[PATCH 4.4] geneve: add transport ports in route lookup for geneve

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Pavel Machek <pavel@denx.de>
To: stable@vger.kernel.org, mark.d.gray@redhat.com, wens@csie.org,
	Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>,
	Greg Rose <gvrose8192@gmail.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4] geneve: add transport ports in route lookup for geneve
Date: Sun, 9 May 2021 10:27:55 +0200	[thread overview]
Message-ID: <20210509082755.GB25504@amd> (raw)

[-- Attachment #1: Type: text/plain, Size: 3382 bytes --]

From: Mark Gray <mark.d.gray@redhat.com>

[ Upstream commit 34beb21594519ce64a55a498c2fe7d567bc1ca20 ]

This patch adds transport ports information for route lookup so that
IPsec can select Geneve tunnel traffic to do encryption. This is
needed for OVS/OVN IPsec with encrypted Geneve tunnels.

This can be tested by configuring a host-host VPN using an IKE
daemon and specifying port numbers. For example, for an
Openswan-type configuration, the following parameters should be
configured on both hosts and IPsec set up as-per normal:

$ cat /etc/ipsec.conf

conn in
...
left=$IP1
right=$IP2
...
leftprotoport=udp/6081
rightprotoport=udp
...
conn out
...
left=$IP1
right=$IP2
...
leftprotoport=udp
rightprotoport=udp/6081
...

The tunnel can then be setup using "ip" on both hosts (but
changing the relevant IP addresses):

$ ip link add tun type geneve id 1000 remote $IP2
$ ip addr add 192.168.0.1/24 dev tun
$ ip link set tun up

This can then be tested by pinging from $IP1:

$ ping 192.168.0.2

Without this patch the traffic is unencrypted on the wire.

Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels")
Signed-off-by: Qiuyu Xiao <qiuyu.xiao.qyx@gmail.com>
Signed-off-by: Mark Gray <mark.d.gray@redhat.com>
Reviewed-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[backport to 4.4 for CVE-2020-25645]
Signed-off-by: Pavel Machek (CIP) <pavel@denx.de>
---
 drivers/net/geneve.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
index ee38299f9c57..aa00d71705c6 100644
--- a/drivers/net/geneve.c
+++ b/drivers/net/geneve.c
@@ -842,7 +842,7 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev,
 
 	sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
 	rt = geneve_get_v4_rt(skb, dev, &fl4, info,
-			      geneve->dst_port, sport);
+			      info->key.tp_dst, sport);
 	if (IS_ERR(rt)) {
 		err = PTR_ERR(rt);
 		goto tx_error;
@@ -925,7 +925,7 @@ static netdev_tx_t geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev,
 
 	sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true);
 	dst = geneve_get_v6_dst(skb, dev, &fl6, info,
-				geneve->dst_port, sport);
+				info->key.tp_dst, sport);
 	if (IS_ERR(dst)) {
 		err = PTR_ERR(dst);
 		goto tx_error;
@@ -1026,7 +1026,7 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb)
 					  1, USHRT_MAX, true);
 
 		rt = geneve_get_v4_rt(skb, dev, &fl4, info,
-				      geneve->dst_port, sport);
+				      info->key.tp_dst, sport);
 		if (IS_ERR(rt))
 			return PTR_ERR(rt);
 
@@ -1038,7 +1038,7 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb)
 					  1, USHRT_MAX, true);
 
 		dst = geneve_get_v6_dst(skb, dev, &fl6, info,
-					geneve->dst_port, sport);
+					info->key.tp_dst, sport);
 		if (IS_ERR(dst))
 			return PTR_ERR(dst);
 
-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany



----- End forwarded message -----

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

next             reply	other threads:[~2021-05-09  8:27 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-09  8:27 Pavel Machek [this message]
2021-05-10  7:51 ` [PATCH 4.4] geneve: add transport ports in route lookup for geneve Greg KH

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:ee38299f9c5 dfblob:aa00d71705c )
 OR (
bs:"[PATCH 4.4] geneve: add transport ports in route lookup for geneve" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210509082755.GB25504@amd \
    --to=pavel@denx.de \
    --cc=davem@davemloft.net \
    --cc=gvrose8192@gmail.com \
    --cc=mark.d.gray@redhat.com \
    --cc=qiuyu.xiao.qyx@gmail.com \
    --cc=stable@vger.kernel.org \
    --cc=wens@csie.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.