad; + return -1; if (pkt_len > skb->len - sizeof(struct ipv6hdr)) - goto bad; + return -1; if (pskb_trim_rcsum(skb, pkt_len + sizeof(struct ipv6hdr))) - goto bad; + return -1; nh = skb_network_header(skb); - break; - default: - if (optlen > len) - goto bad; - break; } off += optlen; len -= optlen; } - if (len == 0) - return 0; -bad: - return -1; + if (len) + return -1; + + return 0; } int br_validate_ipv6(struct net *net, struct sk_buff *skb)
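Review bot: the IPV6_TLV_JUMBO branch still calls pskb_trim_rcsum() and then re-reads `nh = skb_network_header(skb)`, so a routine that otherwise only validates option lengths also modifies the skb; returning pkt_len to the caller and trimming there would keep the check side-effect free. The ordering of the new checks is right: `len < 2` precedes the read of `nh[off + 1]`, and `optlen > len` precedes the 4-byte read at `nh + off + 2` (in bounds because `nh[off + 1] != 4` is rejected first), with PAD1 handled before either because it is a single byte. Dropping the explicit IPV6_TLV_PADN case means PADN and unknown option types now share the same path, which is fine for a length-only check but deserves a mention in the comment above the function.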
From patchwork Sat Mar 4 00:12:39 2023
X-Patchwork-Submitter: Xin Long
X-Patchwork-Id: 1751682
X-Patchwork-Delegate: pablo@netfilter.org
From: Xin Long
To: netfilter-devel@vger.kernel.org, network dev
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, davem@davemloft.net, kuba@kernel.org, Eric Dumazet, Paolo Abeni, Roopa Prabhu, Nikolay Aleksandrov, Pravin B Shelar, Aaron Conole
Subject: [PATCH nf-next 3/6] netfilter: bridge: move pskb_trim_rcsum out of br_nf_check_hbh_len
Date: Fri, 3 Mar 2023 19:12:39 -0500
Message-Id: <688b6037c640efeb6141d4646cc9dc1b657796e7.1677888566.git.lucien.xin@gmail.com>

br_nf_check_hbh_len() is a function to check the Hop-by-hop option header, and shouldn't do pskb_trim_rcsum() there. This patch is to pass pkt_len out to br_validate_ipv6() and do pskb_trim_rcsum() after calling br_validate_ipv6() instead.

Signed-off-by: Xin Long
Reviewed-by: Simon Horman
Acked-by: Nikolay Aleksandrov
Reviewed-by: Aaron Conole
---
 net/bridge/br_netfilter_ipv6.c | 33 ++++++++++++++-------------------
 1 file changed, 14 insertions(+), 19 deletions(-)

diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
index 50f564c33551..07289e4f3213 100644
--- a/net/bridge/br_netfilter_ipv6.c
+++ b/net/bridge/br_netfilter_ipv6.c
@@ -43,11 +43,11 @@ /* We only check the length. A bridge shouldn't do any hop-by-hop stuff * anyway */ -static int br_nf_check_hbh_len(struct sk_buff *skb) +static int br_nf_check_hbh_len(struct sk_buff *skb, u32 *plen) { int len, off = sizeof(struct ipv6hdr); unsigned char *nh; - u32 pkt_len; + u32 pkt_len = 0; if (!pskb_may_pull(skb, off + 8)) return -1;
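Review bot: `u32 pkt_len = 0` doubles as the "no Jumbo option seen" sentinel for the new `u32 *plen` out-parameter, which is only valid because a Jumbo length is rejected unless it exceeds IPV6_MAXPLEN and so can never legitimately be 0; that reasoning lives at the bottom of the function, so add a one-line comment at the initialisation, and state in the comment above the function that *plen is written only when a Jumbo Payload option is present.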
@@ -83,10 +83,6 @@ static int br_nf_check_hbh_len(struct sk_buff *skb) return -1; if (pkt_len > skb->len - sizeof(struct ipv6hdr)) return -1; - if (pskb_trim_rcsum(skb, - pkt_len + sizeof(struct ipv6hdr))) - return -1; - nh = skb_network_header(skb); } off += optlen; len -= optlen; @@ -94,6 +90,8 @@ static int br_nf_check_hbh_len(struct sk_buff *skb) if (len) return -1; + if (pkt_len) + *plen = pkt_len; return 0; } 
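Review bot: with pskb_trim_rcsum() gone from the Jumbo branch, the surviving `if (pkt_len > skb->len - sizeof(struct ipv6hdr)) return -1;` in the first hunk now duplicates the `pkt_len + ip6h_len > skb->len` test that br_validate_ipv6() performs on the returned length, and the two disagree on accounting: this path drops silently while the caller's path bumps IPSTATS_MIB_INTRUNCATEDPKTS, so a truncated jumbogram is never counted. Either drop the inner check and let the caller count it, or keep it and note that it exists for callers other than the bridge. In the second hunk, `if (pkt_len) *plen = pkt_len;` leaves *plen unchanged when no Jumbo option is present, so every caller must pre-initialise it from payload_len; that contract belongs in the function comment.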
@@ -116,22 +114,19 @@ int br_validate_ipv6(struct net *net, struct sk_buff *skb) goto inhdr_error; pkt_len = ntohs(hdr->payload_len); + if (hdr->nexthdr == NEXTHDR_HOP && br_nf_check_hbh_len(skb, &pkt_len)) + goto drop; - if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) { - if (pkt_len + ip6h_len > skb->len) { - __IP6_INC_STATS(net, idev, - IPSTATS_MIB_INTRUNCATEDPKTS); - goto drop; - } - if (pskb_trim_rcsum(skb, pkt_len + ip6h_len)) { - __IP6_INC_STATS(net, idev, - IPSTATS_MIB_INDISCARDS); - goto drop; - } - hdr = ipv6_hdr(skb); + if (pkt_len + ip6h_len > skb->len) { + __IP6_INC_STATS(net, idev, + IPSTATS_MIB_INTRUNCATEDPKTS); + goto drop; } - if (hdr->nexthdr == NEXTHDR_HOP && br_nf_check_hbh_len(skb)) + if (pskb_trim_rcsum(skb, pkt_len + ip6h_len)) { + __IP6_INC_STATS(net, idev, + IPSTATS_MIB_INDISCARDS); goto drop; + } memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm)); /* No IP options in IPv6 header; however it should be
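Review bot: this hunk changes behaviour for a packet with nexthdr == NEXTHDR_HOP, payload_len == 0 and no Jumbo option: previously the `if (pkt_len || hdr->nexthdr != NEXTHDR_HOP)` guard skipped the trim for that case and the packet went on with its real length, whereas now pkt_len stays 0 and the unconditional `pskb_trim_rcsum(skb, pkt_len + ip6h_len)` cuts it down to a bare IPv6 header instead of dropping it. If such a packet is considered malformed it should be dropped explicitly (and counted) rather than silently truncated; if it is meant to be forwarded, the old guard needs to stay. Removing the `hdr = ipv6_hdr(skb)` refresh is safe only because hdr is no longer dereferenced after br_nf_check_hbh_len(), whose pskb_may_pull() calls can reallocate the linear area; a comment to that effect would protect future additions to this function.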
From patchwork Sat Mar 4 00:12:40 2023
X-Patchwork-Submitter: Xin Long
X-Patchwork-Id: 1751683
X-Patchwork-Delegate: pablo@netfilter.org
From: Xin Long
To: netfilter-devel@vger.kernel.org, network dev
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, davem@davemloft.net, kuba@kernel.org, Eric Dumazet, Paolo Abeni, Roopa Prabhu, Nikolay Aleksandrov, Pravin B Shelar, Aaron Conole
Subject: [PATCH nf-next 4/6] netfilter: move br_nf_check_hbh_len to utils
Date: Fri, 3 Mar 2023 19:12:40 -0500
Message-Id: <84b12a8d761ac804794f6a0e08011eff4c2c0a3a.1677888566.git.lucien.xin@gmail.com>

Rename br_nf_check_hbh_len() to nf_ip6_check_hbh_len() and move it to netfilter utils, so that it can be used by other modules, like ovs and tc.

Signed-off-by: Xin Long
Reviewed-by: Simon Horman
Reviewed-by: Nikolay Aleksandrov
Reviewed-by: Aaron Conole
---
 include/linux/netfilter_ipv6.h |  2 ++
 net/bridge/br_netfilter_ipv6.c | 57 +---------------------------------
 net/netfilter/utils.c          | 54 ++++++++++++++++++++++++++++++++
 3 files changed, 57 insertions(+), 56 deletions(-)

diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h index 48314ade1506..7834c0be2831 100644 --- a/include/linux/netfilter_ipv6.h +++ b/include/linux/netfilter_ipv6.h @@ -197,6 +197,8 @@ static inline int nf_cookie_v6_check(const struct ipv6hdr *iph, __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook, unsigned int dataoff, u_int8_t protocol); +int nf_ip6_check_hbh_len(struct sk_buff *skb, u32 *plen); + int ipv6_netfilter_init(void); void ipv6_netfilter_fini(void); diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c index 07289e4f3213..550039dfc31a 100644 --- a/net/bridge/br_netfilter_ipv6.c +++ b/net/bridge/br_netfilter_ipv6.c @@ -40,61 +40,6 @@ #include #endif -/* We only check the length. A bridge shouldn't do any hop-by-hop stuff - * anyway - */ -static int br_nf_check_hbh_len(struct sk_buff *skb, u32 *plen) -{ - int len, off = sizeof(struct ipv6hdr); - unsigned char *nh; - u32 pkt_len = 0; - - if (!pskb_may_pull(skb, off + 8)) - return -1; - nh = (u8 *)(ipv6_hdr(skb) + 1); - len = (nh[1] + 1) << 3; - - if (!pskb_may_pull(skb, off + len)) - return -1; - nh = skb_network_header(skb); - - off += 2; - len -= 2; - while (len > 0) { - int optlen; - - if (nh[off] == IPV6_TLV_PAD1) { - off++; - len--; - continue; - } - if (len < 2) - return -1; - optlen = nh[off + 1] + 2; - if (optlen > len) - return -1; - - if (nh[off] == IPV6_TLV_JUMBO) { - if (nh[off + 1] != 4 || (off & 3) != 2) - return -1; - pkt_len = ntohl(*(__be32 *)(nh + off + 2)); - if (pkt_len <= IPV6_MAXPLEN || - ipv6_hdr(skb)->payload_len) - return -1; - if (pkt_len > skb->len - sizeof(struct ipv6hdr)) - return -1; - } - off += optlen; - len -= optlen; - } - if (len) - return -1; - - if (pkt_len) - *plen = pkt_len; - return 0; -} - int br_validate_ipv6(struct net *net, struct sk_buff *skb) { const struct ipv6hdr *hdr; 
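Review bot: the prototype `int nf_ip6_check_hbh_len(struct sk_buff *skb, u32 *plen);` added beside nf_ip6_checksum() carries no description, and since this series exports the symbol for use outside the bridge the contract matters: skb->data must already point at the IPv6 header, the return value is 0 or a negative errno, and *plen is written only when a Jumbo Payload option is found, so callers must pre-set it from payload_len. A kernel-doc block here or at the definition in net/netfilter/utils.c would spare new callers a trip through the implementation. The removal hunk below it is a straight cut-and-paste apart from the comment, which is reworded at the new location.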
@@ -114,7 +59,7 @@ int br_validate_ipv6(struct net *net, struct sk_buff *skb) goto inhdr_error; pkt_len = ntohs(hdr->payload_len); - if (hdr->nexthdr == NEXTHDR_HOP && br_nf_check_hbh_len(skb, &pkt_len)) + if (hdr->nexthdr == NEXTHDR_HOP && nf_ip6_check_hbh_len(skb, &pkt_len)) goto drop; if (pkt_len + ip6h_len > skb->len) { diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c index 2182d361e273..04f4bd661774 100644 --- a/net/netfilter/utils.c +++ b/net/netfilter/utils.c 
@@ -215,3 +215,57 @@ int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry) } return ret; } + +/* Only get and check the lengths, not do any hop-by-hop stuff. */ +int nf_ip6_check_hbh_len(struct sk_buff *skb, u32 *plen) +{ + int len, off = sizeof(struct ipv6hdr); + unsigned char *nh; + u32 pkt_len = 0; + + if (!pskb_may_pull(skb, off + 8)) + return -ENOMEM; + nh = (u8 *)(ipv6_hdr(skb) + 1); + len = (nh[1] + 1) << 3; + + if (!pskb_may_pull(skb, off + len)) + return -ENOMEM; + nh = skb_network_header(skb); + + off += 2; + len -= 2; + while (len > 0) { + int optlen; + + if (nh[off] == IPV6_TLV_PAD1) { + off++; + len--; + continue; + } + if (len < 2) + return -EBADMSG; + optlen = nh[off + 1] + 2; + if (optlen > len) + return -EBADMSG; + + if (nh[off] == IPV6_TLV_JUMBO) { + if (nh[off + 1] != 4 || (off & 3) != 2) + return -EBADMSG; + pkt_len = ntohl(*(__be32 *)(nh + off + 2)); + if (pkt_len <= IPV6_MAXPLEN || + ipv6_hdr(skb)->payload_len) + return -EBADMSG; + if (pkt_len > skb->len - sizeof(struct ipv6hdr)) + return -EBADMSG; + } + off += optlen; + len -= optlen; + } + if (len) + return -EBADMSG; + + if (pkt_len) + *plen = pkt_len; + return 0; +} +EXPORT_SYMBOL_GPL(nf_ip6_check_hbh_len);
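Review bot: the two `return -ENOMEM;` paths after pskb_may_pull() conflate an allocation failure with a packet that is simply too short to contain the Hop-by-hop header (pskb_may_pull() fails in both cases), so a truncated packet is reported as -ENOMEM here while every other malformed-header case below returns -EBADMSG; checking `skb->len < off + 8` (and later `skb->len < off + len`) first and returning -EBADMSG for those, reserving -ENOMEM for a pull that genuinely fails to allocate, would make the error code meaningful to callers that log or count drops. The comment `/* Only get and check the lengths, not do any hop-by-hop stuff. */` should also say what *plen means and when it is written, now that this is an exported helper.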
From patchwork Sat Mar 4 00:12:41 2023
X-Patchwork-Submitter: Xin Long
X-Patchwork-Id: 1751684
X-Patchwork-Delegate: pablo@netfilter.org
From: Xin Long
To: netfilter-devel@vger.kernel.org, network dev
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, davem@davemloft.net, kuba@kernel.org, Eric Dumazet, Paolo Abeni, Roopa Prabhu, Nikolay Aleksandrov, Pravin B Shelar, Aaron Conole
Subject: [PATCH nf-next 5/6] netfilter: use nf_ip6_check_hbh_len in nf_ct_skb_network_trim
Date: Fri, 3 Mar 2023 19:12:41 -0500
Message-Id: <5411027934a79f0430edb905ad4b434ec6b8396e.1677888566.git.lucien.xin@gmail.com>

For IPv6 Jumbo packets, the ipv6_hdr(skb)->payload_len is always 0, and its real payload_len (> 65535) is saved in the hbh exthdr. With 0 length for the jumbo packets, all data and exthdr will be trimmed in nf_ct_skb_network_trim(). This patch is to call nf_ip6_check_hbh_len() to get the real pkt_len of the IPv6 packet, similar to br_validate_ipv6().

Signed-off-by: Xin Long
Reviewed-by: Simon Horman
Reviewed-by: Nikolay Aleksandrov
Reviewed-by: Aaron Conole
---
 net/netfilter/nf_conntrack_ovs.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_ovs.c b/net/netfilter/nf_conntrack_ovs.c
index 52b776bdf526..2016a3b05f86 100644
--- a/net/netfilter/nf_conntrack_ovs.c
+++ b/net/netfilter/nf_conntrack_ovs.c
@@ -6,6 +6,7 @@ #include #include #include +#include /* 'skb' should already be pulled to nh_ofs. */ int nf_ct_helper(struct sk_buff *skb, struct nf_conn *ct,
@@ -114,14 +115,20 @@ EXPORT_SYMBOL_GPL(nf_ct_add_helper); int nf_ct_skb_network_trim(struct sk_buff *skb, int family) { unsigned int len; + int err; switch (family) { case NFPROTO_IPV4: len = skb_ip_totlen(skb); break; case NFPROTO_IPV6: - len = sizeof(struct ipv6hdr) - + ntohs(ipv6_hdr(skb)->payload_len); + len = ntohs(ipv6_hdr(skb)->payload_len); + if (ipv6_hdr(skb)->nexthdr == NEXTHDR_HOP) { + err = nf_ip6_check_hbh_len(skb, &len); + if (err) + return err; + } + len += sizeof(struct ipv6hdr); break; default: len = skb->len; From patchwork Sat Mar 4 00:12:42 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Xin Long X-Patchwork-Id: 1751685 X-Patchwork-Delegate: pablo@netfilter.org
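Review bot: in the NFPROTO_IPV6 case, `len` is pre-loaded with `ntohs(ipv6_hdr(skb)->payload_len)` and then handed to `nf_ip6_check_hbh_len(skb, &len)`, so the callee is relied on to leave `len` untouched when the hop-by-hop header carries no jumbo option and to overwrite it when it does; a one-line comment above the call stating that in/out contract would stop a later reader from treating `len` as output only. Two smaller points: `err` is used only inside that case, so it can be declared there instead of at function scope, and because `if (err) return err;` now makes the trim fail on a malformed hop-by-hop header where the old code silently trimmed to `payload_len`, the commit message should say so, since that is a behaviour change for every packet whose nexthdr is NEXTHDR_HOP, not only jumbo ones.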
From: Xin Long To: netfilter-devel@vger.kernel.org, network dev Cc: Pablo Neira Ayuso , Jozsef Kadlecsik , Florian Westphal , davem@davemloft.net, kuba@kernel.org, Eric Dumazet , Paolo Abeni , Roopa Prabhu , Nikolay Aleksandrov , Pravin B Shelar , Aaron Conole Subject: [PATCH nf-next 6/6] selftests: add a selftest for big tcp Date: Fri, 3 Mar 2023 19:12:42 -0500 Message-Id: <05ccf9eec0b79e62d52ae65a096126546d84bea6.1677888566.git.lucien.xin@gmail.com> X-Mailer: git-send-email 2.39.1 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org This test runs on the client-router-server topo, and monitors the traffic on the RX devices of router and server while sending BIG TCP packets with netperf from client to server. Meanwhile, it changes 'tso' on the TX devs and 'gro' on the RX devs. Then it checks if any BIG TCP packets appear on the RX devs with 'ip/ip6tables -m length ! --length 0:65535' for each case. Note that we also add tc action ct in link1 ingress to cover the ipv6 jumbo packets process in nf_ct_skb_network_trim() of nf_conntrack_ovs. Signed-off-by: Xin Long Reviewed-by: Aaron Conole --- tools/testing/selftests/net/Makefile | 1 + tools/testing/selftests/net/big_tcp.sh | 180 +++++++++++++++++++++++++ 2 files changed, 181 insertions(+) create mode 100755 tools/testing/selftests/net/big_tcp.sh
diff --git a/tools/testing/selftests/net/Makefile b/tools/testing/selftests/net/Makefile index 6cd8993454d7..099741290184 100644 --- a/tools/testing/selftests/net/Makefile +++ b/tools/testing/selftests/net/Makefile @@ -48,6 +48,7 @@ TEST_PROGS += l2_tos_ttl_inherit.sh TEST_PROGS += bind_bhash.sh TEST_PROGS += ip_local_port_range.sh TEST_PROGS += rps_default_mask.sh +TEST_PROGS += big_tcp.sh TEST_PROGS_EXTENDED := in_netns.sh setup_loopback.sh setup_veth.sh TEST_PROGS_EXTENDED += toeplitz_client.sh toeplitz.sh TEST_GEN_FILES = socket nettest diff --git a/tools/testing/selftests/net/big_tcp.sh b/tools/testing/selftests/net/big_tcp.sh new file mode 100755 index 000000000000..cde9a91c4797 --- /dev/null +++ b/tools/testing/selftests/net/big_tcp.sh 
@@ -0,0 +1,180 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-2.0 +# +# Testing For IPv4 and IPv6 BIG TCP. +# TOPO: CLIENT_NS (link0)<--->(link1) ROUTER_NS (link2)<--->(link3) SERVER_NS + +CLIENT_NS=$(mktemp -u client-XXXXXXXX) +CLIENT_IP4="198.51.100.1" +CLIENT_IP6="2001:db8:1::1" + +SERVER_NS=$(mktemp -u server-XXXXXXXX) +SERVER_IP4="203.0.113.1" +SERVER_IP6="2001:db8:2::1" + +ROUTER_NS=$(mktemp -u router-XXXXXXXX) +SERVER_GW4="203.0.113.2" +CLIENT_GW4="198.51.100.2" +SERVER_GW6="2001:db8:2::2" +CLIENT_GW6="2001:db8:1::2" + +MAX_SIZE=128000 +CHK_SIZE=65535 + +# Kselftest framework requirement - SKIP code is 4. +ksft_skip=4 + +setup() { + ip netns add $CLIENT_NS + ip netns add $SERVER_NS + ip netns add $ROUTER_NS + ip -net $ROUTER_NS link add link1 type veth peer name link0 netns $CLIENT_NS + ip -net $ROUTER_NS link add link2 type veth peer name link3 netns $SERVER_NS + + ip -net $CLIENT_NS link set link0 up + ip -net $CLIENT_NS link set link0 mtu 1442 + ip -net $CLIENT_NS addr add $CLIENT_IP4/24 dev link0 + ip -net $CLIENT_NS addr add $CLIENT_IP6/64 dev link0 nodad + ip -net $CLIENT_NS route add $SERVER_IP4 dev link0 via $CLIENT_GW4 + ip -net $CLIENT_NS route add $SERVER_IP6 dev link0 via $CLIENT_GW6 + ip -net $CLIENT_NS link set dev link0 \ + gro_ipv4_max_size $MAX_SIZE gso_ipv4_max_size $MAX_SIZE + ip -net $CLIENT_NS link set dev link0 \ + gro_max_size $MAX_SIZE gso_max_size $MAX_SIZE + ip net exec $CLIENT_NS sysctl -wq net.ipv4.tcp_window_scaling=10 + + ip -net $ROUTER_NS link set link1 up + ip -net $ROUTER_NS link set link2 up + ip -net $ROUTER_NS addr add $CLIENT_GW4/24 dev link1 + ip -net $ROUTER_NS addr add $CLIENT_GW6/64 dev link1 nodad + ip -net $ROUTER_NS addr add $SERVER_GW4/24 dev link2 + ip -net $ROUTER_NS addr add $SERVER_GW6/64 dev link2 nodad + ip -net $ROUTER_NS link set dev link1 \ + gro_ipv4_max_size $MAX_SIZE gso_ipv4_max_size $MAX_SIZE + ip -net $ROUTER_NS link set dev link2 \ + gro_ipv4_max_size $MAX_SIZE gso_ipv4_max_size $MAX_SIZE + ip 
-net $ROUTER_NS link set dev link1 \ + gro_max_size $MAX_SIZE gso_max_size $MAX_SIZE + ip -net $ROUTER_NS link set dev link2 \ + gro_max_size $MAX_SIZE gso_max_size $MAX_SIZE + # test for nf_ct_skb_network_trim in nf_conntrack_ovs used by TC ct action. + ip net exec $ROUTER_NS tc qdisc add dev link1 ingress + ip net exec $ROUTER_NS tc filter add dev link1 ingress \ + proto ip flower ip_proto tcp action ct + ip net exec $ROUTER_NS tc filter add dev link1 ingress \ + proto ipv6 flower ip_proto tcp action ct + ip net exec $ROUTER_NS sysctl -wq net.ipv4.ip_forward=1 + ip net exec $ROUTER_NS sysctl -wq net.ipv6.conf.all.forwarding=1 + + ip -net $SERVER_NS link set link3 up + ip -net $SERVER_NS addr add $SERVER_IP4/24 dev link3 + ip -net $SERVER_NS addr add $SERVER_IP6/64 dev link3 nodad + ip -net $SERVER_NS route add $CLIENT_IP4 dev link3 via $SERVER_GW4 + ip -net $SERVER_NS route add $CLIENT_IP6 dev link3 via $SERVER_GW6 + ip -net $SERVER_NS link set dev link3 \ + gro_ipv4_max_size $MAX_SIZE gso_ipv4_max_size $MAX_SIZE + ip -net $SERVER_NS link set dev link3 \ + gro_max_size $MAX_SIZE gso_max_size $MAX_SIZE + ip net exec $SERVER_NS sysctl -wq net.ipv4.tcp_window_scaling=10 + ip net exec $SERVER_NS netserver 2>&1 >/dev/null +} + +cleanup() { + ip net exec $SERVER_NS pkill netserver + ip -net $ROUTER_NS link del link1 + ip -net $ROUTER_NS link del link2 + ip netns del "$CLIENT_NS" + ip netns del "$SERVER_NS" + ip netns del "$ROUTER_NS" +} + +start_counter() { + local ipt="iptables" + local iface=$1 + local netns=$2 + + [ "$NF" = "6" ] && ipt="ip6tables" + ip net exec $netns $ipt -t raw -A PREROUTING -i $iface \ + -m length ! 
--length 0:$CHK_SIZE -j ACCEPT +} + +check_counter() { + local ipt="iptables" + local iface=$1 + local netns=$2 + + [ "$NF" = "6" ] && ipt="ip6tables" + test `ip net exec $netns $ipt -t raw -L -v |grep $iface | awk '{print $1}'` != "0" +} + +stop_counter() { + local ipt="iptables" + local iface=$1 + local netns=$2 + + [ "$NF" = "6" ] && ipt="ip6tables" + ip net exec $netns $ipt -t raw -D PREROUTING -i $iface \ + -m length ! --length 0:$CHK_SIZE -j ACCEPT +} + +do_netperf() { + local serip=$SERVER_IP4 + local netns=$1 + + [ "$NF" = "6" ] && serip=$SERVER_IP6 + ip net exec $netns netperf -$NF -t TCP_STREAM -H $serip 2>&1 >/dev/null +} + +do_test() { + local cli_tso=$1 + local gw_gro=$2 + local gw_tso=$3 + local ser_gro=$4 + local ret="PASS" + + ip net exec $CLIENT_NS ethtool -K link0 tso $cli_tso + ip net exec $ROUTER_NS ethtool -K link1 gro $gw_gro + ip net exec $ROUTER_NS ethtool -K link2 tso $gw_tso + ip net exec $SERVER_NS ethtool -K link3 gro $ser_gro + + start_counter link1 $ROUTER_NS + start_counter link3 $SERVER_NS + do_netperf $CLIENT_NS + + if check_counter link1 $ROUTER_NS; then + check_counter link3 $SERVER_NS || ret="FAIL_on_link3" + else + ret="FAIL_on_link1" + fi + + stop_counter link1 $ROUTER_NS + stop_counter link3 $SERVER_NS + printf "%-9s %-8s %-8s %-8s: [%s]\n" \ + $cli_tso $gw_gro $gw_tso $ser_gro $ret + test $ret = "PASS" +} + +testup() { + echo "CLI GSO | GW GRO | GW GSO | SER GRO" && \ + do_test "on" "on" "on" "on" && \ + do_test "on" "off" "on" "off" && \ + do_test "off" "on" "on" "on" && \ + do_test "on" "on" "off" "on" && \ + do_test "off" "on" "off" "on" +} + +if ! netperf -V &> /dev/null; then + echo "SKIP: Could not run test without netperf tool" + exit $ksft_skip +fi + +if ! 
ip link help 2>&1 | grep gso_ipv4_max_size &> /dev/null; then + echo "SKIP: Could not run test without gso/gro_ipv4_max_size supported in ip-link" + exit $ksft_skip +fi + +trap cleanup EXIT +setup && echo "Testing for BIG TCP:" && \ +NF=4 testup && echo "***v4 Tests Done***" && \ +NF=6 testup && echo "***v6 Tests Done***" +exit $?
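Review bot: the redirections in `setup()` and `do_netperf()` are in the wrong order: `netserver 2>&1 >/dev/null` and `netperf ... 2>&1 >/dev/null` first duplicate stderr onto the script's current stdout and only then point stdout at /dev/null, so netserver and netperf diagnostics still land in the test output; write `>/dev/null 2>&1` if both streams are meant to be discarded. In `check_counter()`, the unquoted backtick substitution in `test \`...\` != "0"` expands to nothing when `grep $iface` matches no rule, and `test` then aborts with a unary-operator error instead of returning a clean false; `test "$(ip net exec $netns $ipt -t raw -L -v | grep $iface | awk '{print $1}')" != "0"` is safer, and adding `-n` to the `-L -v` listing avoids reverse-DNS lookups slowing each check. Also, `cleanup()` is armed with `trap cleanup EXIT` before `setup` runs, so a failure partway through `setup()` calls `pkill netserver` and the `link del`/`netns del` commands against namespaces that may not exist yet; tolerating those errors (for example `2>/dev/null` on each cleanup step) keeps the SKIP/FAIL output readable.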