From patchwork Tue Mar 7 21:31:27 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Xin Long X-Patchwork-Id: 13164750 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C851AC678D5 for ; Tue, 7 Mar 2023 21:31:41 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231484AbjCGVbj (ORCPT ); Tue, 7 Mar 2023 16:31:39 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39082 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229548AbjCGVbh (ORCPT ); Tue, 7 Mar 2023 16:31:37 -0500 Received: from mail-qv1-xf2e.google.com (mail-qv1-xf2e.google.com [IPv6:2607:f8b0:4864:20::f2e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 278D35849A; Tue, 7 Mar 2023 13:31:36 -0800 (PST) Received: by mail-qv1-xf2e.google.com with SMTP id ne1so9875744qvb.9; Tue, 07 Mar 2023 13:31:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1678224695; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=uR5PleXq3LjItpttm0fNa6NbIkqQPJZjrKTMGwB87kI=; b=NELzoh+VxKU1GW1YiHoFgVpLaf4QF/XIJn5RPw6pbcMhUB9t1yXmpO4oHqd3ivg0Pd PqDStIrJSblmG+LyPtp8nzA54a34xfj4jGib0KAqNsM2ROqB5F41S7cMvvL9Q+DVlI/n JZ9hKto14a8B23LCvPb7gngXcjDqcWm5eAxg4pmgMhqIqsHr2iRV/M9cdk8AOk1LoQzX UjYr1tCrIsURiGvIVKPGAR/fc6HDSfMuy8Xj6PVp2VL/baMRJrP1JuFOT58VLStCXNmg Pr0c+XbIPENdegaflVETd3PofTuiNXdvc87/pqTaEX6HXZcoHVxktDR43ZAFKqbi0Pfc qYsw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678224695; h=content-transfer-encoding:mime-version:references:in-reply-to 
:message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=uR5PleXq3LjItpttm0fNa6NbIkqQPJZjrKTMGwB87kI=; b=HtQ2xZWyCCnOZEKV6OniUbKZIAXIpczhWjJkBl6iAZgEEiOvUkrShv0q6XQIP+hC2b IINmERQNKKFQh8VQ0bc93hqwI/KLIsQBO6zwtjGrpGDClEGfj3D2ugC01qBiTTxk0LJY N930COaeDHJ36NnLQGe+tcu7aYm2VLUtTCHQcS3ijgbErLUy/1/FK7vAEAe+cbtoNS9o LCklmxMvjlvXq9b9ZIk6KHLrRAQGFTK2IcaW3EhLtudRInDncqFBr+yRpZbTlAJoaSrx OWzlfvRLOZpdxRz85FcicvAVOe1huwMeARDPuwMdhcGjR5sQ7/Y805RoWxhZP+xsHtsS EV9A== X-Gm-Message-State: AO0yUKWIlMBMeV87vNDsEtg/soBB2cMWJ12wN/zdFs7cF+Ijrvd0FD2X IaiE/6JTrHdS0YN1Xdu85/vkmBmqRq8DXA== X-Google-Smtp-Source: AK7set+qSLYW48OfgiFsnrkFXCbJKrevbDD9p/ZIaO8AU/oCYixzGkd1Qgh2BUPEM51jf5EGqnRL/Q== X-Received: by 2002:a05:6214:c46:b0:56e:a756:912 with SMTP id r6-20020a0562140c4600b0056ea7560912mr24262145qvj.52.1678224695035; Tue, 07 Mar 2023 13:31:35 -0800 (PST) Received: from wsfd-netdev15.ntdv.lab.eng.bos.redhat.com (nat-pool-bos-t.redhat.com. [66.187.233.206]) by smtp.gmail.com with ESMTPSA id r125-20020a374483000000b006fcb77f3bd6sm10269329qka.98.2023.03.07.13.31.34 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 07 Mar 2023 13:31:34 -0800 (PST) 
From: Xin Long
To: netfilter-devel@vger.kernel.org, network dev
Cc: Pablo Neira Ayuso , Jozsef Kadlecsik , Florian Westphal , davem@davemloft.net, kuba@kernel.org, Eric Dumazet , Paolo Abeni , Roopa Prabhu , Nikolay Aleksandrov , Pravin B Shelar , Aaron Conole , Simon Horman
Subject: [PATCHv2 nf-next 1/6] netfilter: bridge: call pskb_may_pull in br_nf_check_hbh_len
Date: Tue, 7 Mar 2023 16:31:27 -0500
Message-Id: <1395e96f22b8eb3abb0593af644ac687ac746591.1678224658.git.lucien.xin@gmail.com>
X-Mailer: git-send-email 2.39.1
In-Reply-To:
References:
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

When checking the Hop-by-hop option header, if the option data is in a nonlinear area, it should do pskb_may_pull instead of discarding the skb as a bad IPv6 packet.

Signed-off-by: Xin Long
Reviewed-by: Simon Horman
Acked-by: Nikolay Aleksandrov
Reviewed-by: Aaron Conole
---
 net/bridge/br_netfilter_ipv6.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
index 6b07f30675bb..afd1c718b683 100644
--- a/net/bridge/br_netfilter_ipv6.c
+++ b/net/bridge/br_netfilter_ipv6.c
@@ -45,14 +45,18 @@ */ static int br_nf_check_hbh_len(struct sk_buff *skb) { - unsigned char *raw = (u8 *)(ipv6_hdr(skb) + 1); + int len, off = sizeof(struct ipv6hdr); + unsigned char *nh; u32 pkt_len; - const unsigned char *nh = skb_network_header(skb); - int off = raw - nh; - int len = (raw[1] + 1) << 3; - if ((raw + len) - skb->data > skb_headlen(skb)) + if (!pskb_may_pull(skb, off + 8)) goto bad; + nh = (unsigned char *)(ipv6_hdr(skb) + 1); + len = (nh[1] + 1) << 3; + + if (!pskb_may_pull(skb, off + len)) + goto bad; + nh = skb_network_header(skb); off += 2; len -= 2;

From patchwork Tue Mar 7 21:31:28 2023 X-Patchwork-Submitter: Xin Long X-Patchwork-Id: 13164751 X-Patchwork-Delegate: kuba@kernel.org
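Review bot: in the 1/6 hunk of br_nf_check_hbh_len(), the two pull lengths `off + 8` and `off + len` (with `off = sizeof(struct ipv6hdr)`) are measured by pskb_may_pull() from skb->data, while `nh = skb_network_header(skb)` is then indexed with that same `off`; the two only agree when skb->data already sits on the IPv6 header. That is true for the br_validate_ipv6() caller, but nothing in the function says so, so a one-line comment (or pulling `skb_network_offset(skb) + off`) would keep the next caller honest. Minor: `nh` first points at `ipv6_hdr(skb) + 1` and a few lines later at the network header, two different bases for the same variable; since the second assignment is what makes the pointer valid again after a pull that may have reallocated the head, a comment saying so (or a separate pointer for the hbh header) would make the intent clear.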
From: Xin Long
To: netfilter-devel@vger.kernel.org, network dev
Cc: Pablo Neira Ayuso , Jozsef Kadlecsik , Florian Westphal , davem@davemloft.net, kuba@kernel.org, Eric Dumazet , Paolo Abeni , Roopa Prabhu , Nikolay Aleksandrov , Pravin B Shelar , Aaron Conole , Simon Horman
Subject: [PATCHv2 nf-next 2/6] netfilter: bridge: check len before accessing more nh data
Date: Tue, 7 Mar 2023 16:31:28 -0500
Message-Id: <886b94408ada2f8c92eeb679425a0c7cb9422901.1678224658.git.lucien.xin@gmail.com>
X-Mailer: git-send-email 2.39.1
In-Reply-To:
References:
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

In the while loop of br_nf_check_hbh_len(), similar to ip6_parse_tlv(), before accessing 'nh[off + 1]', it should add a check 'len < 2'; and before parsing IPV6_TLV_JUMBO, it should add a check 'optlen > len', in case of overflows.

Signed-off-by: Xin Long
Reviewed-by: Simon Horman
Acked-by: Nikolay Aleksandrov
Reviewed-by: Aaron Conole
---
 net/bridge/br_netfilter_ipv6.c | 45 +++++++++++++++-------------------
 1 file changed, 20 insertions(+), 25 deletions(-)

diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
index afd1c718b683..8be3c5c8b925 100644
--- a/net/bridge/br_netfilter_ipv6.c
+++ b/net/bridge/br_netfilter_ipv6.c
@@ -50,54 +50,49 @@ static int br_nf_check_hbh_len(struct sk_buff *skb) u32 pkt_len; if (!pskb_may_pull(skb, off + 8)) - goto bad; + return -1; nh = (unsigned char *)(ipv6_hdr(skb) + 1); len = (nh[1] + 1) << 3; if (!pskb_may_pull(skb, off + len)) - goto bad; + return -1; nh = skb_network_header(skb); off += 2; len -= 2; - while (len > 0) { - int optlen = nh[off + 1] + 2; - - switch (nh[off]) { - case IPV6_TLV_PAD1: - optlen = 1; - break; + int optlen; - case IPV6_TLV_PADN: - break; + if (nh[off] == IPV6_TLV_PAD1) { + off++; + len--; + continue; + } + if (len < 2) + return -1; + optlen = nh[off + 1] + 2; + if (optlen > len) + return -1; - case IPV6_TLV_JUMBO: + if (nh[off] == IPV6_TLV_JUMBO) { if (nh[off + 1] != 4 || (off & 3) != 2) - goto bad; + return -1; pkt_len = ntohl(*(__be32 *)(nh + off + 2)); if (pkt_len <= IPV6_MAXPLEN || ipv6_hdr(skb)->payload_len) - goto bad; + return -1; if (pkt_len > skb->len - sizeof(struct ipv6hdr)) - goto bad; + return -1; if (pskb_trim_rcsum(skb, pkt_len + sizeof(struct ipv6hdr))) - goto bad; + return -1; nh = skb_network_header(skb); - break; - default: - if (optlen > len) - goto bad; - break; } off += optlen; len -= optlen; } - if (len == 0) - return 0; -bad: - return -1; + + return len ? 
-1 : 0; } int br_validate_ipv6(struct net *net, struct sk_buff *skb)

From patchwork Tue Mar 7 21:31:29 2023 X-Patchwork-Submitter: Xin Long X-Patchwork-Id: 13164752 X-Patchwork-Delegate: kuba@kernel.org
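Review bot: in the 2/6 hunk, the closing `return len ? -1 : 0;` can no longer yield -1: the loop body only subtracts 1 from a positive `len` (PAD1) or subtracts `optlen` after `optlen > len` was rejected, so `len` is exactly 0 whenever the loop exits; either return 0 outright or keep the ternary with a comment that it is defensive. Second point: a header carrying IPV6_TLV_JUMBO twice is still accepted, each occurrence passes the `nh[off + 1] != 4 || (off & 3) != 2` and pkt_len checks on its own and calls pskb_trim_rcsum() again with its own value, so the last one wins silently; rejecting a repeated Jumbo option would close that off.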
From: Xin Long
To: netfilter-devel@vger.kernel.org, network dev
Cc: Pablo Neira Ayuso , Jozsef Kadlecsik , Florian Westphal , davem@davemloft.net, kuba@kernel.org, Eric Dumazet , Paolo Abeni , Roopa Prabhu , Nikolay Aleksandrov , Pravin B Shelar , Aaron Conole , Simon Horman
Subject: [PATCHv2 nf-next 3/6] netfilter: bridge: move pskb_trim_rcsum out of br_nf_check_hbh_len
Date: Tue, 7 Mar 2023 16:31:29 -0500
Message-Id: <8b829c2e59f486705fcaf0b5981f7d830638bba0.1678224658.git.lucien.xin@gmail.com>
X-Mailer: git-send-email 2.39.1
In-Reply-To:
References:
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

br_nf_check_hbh_len() is a function to check the Hop-by-hop option header, and shouldn't do pskb_trim_rcsum() there. This patch is to pass pkt_len out to br_validate_ipv6() and do pskb_trim_rcsum() after calling br_validate_ipv6() instead.

Signed-off-by: Xin Long
Reviewed-by: Simon Horman
Acked-by: Nikolay Aleksandrov
Reviewed-by: Aaron Conole
---
 net/bridge/br_netfilter_ipv6.c | 33 ++++++++++++++-------------------
 1 file changed, 14 insertions(+), 19 deletions(-)

diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
index 8be3c5c8b925..a0d6dfb3e255 100644
--- a/net/bridge/br_netfilter_ipv6.c
+++ b/net/bridge/br_netfilter_ipv6.c
@@ -43,11 +43,10 @@ /* We only check the length. A bridge shouldn't do any hop-by-hop stuff * anyway */ -static int br_nf_check_hbh_len(struct sk_buff *skb) +static int br_nf_check_hbh_len(struct sk_buff *skb, u32 *plen) { int len, off = sizeof(struct ipv6hdr); unsigned char *nh; - u32 pkt_len; if (!pskb_may_pull(skb, off + 8)) return -1;
@@ -75,6 +74,8 @@ static int br_nf_check_hbh_len(struct sk_buff *skb) return -1; if (nh[off] == IPV6_TLV_JUMBO) { + u32 pkt_len; + if (nh[off + 1] != 4 || (off & 3) != 2) return -1; pkt_len = ntohl(*(__be32 *)(nh + off + 2));
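Review bot: in the first 3/6 hunk, the new `u32 *plen` is written only on the IPV6_TLV_JUMBO path, so for a Hop-by-Hop header without a Jumbo option the function returns 0 and leaves *plen untouched; the contract that the caller preloads it with ntohs(payload_len) is visible only in br_validate_ipv6(). State that in the comment above the function (which still reads 'We only check the length'), since 4/6 exports it for other callers.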
@@ -83,10 +84,7 @@ static int br_nf_check_hbh_len(struct sk_buff *skb) return -1; if (pkt_len > skb->len - sizeof(struct ipv6hdr)) return -1; - if (pskb_trim_rcsum(skb, - pkt_len + sizeof(struct ipv6hdr))) - return -1; - nh = skb_network_header(skb); + *plen = pkt_len; } off += optlen; len -= optlen; 
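Review bot: in the @@ -83,10 +84,7 @@ hunk, with the trim gone the `pkt_len > skb->len - sizeof(struct ipv6hdr)` test directly above the removed lines now duplicates the `pkt_len + ip6h_len > skb->len` check that br_validate_ipv6() runs on the value it gets back; harmless, but either drop one or leave a comment that the helper keeps its own bound so callers that do not re-check stay safe.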
@@ -114,22 +112,19 @@ int br_validate_ipv6(struct net *net, struct sk_buff *skb) goto inhdr_error; pkt_len = ntohs(hdr->payload_len); + if (hdr->nexthdr == NEXTHDR_HOP && br_nf_check_hbh_len(skb, &pkt_len)) + goto drop; - if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) { - if (pkt_len + ip6h_len > skb->len) { - __IP6_INC_STATS(net, idev, - IPSTATS_MIB_INTRUNCATEDPKTS); - goto drop; - } - if (pskb_trim_rcsum(skb, pkt_len + ip6h_len)) { - __IP6_INC_STATS(net, idev, - IPSTATS_MIB_INDISCARDS); - goto drop; - } - hdr = ipv6_hdr(skb); + if (pkt_len + ip6h_len > skb->len) { + __IP6_INC_STATS(net, idev, + IPSTATS_MIB_INTRUNCATEDPKTS); + goto drop; } - if (hdr->nexthdr == NEXTHDR_HOP && br_nf_check_hbh_len(skb)) + if (pskb_trim_rcsum(skb, pkt_len + ip6h_len)) { + __IP6_INC_STATS(net, idev, + IPSTATS_MIB_INDISCARDS); goto drop; + } memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm)); /* No IP options in IPv6 header; however it should be

From patchwork Tue Mar 7 21:31:30 2023 X-Patchwork-Submitter: Xin Long X-Patchwork-Id: 13164754 X-Patchwork-Delegate: kuba@kernel.org
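Review bot: in the br_validate_ipv6() hunk, removing the `if (pkt_len || hdr->nexthdr != NEXTHDR_HOP)` guard changes the fate of a packet whose payload_len is 0 and whose Hop-by-Hop header has no Jumbo option: br_nf_check_hbh_len() returns 0 without touching pkt_len, so `pskb_trim_rcsum(skb, pkt_len + ip6h_len)` now trims the skb to the bare 40-byte IPv6 header, where the old code let it through untrimmed. If such a packet is meant to be invalid (payload_len 0 with NEXTHDR_HOP only makes sense together with a Jumbo option), have the helper fail when it finishes the walk with *plen still 0 instead of truncating silently; if it is meant to pass, the guard has to stay. Either way the behaviour change belongs in the commit message. Related: `hdr` is stale once br_nf_check_hbh_len() has run, since its pskb_may_pull() can reallocate the head, and the hunk drops the `hdr = ipv6_hdr(skb);` refresh; nothing below the trim uses `hdr` today, so a comment to that effect would stop a future use from going through the old pointer.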
From: Xin Long
To: netfilter-devel@vger.kernel.org, network dev
Cc: Pablo Neira Ayuso , Jozsef Kadlecsik , Florian Westphal , davem@davemloft.net, kuba@kernel.org, Eric Dumazet , Paolo Abeni , Roopa Prabhu , Nikolay Aleksandrov , Pravin B Shelar , Aaron Conole , Simon Horman
Subject: [PATCHv2 nf-next 4/6] netfilter: move br_nf_check_hbh_len to utils
Date: Tue, 7 Mar 2023 16:31:30 -0500
Message-Id:
X-Mailer: git-send-email 2.39.1
In-Reply-To:
References:
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

Rename br_nf_check_hbh_len() to nf_ip6_check_hbh_len() and move it to netfilter utils, so that it can be used by other modules, like ovs and tc.

Signed-off-by: Xin Long
Reviewed-by: Simon Horman
Reviewed-by: Nikolay Aleksandrov
Reviewed-by: Aaron Conole
---
 include/linux/netfilter_ipv6.h |  2 ++
 net/bridge/br_netfilter_ipv6.c | 55 +---------------------------------
 net/netfilter/utils.c          | 52 ++++++++++++++++++++++++++++++++
 3 files changed, 55 insertions(+), 54 deletions(-)

diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 48314ade1506..7834c0be2831 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -197,6 +197,8 @@ static inline int nf_cookie_v6_check(const struct ipv6hdr *iph, __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook, unsigned int dataoff, u_int8_t protocol); +int nf_ip6_check_hbh_len(struct sk_buff *skb, u32 *plen); + int ipv6_netfilter_init(void); void ipv6_netfilter_fini(void);
diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
index a0d6dfb3e255..550039dfc31a 100644
--- a/net/bridge/br_netfilter_ipv6.c
+++ b/net/bridge/br_netfilter_ipv6.c
@@ -40,59 +40,6 @@ #include #endif -/* We only check the length. A bridge shouldn't do any hop-by-hop stuff - * anyway - */ -static int br_nf_check_hbh_len(struct sk_buff *skb, u32 *plen) -{ - int len, off = sizeof(struct ipv6hdr); - unsigned char *nh; - - if (!pskb_may_pull(skb, off + 8)) - return -1; - nh = (unsigned char *)(ipv6_hdr(skb) + 1); - len = (nh[1] + 1) << 3; - - if (!pskb_may_pull(skb, off + len)) - return -1; - nh = skb_network_header(skb); - - off += 2; - len -= 2; - while (len > 0) { - int optlen; - - if (nh[off] == IPV6_TLV_PAD1) { - off++; - len--; - continue; - } - if (len < 2) - return -1; - optlen = nh[off + 1] + 2; - if (optlen > len) - return -1; - - if (nh[off] == IPV6_TLV_JUMBO) { - u32 pkt_len; - - if (nh[off + 1] != 4 || (off & 3) != 2) - return -1; - pkt_len = ntohl(*(__be32 *)(nh + off + 2)); - if (pkt_len <= IPV6_MAXPLEN || - ipv6_hdr(skb)->payload_len) - return -1; - if (pkt_len > skb->len - sizeof(struct ipv6hdr)) - return -1; - *plen = pkt_len; - } - off += optlen; - len -= optlen; - } - - return len ? -1 : 0; -} - int br_validate_ipv6(struct net *net, struct sk_buff *skb) { const struct ipv6hdr *hdr; @@ -112,7 +59,7 @@ int br_validate_ipv6(struct net *net, struct sk_buff *skb) goto inhdr_error; pkt_len = ntohs(hdr->payload_len); - if (hdr->nexthdr == NEXTHDR_HOP && br_nf_check_hbh_len(skb, &pkt_len)) + if (hdr->nexthdr == NEXTHDR_HOP && nf_ip6_check_hbh_len(skb, &pkt_len)) goto drop; if (pkt_len + ip6h_len > skb->len) { diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c index 2182d361e273..acef4155f0da 100644 --- a/net/netfilter/utils.c +++ b/net/netfilter/utils.c 
@@ -215,3 +215,55 @@ int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry) } return ret; } + +/* Only get and check the lengths, not do any hop-by-hop stuff. */ +int nf_ip6_check_hbh_len(struct sk_buff *skb, u32 *plen) +{ + int len, off = sizeof(struct ipv6hdr); + unsigned char *nh; + + if (!pskb_may_pull(skb, off + 8)) + return -ENOMEM; + nh = (unsigned char *)(ipv6_hdr(skb) + 1); + len = (nh[1] + 1) << 3; + + if (!pskb_may_pull(skb, off + len)) + return -ENOMEM; + nh = skb_network_header(skb); + + off += 2; + len -= 2; + while (len > 0) { + int optlen; + + if (nh[off] == IPV6_TLV_PAD1) { + off++; + len--; + continue; + } + if (len < 2) + return -EBADMSG; + optlen = nh[off + 1] + 2; + if (optlen > len) + return -EBADMSG; + + if (nh[off] == IPV6_TLV_JUMBO) { + u32 pkt_len; + + if (nh[off + 1] != 4 || (off & 3) != 2) + return -EBADMSG; + pkt_len = ntohl(*(__be32 *)(nh + off + 2)); + if (pkt_len <= IPV6_MAXPLEN || + ipv6_hdr(skb)->payload_len) + return -EBADMSG; + if (pkt_len > skb->len - sizeof(struct ipv6hdr)) + return -EBADMSG; + *plen = pkt_len; + } + off += optlen; + len -= optlen; + } + + return len ? 
-EBADMSG : 0; +} +EXP... 

From patchwork Tue Mar 7 21:31:31 2023 X-Patchwork-Submitter: Xin Long X-Patchwork-Id: 13164753 X-Patchwork-Delegate: kuba@kernel.org
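Review bot: in the utils.c hunk, both failed pskb_may_pull() calls return -ENOMEM, but pskb_may_pull() also returns 0 when the packet is simply shorter than `off + 8` or `off + len` (truncated, or a hdrlen that lies), so a malformed packet is reported to every new caller as an allocation failure. Check `skb->len < off + len` first and return -EBADMSG for that, leaving -ENOMEM for the real reallocation failure. The new export also deserves a kernel-doc block rather than the one-line comment, since it is about to gain callers outside the bridge: skb->data must sit on the IPv6 header, *plen is written only when a Jumbo option is present and must be preloaded by the caller, and the return values are 0, -EBADMSG or -ENOMEM.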
From: Xin Long
To: netfilter-devel@vger.kernel.org, network dev
Cc: Pablo Neira Ayuso , Jozsef Kadlecsik , Florian Westphal , davem@davemloft.net, kuba@kernel.org, Eric Dumazet , Paolo Abeni , Roopa Prabhu , Nikolay Aleksandrov , Pravin B Shelar , Aaron Conole , Simon Horman
Subject: [PATCHv2 nf-next 5/6] netfilter: use nf_ip6_check_hbh_len in nf_ct_skb_network_trim
Date: Tue, 7 Mar 2023 16:31:31 -0500
Message-Id:
X-Mailer: git-send-email 2.39.1
In-Reply-To:
References:
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org
X-Patchwork-Delegate: kuba@kernel.org

For IPv6 Jumbo packets, the ipv6_hdr(skb)->payload_len is always 0, and its real payload_len (> 65535) is saved in the hbh exthdr. With 0 length for the jumbo packets, all data and exthdr will be trimmed in nf_ct_skb_network_trim(). This patch is to call nf_ip6_check_hbh_len() to get the real pkt_len of the IPv6 packet, similar to br_validate_ipv6().

Signed-off-by: Xin Long
Reviewed-by: Simon Horman
Reviewed-by: Nikolay Aleksandrov
Reviewed-by: Aaron Conole
---
 net/netfilter/nf_conntrack_ovs.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_ovs.c b/net/netfilter/nf_conntrack_ovs.c
index 52b776bdf526..068e9489e1c2 100644
--- a/net/netfilter/nf_conntrack_ovs.c
+++ b/net/netfilter/nf_conntrack_ovs.c
@@ -6,6 +6,7 @@ #include #include #include +#include /* 'skb' should already be pulled to nh_ofs. */ int nf_ct_helper(struct sk_buff *skb, struct nf_conn *ct,
@@ -120,8 +121,14 @@ int nf_ct_skb_network_trim(struct sk_buff *skb, int family) len = skb_ip_totlen(skb); break; case NFPROTO_IPV6: - len = sizeof(struct ipv6hdr) - + ntohs(ipv6_hdr(skb)->payload_len); + len = ntohs(ipv6_hdr(skb)->payload_len); + if (ipv6_hdr(skb)->nexthdr == NEXTHDR_HOP) { + int err = nf_ip6_check_hbh_len(skb, &len); + + if (err) + return err; + } + len += sizeof(struct ipv6hdr); break; default: len = skb->len;

From patchwork Tue Mar 7 21:31:32 2023 X-Patchwork-Submitter: Xin Long X-Patchwork-Id: 13164755 X-Patchwork-Delegate: kuba@kernel.org
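Review bot: in the nf_ct_skb_network_trim() hunk, `&len` is handed to nf_ip6_check_hbh_len(), whose parameter is `u32 *`; the declaration of `len` is outside the hunk, so confirm it is `unsigned int` and not `int`, otherwise this is an incompatible pointer type. Also, `return err` is the first error path inside this switch and it surfaces the helper's -EBADMSG and -ENOMEM to the ovs and act_ct callers, which must treat every non-zero return as a drop; worth a sentence in the commit message.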
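As an added example that is not part of this series or of the kernel tree: a userspace C model of the length-only Hop-by-Hop walk that nf_ip6_check_hbh_len() performs after 2/6, 3/6 and 4/6, fed with the Jumbo semantics described in 5/6 (payload_len is 0 and the real length lives in the HBH option). The names check_hbh_len, ipv6_effective_len, run_case and the opt_* byte strings are my own, a byte buffer and its length replace the sk_buff and pskb_may_pull(), and every packet is constructed in run_case rather than captured. It exercises the two checks 2/6 adds (len < 2 before reading the length byte, optlen > len before advancing), the Jumbo size, alignment and payload_len rules, a Jumbo length larger than the data actually held, a truncated HBH header, and the zero payload_len header without a Jumbo option, which the series leaves at 40 bytes.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define IPV6HDR_LEN    40
#define IPV6_MAXPLEN   65535
#define NEXTHDR_HOP    0
#define IPV6_TLV_PAD1  0
#define IPV6_TLV_PADN  1
#define IPV6_TLV_JUMBO 194

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

/* Length-only walk of the Hop-by-Hop header behind the IPv6 header at nh; buf_len
 * stands in for skb->len, so both pskb_may_pull() calls become bounds checks.
 * *plen is written only when a Jumbo Payload option is present. */
int check_hbh_len(const uint8_t *nh, size_t buf_len, uint32_t *plen)
{
	size_t off = IPV6HDR_LEN, len;
	if (buf_len < off + 8)                 /* the fixed 8-byte HBH header */
		return -EBADMSG;
	len = ((size_t)nh[off + 1] + 1) << 3;  /* hdrlen counts 8-octet units after the first */
	if (buf_len < off + len)               /* hdrlen claims bytes we do not hold */
		return -EBADMSG;
	off += 2; len -= 2;                    /* skip nexthdr and hdrlen */
	while (len > 0) {
		size_t optlen;
		if (nh[off] == IPV6_TLV_PAD1) {    /* one byte, no length field */
			off++; len--;
			continue;
		}
		if (len < 2)                       /* type byte with no length byte */
			return -EBADMSG;
		optlen = (size_t)nh[off + 1] + 2;
		if (optlen > len)                  /* option runs past the HBH header */
			return -EBADMSG;
		if (nh[off] == IPV6_TLV_JUMBO) {
			uint32_t pkt_len;
			if (nh[off + 1] != 4 || (off & 3) != 2)  /* RFC 2675 size and 4n+2 alignment */
				return -EBADMSG;
			pkt_len = rd32(nh + off + 2);
			if (pkt_len <= IPV6_MAXPLEN || rd16(nh + 4) != 0)  /* jumbo needs payload_len 0 */
				return -EBADMSG;
			if (pkt_len > buf_len - IPV6HDR_LEN)  /* claims more than we hold */
				return -EBADMSG;
			*plen = pkt_len;
		}
		off += optlen; len -= optlen;
	}
	return 0;
}

/* Total length the bridge/conntrack trim would keep (IPv6 header + payload_len,
 * or + the Jumbo length), or a negative errno for a packet that must be dropped. */
long ipv6_effective_len(const uint8_t *pkt, size_t buf_len)
{
	uint32_t plen;
	if (buf_len < IPV6HDR_LEN || (pkt[0] >> 4) != 6)
		return -EBADMSG;
	plen = rd16(pkt + 4);                  /* preloaded by the caller, as in br_validate_ipv6() */
	if (pkt[6] == NEXTHDR_HOP) {
		int err = check_hbh_len(pkt, buf_len, &plen);
		if (err)
			return err;
	}
	if ((size_t)plen + IPV6HDR_LEN > buf_len)  /* truncated */
		return -EBADMSG;
	return (long)plen + IPV6HDR_LEN;
}

/* Constructed input: IPv6 header (nexthdr = HBH) + one 8-byte HBH header whose six
 * option bytes come from opts, zero payload up to `total`. Only the first `claim`
 * bytes are evaluated, which models a truncated skb. */
long run_case(size_t total, size_t claim, uint16_t payload_len, const uint8_t opts[6])
{
	uint8_t *buf;
	long r;
	if (total < IPV6HDR_LEN + 8 || claim > total)
		return -EINVAL;
	buf = calloc(1, total);
	if (!buf)
		return -ENOMEM;
	buf[0] = 0x60;                                                   /* version 6 */
	buf[4] = (uint8_t)(payload_len >> 8); buf[5] = (uint8_t)(payload_len & 0xff);
	buf[6] = NEXTHDR_HOP; buf[7] = 64;                               /* next header, hop limit */
	buf[40] = 6; buf[41] = 0;              /* HBH next header TCP (assumed), hdrlen 0 = 8 bytes */
	memcpy(buf + 42, opts, 6);
	r = ipv6_effective_len(buf, claim);
	free(buf);
	return r;
}

/* Constructed option bytes for the cases in the test */
const uint8_t opt_jumbo_70000[6]    = { IPV6_TLV_JUMBO, 4, 0x00, 0x01, 0x11, 0x70 };
const uint8_t opt_padn4[6]          = { IPV6_TLV_PADN, 4, 0, 0, 0, 0 };
const uint8_t opt_padn_overrun[6]   = { IPV6_TLV_PADN, 8, 0, 0, 0, 0 };  /* optlen 10 > 6 left */
const uint8_t opt_pad1_then_type[6] = { 0, 0, 0, 0, 0, IPV6_TLV_PADN };  /* len < 2 at the end */
```

Build with `cc -Wall` and call run_case() from a main() of your own; the return value is what br_validate_ipv6() would trim the packet to, or a negative errno in the style 4/6 adopts (a short buffer is reported as -EBADMSG here, where the kernel helper returns -ENOMEM from a failed pskb_may_pull()).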
From patchwork Tue Mar 7 21:31:32 2023
X-Patchwork-Submitter: Xin Long
X-Patchwork-Id: 13164755
X-Patchwork-Delegate: kuba@kernel.org
From: Xin Long
To: netfilter-devel@vger.kernel.org, network dev
Cc: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, davem@davemloft.net, kuba@kernel.org, Eric Dumazet, Paolo Abeni, Roopa Prabhu, Nikolay Aleksandrov, Pravin B Shelar, Aaron Conole, Simon Horman
Subject: [PATCHv2 nf-next 6/6] selftests: add a selftest for big tcp
Date: Tue, 7 Mar 2023 16:31:32 -0500
X-Mailing-List: netdev@vger.kernel.org

This test runs on the client-router-server topo, and monitors the traffic on the RX devices of router and server while sending BIG TCP packets with netperf from client to server. Meanwhile, it changes 'tso' on the TX devs and 'gro' on the RX devs. Then it checks if any BIG TCP packets appear on the RX devs with 'ip/ip6tables -m length ! --length 0:65535' for each case.

Note that we also add tc action ct in link1 ingress to cover the ipv6 jumbo packets process in nf_ct_skb_network_trim() of nf_conntrack_ovs.

Signed-off-by: Xin Long
Reviewed-by: Aaron Conole
Reviewed-by: Nikolay Aleksandrov
---
 tools/testing/selftests/net/Makefile   |   1 +
 tools/testing/selftests/net/big_tcp.sh | 180 +++++++++++++++++++++++++
 2 files changed, 181 insertions(+)
 create mode 100755 tools/testing/selftests/net/big_tcp.sh

diff --git a/tools/testing/selftests/net/Makefile b/tools/testing/selftests/net/Makefile index 6cd8993454d7..099741290184 100644 --- a/tools/testing/selftests/net/Makefile +++ b/tools/testing/selftests/net/Makefile @@ -48,6 +48,7 @@ TEST_PROGS += l2_tos_ttl_inherit.sh TEST_PROGS += bind_bhash.sh TEST_PROGS += ip_local_port_range.sh TEST_PROGS += rps_default_mask.sh +TEST_PROGS += big_tcp.sh TEST_PROGS_EXTENDED := in_netns.sh setup_loopback.sh setup_veth.sh TEST_PROGS_EXTENDED += toeplitz_client.sh toeplitz.sh TEST_GEN_FILES = socket nettest 
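Review bot: adding big_tcp.sh to TEST_PROGS is fine, but the script depends on the tc ct action and on the xtables length match in the raw table, so the selftests net config should also list the Kconfig options that provide them (CONFIG_NET_ACT_CT, CONFIG_NETFILTER_XT_MATCH_LENGTH, CONFIG_IP_NF_RAW and CONFIG_IP6_NF_RAW); otherwise a harness-built kernel fails the test at runtime rather than skipping it.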
diff --git a/tools/testing/selftests/net/big_tcp.sh b/tools/testing/selftests/net/big_tcp.sh new file mode 100755 index 000000000000..cde9a91c4797 --- /dev/null +++ b/tools/testing/selftests/net/big_tcp.sh 
@@ -0,0 +1,180 @@ +#!/bin/bash +# SPDX-License-Identifier: GPL-2.0 +# +# Testing For IPv4 and IPv6 BIG TCP. +# TOPO: CLIENT_NS (link0)<--->(link1) ROUTER_NS (link2)<--->(link3) SERVER_NS + +CLIENT_NS=$(mktemp -u client-XXXXXXXX) +CLIENT_IP4="198.51.100.1" +CLIENT_IP6="2001:db8:1::1" + +SERVER_NS=$(mktemp -u server-XXXXXXXX) +SERVER_IP4="203.0.113.1" +SERVER_IP6="2001:db8:2::1" + +ROUTER_NS=$(mktemp -u router-XXXXXXXX) +SERVER_GW4="203.0.113.2" +CLIENT_GW4="198.51.100.2" +SERVER_GW6="2001:db8:2::2" +CLIENT_GW6="2001:db8:1::2" + +MAX_SIZE=128000 +CHK_SIZE=65535 + +# Kselftest framework requirement - SKIP code is 4. +ksft_skip=4 + +setup() { + ip netns add $CLIENT_NS + ip netns add $SERVER_NS + ip netns add $ROUTER_NS + ip -net $ROUTER_NS link add link1 type veth peer name link0 netns $CLIENT_NS + ip -net $ROUTER_NS link add link2 type veth peer name link3 netns $SERVER_NS + + ip -net $CLIENT_NS link set link0 up + ip -net $CLIENT_NS link set link0 mtu 1442 + ip -net $CLIENT_NS addr add $CLIENT_IP4/24 dev link0 + ip -net $CLIENT_NS addr add $CLIENT_IP6/64 dev link0 nodad + ip -net $CLIENT_NS route add $SERVER_IP4 dev link0 via $CLIENT_GW4 + ip -net $CLIENT_NS route add $SERVER_IP6 dev link0 via $CLIENT_GW6 + ip -net $CLIENT_NS link set dev link0 \ + gro_ipv4_max_size $MAX_SIZE gso_ipv4_max_size $MAX_SIZE + ip -net $CLIENT_NS link set dev link0 \ + gro_max_size $MAX_SIZE gso_max_size $MAX_SIZE + ip net exec $CLIENT_NS sysctl -wq net.ipv4.tcp_window_scaling=10 + + ip -net $ROUTER_NS link set link1 up + ip -net $ROUTER_NS link set link2 up + ip -net $ROUTER_NS addr add $CLIENT_GW4/24 dev link1 + ip -net $ROUTER_NS addr add $CLIENT_GW6/64 dev link1 nodad + ip -net $ROUTER_NS addr add $SERVER_GW4/24 dev link2 + ip -net $ROUTER_NS addr add $SERVER_GW6/64 dev link2 nodad + ip -net $ROUTER_NS link set dev link1 \ + gro_ipv4_max_size $MAX_SIZE gso_ipv4_max_size $MAX_SIZE + ip -net $ROUTER_NS link set dev link2 \ + gro_ipv4_max_size $MAX_SIZE gso_ipv4_max_size $MAX_SIZE + ip 
-net $ROUTER_NS link set dev link1 \ + gro_max_size $MAX_SIZE gso_max_size $MAX_SIZE + ip -net $ROUTER_NS link set dev link2 \ + gro_max_size $MAX_SIZE gso_max_size $MAX_SIZE + # test for nf_ct_skb_network_trim in nf_conntrack_ovs used by TC ct action. + ip net exec $ROUTER_NS tc qdisc add dev link1 ingress + ip net exec $ROUTER_NS tc filter add dev link1 ingress \ + proto ip flower ip_proto tcp action ct + ip net exec $ROUTER_NS tc filter add dev link1 ingress \ + proto ipv6 flower ip_proto tcp action ct + ip net exec $ROUTER_NS sysctl -wq net.ipv4.ip_forward=1 + ip net exec $ROUTER_NS sysctl -wq net.ipv6.conf.all.forwarding=1 + + ip -net $SERVER_NS link set link3 up + ip -net $SERVER_NS addr add $SERVER_IP4/24 dev link3 + ip -net $SERVER_NS addr add $SERVER_IP6/64 dev link3 nodad + ip -net $SERVER_NS route add $CLIENT_IP4 dev link3 via $SERVER_GW4 + ip -net $SERVER_NS route add $CLIENT_IP6 dev link3 via $SERVER_GW6 + ip -net $SERVER_NS link set dev link3 \ + gro_ipv4_max_size $MAX_SIZE gso_ipv4_max_size $MAX_SIZE + ip -net $SERVER_NS link set dev link3 \ + gro_max_size $MAX_SIZE gso_max_size $MAX_SIZE + ip net exec $SERVER_NS sysctl -wq net.ipv4.tcp_window_scaling=10 + ip net exec $SERVER_NS netserver 2>&1 >/dev/null +} + +cleanup() { + ip net exec $SERVER_NS pkill netserver + ip -net $ROUTER_NS link del link1 + ip -net $ROUTER_NS link del link2 + ip netns del "$CLIENT_NS" + ip netns del "$SERVER_NS" + ip netns del "$ROUTER_NS" +} + +start_counter() { + local ipt="iptables" + local iface=$1 + local netns=$2 + + [ "$NF" = "6" ] && ipt="ip6tables" + ip net exec $netns $ipt -t raw -A PREROUTING -i $iface \ + -m length ! 
--length 0:$CHK_SIZE -j ACCEPT +} + +check_counter() { + local ipt="iptables" + local iface=$1 + local netns=$2 + + [ "$NF" = "6" ] && ipt="ip6tables" + test `ip net exec $netns $ipt -t raw -L -v |grep $iface | awk '{print $1}'` != "0" +} + +stop_counter() { + local ipt="iptables" + local iface=$1 + local netns=$2 + + [ "$NF" = "6" ] && ipt="ip6tables" + ip net exec $netns $ipt -t raw -D PREROUTING -i $iface \ + -m length ! --length 0:$CHK_SIZE -j ACCEPT +} + +do_netperf() { + local serip=$SERVER_IP4 + local netns=$1 + + [ "$NF" = "6" ] && serip=$SERVER_IP6 + ip net exec $netns netperf -$NF -t TCP_STREAM -H $serip 2>&1 >/dev/null +} + +do_test() { + local cli_tso=$1 + local gw_gro=$2 + local gw_tso=$3 + local ser_gro=$4 + local ret="PASS" + + ip net exec $CLIENT_NS ethtool -K link0 tso $cli_tso + ip net exec $ROUTER_NS ethtool -K link1 gro $gw_gro + ip net exec $ROUTER_NS ethtool -K link2 tso $gw_tso + ip net exec $SERVER_NS ethtool -K link3 gro $ser_gro + + start_counter link1 $ROUTER_NS + start_counter link3 $SERVER_NS + do_netperf $CLIENT_NS + + if check_counter link1 $ROUTER_NS; then + check_counter link3 $SERVER_NS || ret="FAIL_on_link3" + else + ret="FAIL_on_link1" + fi + + stop_counter link1 $ROUTER_NS + stop_counter link3 $SERVER_NS + printf "%-9s %-8s %-8s %-8s: [%s]\n" \ + $cli_tso $gw_gro $gw_tso $ser_gro $ret + test $ret = "PASS" +} + +testup() { + echo "CLI GSO | GW GRO | GW GSO | SER GRO" && \ + do_test "on" "on" "on" "on" && \ + do_test "on" "off" "on" "off" && \ + do_test "off" "on" "on" "on" && \ + do_test "on" "on" "off" "on" && \ + do_test "off" "on" "off" "on" +} + +if ! netperf -V &> /dev/null; then + echo "SKIP: Could not run test without netperf tool" + exit $ksft_skip +fi + +if ! 
ip link help 2>&1 | grep gso_ipv4_max_size &> /dev/null; then + echo "SKIP: Could not run test without gso/gro_ipv4_max_size supported in ip-link" + exit $ksft_skip +fi + +trap cleanup EXIT +setup && echo "Testing for BIG TCP:" && \ +NF=4 testup && echo "***v4 Tests Done***" && \ +NF=6 testup && echo "***v6 Tests Done***" +exit $?
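Review bot: in setup() and do_netperf() the redirection `2>&1 >/dev/null` is in the wrong order: it points stderr at the original stdout and only then sends stdout to /dev/null, so netserver and netperf error output still lands in the test log; use `>/dev/null 2>&1`. Two smaller points: net.ipv4.tcp_window_scaling is a boolean switch, so `=10` just enables it (the default is already enabled) and the value reads as if it selected a scale factor; and check_counter() expands an unquoted backtick result into `test`, so when grep matches no rule line the comparison becomes a `test` syntax error rather than a deliberate failure, which `test "$(...)" != "0"` would avoid.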