Re: [PATCH ipsec 2/2] xfrm: Log input direction mismatch error in one place

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Simon Horman <horms@kernel.org>
To: Antony Antony <antony.antony@secunet.com>
Cc: netdev@vger.kernel.org,
	Steffen Klassert <steffen.klassert@secunet.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Sabrina Dubroca <sd@queasysnail.net>
Subject: Re: [PATCH ipsec 2/2] xfrm: Log input direction mismatch error in one place
Date: Fri, 14 Jun 2024 13:10:17 +0100	[thread overview]
Message-ID: <20240614121017.GI8447@kernel.org> (raw)
In-Reply-To: <50e4e7fd0b978aaa4721f022a3d5737c377c8375.1718087437.git.antony.antony@secunet.com>

On Tue, Jun 11, 2024 at 08:32:15AM +0200, Antony Antony wrote:
> Previously, the offload data path decrypted the packet before checking
> the direction, leading to error logging and packet dropping. However,
> dropped packets wouldn't be visible in tcpdump or audit log.
> 
> With this fix, the offload path, upon noticing SA direction mismatch,
> will pass the packet to the stack without decrypting it. The L3 layer
> will then log the error, audit, and drop ESP without decrypting or
> decapsulating it.
> 
> This also ensures that the slow path records the error and audit log,
> making dropped packets visible in tcpdump.
> 
> Fixes: 304b44f0d5a4 ("xfrm: Add dir validation to "in" data path lookup")
> Signed-off-by: Antony Antony <antony.antony@secunet.com>

Thanks Antony,

The comment below notwithstanding, this looks good to me.
Reviewed-by: Simon Horman <horms@kernel.org>

> ---
>  net/ipv4/esp4_offload.c | 7 +++++++
>  net/ipv6/esp6_offload.c | 7 +++++++
>  net/xfrm/xfrm_input.c   | 5 -----
>  3 files changed, 14 insertions(+), 5 deletions(-)
> 
> diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
> index b3271957ad9a..3f28ecbdcaef 100644
> --- a/net/ipv4/esp4_offload.c
> +++ b/net/ipv4/esp4_offload.c
> @@ -56,6 +56,13 @@ static struct sk_buff *esp4_gro_receive(struct list_head *head,
>  		x = xfrm_state_lookup(dev_net(skb->dev), skb->mark,
>  				      (xfrm_address_t *)&ip_hdr(skb)->daddr,
>  				      spi, IPPROTO_ESP, AF_INET);
> +
> +		if (unlikely(x && x->dir && x->dir != XFRM_SA_DIR_IN)) {
> +			/* non-offload path will record the error and audit log */
> +			xfrm_state_put(x);
> +			x = NULL;
> +		}
> +
>  		if (!x)
>  			goto out_reset;
>  
> diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
> index 527b7caddbc6..919ebfabbe4e 100644
> --- a/net/ipv6/esp6_offload.c
> +++ b/net/ipv6/esp6_offload.c
> @@ -83,6 +83,13 @@ static struct sk_buff *esp6_gro_receive(struct list_head *head,
>  		x = xfrm_state_lookup(dev_net(skb->dev), skb->mark,
>  				      (xfrm_address_t *)&ipv6_hdr(skb)->daddr,
>  				      spi, IPPROTO_ESP, AF_INET6);
> +
> +		if (unlikely(x && x->dir && x->dir != XFRM_SA_DIR_IN)) {
> +			/* non-offload path will record the error and audit log */
> +			xfrm_state_put(x);
> +			x = NULL;
> +		}
> +
>  		if (!x)
>  			goto out_reset;
>  

The logic in the two hunks above seems to be duplicated.
FWIIW, I think it would be nice to consolidate it.

...

next prev parent reply	other threads:[~2024-06-14 12:10 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-06-11  6:31 [PATCH ipsec 1/2] xfrm: Fix input error path memory access Antony Antony
2024-06-11  6:32 ` [PATCH ipsec 2/2] xfrm: Log input direction mismatch error in one place Antony Antony
2024-06-14 12:10   ` Simon Horman [this message]
2024-06-18  7:47   ` Steffen Klassert
2024-06-14 12:10 ` [PATCH ipsec 1/2] xfrm: Fix input error path memory access Simon Horman
2024-06-18  7:44 ` Steffen Klassert

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240614121017.GI8447@kernel.org \
    --to=horms@kernel.org \
    --cc=antony.antony@secunet.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=sd@queasysnail.net \
    --cc=steffen.klassert@secunet.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.