| Message ID | 99c1ec6ed0212992474d19f4e15ef5d077fe99b3.1602144804.git.lucien.xin@gmail.com (mailing list archive) |
|---|---|
| State | Not Applicable |
| Headers | show |
| Series | [ipsec] xfrm: interface: fix the priorities for ipip and ipv6 tunnels | expand |
On Thu, Oct 08, 2020 at 04:13:24PM +0800, Xin Long wrote: > As Nicolas noticed in his case, when xfrm_interface module is installed > the standard IP tunnels will break in receiving packets. > > This is caused by the IP tunnel handlers with a higher priority in xfrm > interface processing incoming packets by xfrm_input(), which would drop > the packets and return 0 instead when anything wrong happens. > > Rather than changing xfrm_input(), this patch is to adjust the priority > for the IP tunnel handlers in xfrm interface, so that the packets would > go to xfrmi's later than the others', as the others' would not drop the > packets when the handlers couldn't process them. > > Note that IPCOMP also defines its own IPIP tunnel handler and it calls > xfrm_input() as well, so we must make its priority lower than xfrmi's, > which means having xfrmi loaded would still break IPCOMP. We may seek > another way to fix it in xfrm_input() in the future. > > Reported-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> > Tested-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> > Fixes: da9bbf0598c9 ("xfrm: interface: support IPIP and IPIP6 tunnels processing with .cb_handler") > FIxes: d7b360c2869f ("xfrm: interface: support IP6IP6 and IP6IP tunnels processing with .cb_handler") > Signed-off-by: Xin Long <lucien.xin@gmail.com> Applied, thanks a lot Xin!
Le 13/10/2020 à 11:28, Steffen Klassert a écrit : > On Thu, Oct 08, 2020 at 04:13:24PM +0800, Xin Long wrote: >> As Nicolas noticed in his case, when xfrm_interface module is installed >> the standard IP tunnels will break in receiving packets. >> >> This is caused by the IP tunnel handlers with a higher priority in xfrm >> interface processing incoming packets by xfrm_input(), which would drop >> the packets and return 0 instead when anything wrong happens. >> >> Rather than changing xfrm_input(), this patch is to adjust the priority >> for the IP tunnel handlers in xfrm interface, so that the packets would >> go to xfrmi's later than the others', as the others' would not drop the >> packets when the handlers couldn't process them. >> >> Note that IPCOMP also defines its own IPIP tunnel handler and it calls >> xfrm_input() as well, so we must make its priority lower than xfrmi's, >> which means having xfrmi loaded would still break IPCOMP. We may seek >> another way to fix it in xfrm_input() in the future. >> >> Reported-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> >> Tested-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> >> Fixes: da9bbf0598c9 ("xfrm: interface: support IPIP and IPIP6 tunnels processing with .cb_handler") >> FIxes: d7b360c2869f ("xfrm: interface: support IP6IP6 and IP6IP tunnels processing with .cb_handler") >> Signed-off-by: Xin Long <lucien.xin@gmail.com> > > Applied, thanks a lot Xin! > Is it possible to queue this for stable branches? Thank you, Nicolas
On Tue, Oct 13, 2020 at 02:41:18PM +0200, Nicolas Dichtel wrote: > Le 13/10/2020 à 11:28, Steffen Klassert a écrit : > > On Thu, Oct 08, 2020 at 04:13:24PM +0800, Xin Long wrote: > >> As Nicolas noticed in his case, when xfrm_interface module is installed > >> the standard IP tunnels will break in receiving packets. > >> > >> This is caused by the IP tunnel handlers with a higher priority in xfrm > >> interface processing incoming packets by xfrm_input(), which would drop > >> the packets and return 0 instead when anything wrong happens. > >> > >> Rather than changing xfrm_input(), this patch is to adjust the priority > >> for the IP tunnel handlers in xfrm interface, so that the packets would > >> go to xfrmi's later than the others', as the others' would not drop the > >> packets when the handlers couldn't process them. > >> > >> Note that IPCOMP also defines its own IPIP tunnel handler and it calls > >> xfrm_input() as well, so we must make its priority lower than xfrmi's, > >> which means having xfrmi loaded would still break IPCOMP. We may seek > >> another way to fix it in xfrm_input() in the future. > >> > >> Reported-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> > >> Tested-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> > >> Fixes: da9bbf0598c9 ("xfrm: interface: support IPIP and IPIP6 tunnels processing with .cb_handler") > >> FIxes: d7b360c2869f ("xfrm: interface: support IP6IP6 and IP6IP tunnels processing with .cb_handler") > >> Signed-off-by: Xin Long <lucien.xin@gmail.com> > > > > Applied, thanks a lot Xin! > > > Is it possible to queue this for stable branches? Yes, it will go to stable after it is intergated into the mainline.
