| Message ID | 4f0d0955-8bfc-486e-a44f-0e12af8a403f@strongswan.org (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net] ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels | expand |
Le 15/03/2024 à 13:25, Tobias Brunner a écrit : > Since the referenced commit, the xfrm_inner_extract_output() function > uses the skb's protocol field to determine the address family. So not > setting it for IPv4 raw sockets meant that such packets couldn't be > tunneled via IPsec anymore. > > IPv6 raw sockets are not affected as they already set the protocol since > 9c9c9ad5fae7 ("ipv6: set skb->protocol on tcp, raw and ip6_append_data > genereated skbs"). > > Fixes: 5f24f41e8ea6 ("xfrm: Remove inner/outer modes from input path")This is the input part, I presume you were thinking to the output part: Fixes: f4796398f21b ("xfrm: Remove inner/outer modes from output path") > Signed-off-by: Tobias Brunner <tobias@strongswan.org> > --- > net/ipv4/raw.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c > index 42ac434cfcfa..322e389021c3 100644 > --- a/net/ipv4/raw.c > +++ b/net/ipv4/raw.c > @@ -357,6 +357,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4, > goto error; > skb_reserve(skb, hlen); > > + skb->protocol = htons(ETH_P_IP); > skb->priority = READ_ONCE(sk->sk_priority); > skb->mark = sockc->mark; > skb->tstamp = sockc->transmit_time; For !ipsec packet, dst_output()/ ip_output() is called. This last function set skb->protocol to htons(ETH_P_IP). What about doing the same in xfrm4_output() to avoid missing another path? Regards, Nicolas
>> Since the referenced commit, the xfrm_inner_extract_output() function >> uses the skb's protocol field to determine the address family. So not >> setting it for IPv4 raw sockets meant that such packets couldn't be >> tunneled via IPsec anymore. >> >> IPv6 raw sockets are not affected as they already set the protocol since >> 9c9c9ad5fae7 ("ipv6: set skb->protocol on tcp, raw and ip6_append_data >> genereated skbs"). >> >> Fixes: 5f24f41e8ea6 ("xfrm: Remove inner/outer modes from input path")This is the input part, I presume you were thinking to the output part: > Fixes: f4796398f21b ("xfrm: Remove inner/outer modes from output path") Right, will fix. >> Signed-off-by: Tobias Brunner <tobias@strongswan.org> >> --- >> net/ipv4/raw.c | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c >> index 42ac434cfcfa..322e389021c3 100644 >> --- a/net/ipv4/raw.c >> +++ b/net/ipv4/raw.c >> @@ -357,6 +357,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4, >> goto error; >> skb_reserve(skb, hlen); >> >> + skb->protocol = htons(ETH_P_IP); >> skb->priority = READ_ONCE(sk->sk_priority); >> skb->mark = sockc->mark; >> skb->tstamp = sockc->transmit_time; > For !ipsec packet, dst_output()/ ip_output() is called. This last function set > skb->protocol to htons(ETH_P_IP). > What about doing the same in xfrm4_output() to avoid missing another path? I took this approach because it worked and it aligns the code with the IPv6 version. Whether the code path would actually pass through the function you mention before hitting the problematic one I don't know. Regards, Tobias
On 3/15/24 8:31 AM, Tobias Brunner wrote: >>> diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c >>> index 42ac434cfcfa..322e389021c3 100644 >>> --- a/net/ipv4/raw.c >>> +++ b/net/ipv4/raw.c >>> @@ -357,6 +357,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4, >>> goto error; >>> skb_reserve(skb, hlen); >>> >>> + skb->protocol = htons(ETH_P_IP); >>> skb->priority = READ_ONCE(sk->sk_priority); >>> skb->mark = sockc->mark; >>> skb->tstamp = sockc->transmit_time; >> For !ipsec packet, dst_output()/ ip_output() is called. This last function set >> skb->protocol to htons(ETH_P_IP). >> What about doing the same in xfrm4_output() to avoid missing another path? > > I took this approach because it worked and it aligns the code with the > IPv6 version. I agree with that; setting it in raw_send_hdrinc makes it consistent across protocols. Reviewed-by: David Ahern <dsahern@kernel.org>
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c index 42ac434cfcfa..322e389021c3 100644 --- a/net/ipv4/raw.c +++ b/net/ipv4/raw.c @@ -357,6 +357,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4, goto error; skb_reserve(skb, hlen); + skb->protocol = htons(ETH_P_IP); skb->priority = READ_ONCE(sk->sk_priority); skb->mark = sockc->mark; skb->tstamp = sockc->transmit_time;
Since the referenced commit, the xfrm_inner_extract_output() function uses the skb's protocol field to determine the address family. So not setting it for IPv4 raw sockets meant that such packets couldn't be tunneled via IPsec anymore. IPv6 raw sockets are not affected as they already set the protocol since 9c9c9ad5fae7 ("ipv6: set skb->protocol on tcp, raw and ip6_append_data genereated skbs"). Fixes: 5f24f41e8ea6 ("xfrm: Remove inner/outer modes from input path") Signed-off-by: Tobias Brunner <tobias@strongswan.org> --- net/ipv4/raw.c | 1 + 1 file changed, 1 insertion(+)