From patchwork Wed Aug 21 21:21:59 2024
X-Patchwork-Submitter: Tom Herbert
X-Patchwork-Id: 13772055
From: Tom Herbert
To: davem@davemloft.net, kuba@kernel.org, edumazet@google.com,
    netdev@vger.kernel.org, felipe@sipanda.io,
    willemdebruijn.kernel@gmail.com, pablo@netfilter.org,
    laforge@gnumonks.org, xeb@mail.ru
Cc: Tom Herbert
Subject: [PATCH net-next v3 00/13] flow_dissector: Dissect UDP encapsulation protocols
Date: Wed, 21 Aug 2024 14:21:59 -0700
Message-Id: <20240821212212.1795357-1-tom@herbertland.com>
X-Mailer: git-send-email 2.34.1
X-Patchwork-Delegate: kuba@kernel.org

Add support in flow_dissector for dissecting into UDP
encapsulations like VXLAN. __skb_flow_dissect_udp is called for
IPPROTO_UDP. The flag FLOW_DISSECTOR_F_PARSE_UDP_ENCAPS enables parsing
of UDP encapsulations. If the flag is set when parsing a UDP packet then
a socket lookup is performed. The offset of the base network header,
either an IPv4 or IPv6 header, is tracked and passed to
__skb_flow_dissect_udp so that it can perform the socket lookup.
If a socket is found and it's for a UDP encapsulation (encap_type is
set in the UDP socket) then a switch is performed on the encap_type
value (cases are UDP_ENCAP_* values).

Changes in the patch set:

- Unconstantify struct net argument in flowdis functions so we can call
  UDP socket lookup functions
- Dissect ETH_P_TEB in main flow dissector loop, move ETH_P_TEB check
  out of __skb_flow_dissect_gre and process it in main loop
- Add UDP_ENCAP constants for tipc, fou, gue, sctp, rxe, pfcp,
  wireguard, bareudp, vxlan, vxlan_gpe, geneve, and amt
- For the various UDP encapsulation protocols, instead of just setting
  UDP tunnel encap type to 1, set it to the corresponding UDP_ENCAP
  constant. This allows identifying the encapsulation protocol for a
  UDP socket by the encap_type
- Add function __skb_flow_dissect_udp in flow_dissector and call it for
  UDP packets. If a UDP encapsulation is present then the function
  returns either FLOW_DISSECT_RET_PROTO_AGAIN or
  FLOW_DISSECT_RET_IPPROTO_AGAIN
- Add flag FLOW_DISSECTOR_F_PARSE_UDP_ENCAPS that indicates UDP
  encapsulations should be dissected
- Add __skb_flow_dissect_vxlan which is called when encap_type is
  UDP_ENCAP_VXLAN or UDP_ENCAP_VXLAN_GPE. Dissect VXLAN and return
  a next protocol and offset
- Add __skb_flow_dissect_fou which is called when encap_type is
  UDP_ENCAP_FOU. Dissect FOU and return a next protocol and offset
- Add support for ESP, L2TP, and SCTP in UDP in __skb_flow_dissect_udp.
  All we need to do is return FLOW_DISSECT_RET_IPPROTO_AGAIN and the
  corresponding IP protocol number
- Add __skb_flow_dissect_geneve which is called when encap_type is
  UDP_ENCAP_GENEVE. Dissect geneve and return a next protocol and offset
- Add __skb_flow_dissect_gue which is called when encap_type is
  UDP_ENCAP_GUE. Dissect gue and return a next protocol and offset
- Add __skb_flow_dissect_gtp which is called when encap_type is
  UDP_ENCAP_GTP. Dissect gtp and return a next protocol and offset

Tested: Verified fou, gue, vxlan, and geneve are properly dissected for
IPv4 and IPv6 cases. This includes testing ETH_P_TEB case

v2:
- Add #if IS_ENABLED(CONFIG_IPV6) around IPv6 cases when dissecting UDP.
  Also, call ipv6_bpf_stub->udp6_lib_lookup instead of udp6_lib_lookup
  directly since udp6_lib_lookup is in the IPv6 module
- Drop patch to unconstantify struct net argument in flowdis functions,
  edumazet added const to net argument in UDP socket lookup functions
- Add support in flowdis ipproto switch for no-next-hdr. Just exit
  flowdis on good result when this is seen
- Merge patches that move TEB processing out of GRE and moved into
  main protocol switch
- Rename bpoff in UDP flow dissector functions to be base_nhoff for
  clarity
- Parse GTPv1 extension headers (part of this is moving
  gtp_parse_exthdrs to a header file)
- Exit flowdis on good result if NPDU or SEQ GTPv1 flags are set

v3:
- Add udp6_lib_lookup to ipv6_stubs
- Call ipv6_stubs->udp6_lib_lookup instead of ipv6_bpf_stubs variant
- Use _HF_ variants of VXLAN flags (those in network byte order)
- Use encap type from socket to determine if a packet is VXLAN-GPE
  instead of getting this from flags
- Protect both IPv4 and IPv6 cases with #ifdef CONFIG_INET
- Added a comment why UDP_ENCAP constants are in uapi
- Added a comment in ETH_P_TEB case why NET_IP_ALIGN is needed
- Add a check in __skb_flow_dissect_udp that the netns for the skb
  device is the same as the caller's netns, and also only dissect UDP
  if we haven't yet encountered any encapsulation. The goal is to
  ensure that the socket lookup is being done in the right netns.
  Encapsulations may push packets into different name spaces, so this
  scheme is restricting UDP dissection to cases where there are no
  name spaces or at least the original name space. This should capture
  the majority of use cases for UDP encaps, if we do encounter a UDP
  encapsulation within a different namespace then the only effect is
  we don't attempt UDP dissection

Tom Herbert (13):
  ipv6: Add udp6_lib_lookup to IPv6 stubs
  flow_dissector: Parse ETH_P_TEB and move out of GRE
  udp_encaps: Add new UDP_ENCAP constants
  udp_encaps: Set proper UDP_ENCAP types in tunnel setup
  flow_dissector: UDP encap infrastructure
  flow_dissector: Parse vxlan in UDP
  flow_dissector: Parse foo-over-udp (FOU)
  flow_dissector: Parse ESP, L2TP, and SCTP in UDP
  flow_dissector: Parse Geneve in UDP
  flow_dissector: Parse GUE in UDP
  gtp: Move gtp_parse_exthdrs into net/gtp.h
  flow_dissector: Parse gtp in UDP
  flow_dissector: Add case in ipproto switch for NEXTHDR_NONE

 drivers/infiniband/sw/rxe/rxe_net.c |   2 +-
 drivers/net/amt.c                   |   2 +-
 drivers/net/bareudp.c               |   2 +-
 drivers/net/geneve.c                |   2 +-
 drivers/net/gtp.c                   |  37 ---
 drivers/net/pfcp.c                  |   2 +-
 drivers/net/vxlan/vxlan_core.c      |   3 +-
 drivers/net/wireguard/socket.c      |   2 +-
 include/net/flow_dissector.h        |   1 +
 include/net/fou.h                   |  16 +
 include/net/gtp.h                   |  38 +++
 include/net/ipv6_stubs.h            |   5 +
 include/uapi/linux/udp.h            |  19 +-
 net/core/flow_dissector.c           | 468 ++++++++++++++++++++++++++--
 net/ipv4/fou_core.c                 |  19 +-
 net/ipv6/af_inet6.c                 |   1 +
 net/sctp/protocol.c                 |   2 +-
 net/tipc/udp_media.c                |   2 +-
 18 files changed, 533 insertions(+), 90 deletions(-)
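
The gating and encap_type dispatch described in the cover letter, as an added user-space model; it is not code from this patch set or from the kernel. All m_/M_ names are hypothetical, and treating a truncated header, a clear VXLAN I bit, or an unknown VXLAN-GPE next-protocol value as a bad result is this model's own choice.

```c
#include <stddef.h>
#include <stdint.h>
/* User-space model; every m_/M_ name is hypothetical, not a kernel symbol. */
enum m_ret { M_OUT_GOOD, M_OUT_BAD, M_PROTO_AGAIN, M_IPPROTO_AGAIN };
enum m_encap { M_NONE, M_ESP, M_L2TP, M_SCTP, M_VXLAN, M_VXLAN_GPE };
struct m_ctx {
    int parse_udp_encaps;   /* models FLOW_DISSECTOR_F_PARSE_UDP_ENCAPS */
    int caller_netns;       /* namespace the dissector was invoked for */
    int skb_dev_netns;      /* namespace of the packet's device */
    int encaps_seen;        /* encapsulations already dissected */
    enum m_encap sk_encap;  /* encap_type of the looked-up socket */
};
/* Decide how to continue after a UDP header; payload points just past it. */
static enum m_ret m_dissect_udp(const struct m_ctx *c, const uint8_t *payload,
                                size_t len, uint16_t *next, size_t *hlen)
{
    *next = 0; *hlen = 0;
    /* Gate: flag set, same netns as the caller, no earlier encapsulation. */
    if (!c->parse_udp_encaps || c->encaps_seen ||
        c->skb_dev_netns != c->caller_netns)
        return M_OUT_GOOD;          /* stop at UDP, no socket lookup */
    switch (c->sk_encap) {          /* type comes from the socket */
    case M_ESP:  *next = 50;  return M_IPPROTO_AGAIN;   /* IPPROTO_ESP */
    case M_L2TP: *next = 115; return M_IPPROTO_AGAIN;   /* IPPROTO_L2TP */
    case M_SCTP: *next = 132; return M_IPPROTO_AGAIN;   /* IPPROTO_SCTP */
    case M_VXLAN:
    case M_VXLAN_GPE:
        /* 8-byte header; 0x08 in the first byte is the I (valid VNI) bit */
        if (len < 8 || !(payload[0] & 0x08)) return M_OUT_BAD;
        *hlen = 8;
        *next = 0x6558;             /* ETH_P_TEB: inner Ethernet frame */
        if (c->sk_encap == M_VXLAN_GPE) {   /* GPE next-protocol octet */
            if (payload[3] == 1)      *next = 0x0800;   /* IPv4 */
            else if (payload[3] == 2) *next = 0x86DD;   /* IPv6 */
            else if (payload[3] != 3) return M_OUT_BAD; /* 3 = Ethernet */
        }
        return M_PROTO_AGAIN;
    default:
        return M_OUT_GOOD;          /* no socket, or not an encap socket */
    }
}

int main(void)
{
    const uint8_t vx[8] = { 0x08, 0, 0, 0, 0, 0, 42, 0 }; /* constructed, VNI 42 */
    struct m_ctx c = { 1, 1, 1, 0, M_VXLAN };
    uint16_t next; size_t hlen;
    return m_dissect_udp(&c, vx, sizeof(vx), &next, &hlen) != M_PROTO_AGAIN;
}
```

Because the encapsulation type is taken from the socket rather than the packet, the same 8 bytes are read as plain VXLAN or VXLAN-GPE depending only on sk_encap, and a packet whose device is in another namespace is never matched against the caller's sockets.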