diff --git a/net/ipv4/xfrm4_tunnel.c b/net/ipv4/xfrm4_tunnel.c index dc19aff..fb0648e 100644 --- a/net/ipv4/xfrm4_tunnel.c +++ b/net/ipv4/xfrm4_tunnel.c @@ -64,14 +64,14 @@ static int xfrm_tunnel_err(struct sk_buff *skb, u32 info) static struct xfrm_tunnel xfrm_tunnel_handler __read_mostly = { .handler = xfrm_tunnel_rcv, .err_handler = xfrm_tunnel_err, - .priority = 3, + .priority = 4, }; #if IS_ENABLED(CONFIG_IPV6) static struct xfrm_tunnel xfrm64_tunnel_handler __read_mostly = { .handler = xfrm_tunnel_rcv, .err_handler = xfrm_tunnel_err, - .priority = 2, + .priority = 3, }; #endif diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c index 25b7ebd..f696d46 100644 --- a/net/ipv6/xfrm6_tunnel.c +++ b/net/ipv6/xfrm6_tunnel.c @@ -303,13 +303,13 @@ static const struct xfrm_type xfrm6_tunnel_type = { static struct xfrm6_tunnel xfrm6_tunnel_handler __read_mostly = { .handler = xfrm6_tunnel_rcv, .err_handler = xfrm6_tunnel_err, - .priority = 2, + .priority = 3, }; static struct xfrm6_tunnel xfrm46_tunnel_handler __read_mostly = { .handler = xfrm6_tunnel_rcv, .err_handler = xfrm6_tunnel_err, - .priority = 2, + .priority = 3, }; static int __net_init xfrm6_tunnel_net_init(struct net *net) diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c index a8f6611..0bb7963 100644 --- a/net/xfrm/xfrm_interface.c +++ b/net/xfrm/xfrm_interface.c @@ -830,14 +830,14 @@ static struct xfrm6_tunnel xfrmi_ipv6_handler __read_mostly = { .handler = xfrmi6_rcv_tunnel, .cb_handler = xfrmi_rcv_cb, .err_handler = xfrmi6_err, - .priority = -1, + .priority = 2, }; static struct xfrm6_tunnel xfrmi_ip6ip_handler __read_mostly = { .handler = xfrmi6_rcv_tunnel, .cb_handler = xfrmi_rcv_cb, .err_handler = xfrmi6_err, - .priority = -1, + .priority = 2, }; #endif @@ -875,14 +875,14 @@ static struct xfrm_tunnel xfrmi_ipip_handler __read_mostly = { .handler = xfrmi4_rcv_tunnel, .cb_handler = xfrmi_rcv_cb, .err_handler = xfrmi4_err, - .priority = -1, + .priority = 3, }; static struct xfrm_tunnel xfrmi_ipip6_handler __read_mostly = { .handler = xfrmi4_rcv_tunnel, .cb_handler = xfrmi_rcv_cb, .err_handler = xfrmi4_err, - .priority = -1, + .priority = 2, }; #endif