* [PATCH net] ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels
@ 2024-03-15 12:25 Tobias Brunner
  2024-03-15 13:48 ` Nicolas Dichtel
  0 siblings, 1 reply; 4+ messages in thread
From: Tobias Brunner @ 2024-03-15 12:25 UTC (permalink / raw)
  To: David S. Miller, David Ahern; +Cc: netdev, Steffen Klassert, Herbert Xu

Since the referenced commit, the xfrm_inner_extract_output() function
uses the skb's protocol field to determine the address family.  So not
setting it for IPv4 raw sockets meant that such packets couldn't be
tunneled via IPsec anymore.

IPv6 raw sockets are not affected as they already set the protocol since
9c9c9ad5fae7 ("ipv6: set skb->protocol on tcp, raw and ip6_append_data
genereated skbs").

Fixes: 5f24f41e8ea6 ("xfrm: Remove inner/outer modes from input path")
Signed-off-by: Tobias Brunner <tobias@strongswan.org>
---
 net/ipv4/raw.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 42ac434cfcfa..322e389021c3 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -357,6 +357,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
 		goto error;
 	skb_reserve(skb, hlen);
 
+	skb->protocol = htons(ETH_P_IP);
 	skb->priority = READ_ONCE(sk->sk_priority);
 	skb->mark = sockc->mark;
 	skb->tstamp = sockc->transmit_time;
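Review bot: the added `skb->protocol = htons(ETH_P_IP);` line in raw_send_hdrinc() has no comment naming the consumer that depends on it, so a later cleanup could drop it as redundant. A one-line comment saying that xfrm_inner_extract_output() reads skb->protocol to pick the address family would protect it. The hunk also covers only this one IPv4 sender, so the commit message should state whether other IPv4 paths that can reach the xfrm output code already set the field before they get there.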
-- 
2.34.1



* Re: [PATCH net] ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels
  2024-03-15 12:25 [PATCH net] ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels Tobias Brunner
@ 2024-03-15 13:48 ` Nicolas Dichtel
  2024-03-15 14:31   ` Tobias Brunner
  0 siblings, 1 reply; 4+ messages in thread
From: Nicolas Dichtel @ 2024-03-15 13:48 UTC (permalink / raw)
  To: Tobias Brunner, David S. Miller, David Ahern
  Cc: netdev, Steffen Klassert, Herbert Xu

On 15/03/2024 at 13:25, Tobias Brunner wrote:
> Since the referenced commit, the xfrm_inner_extract_output() function
> uses the skb's protocol field to determine the address family.  So not
> setting it for IPv4 raw sockets meant that such packets couldn't be
> tunneled via IPsec anymore.
> 
> IPv6 raw sockets are not affected as they already set the protocol since
> 9c9c9ad5fae7 ("ipv6: set skb->protocol on tcp, raw and ip6_append_data
> genereated skbs").
> 
> Fixes: 5f24f41e8ea6 ("xfrm: Remove inner/outer modes from input path")

This is the input part, I presume you were thinking of the output part:
Fixes: f4796398f21b ("xfrm: Remove inner/outer modes from output path")


> Signed-off-by: Tobias Brunner <tobias@strongswan.org>
> ---
>  net/ipv4/raw.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
> index 42ac434cfcfa..322e389021c3 100644
> --- a/net/ipv4/raw.c
> +++ b/net/ipv4/raw.c
> @@ -357,6 +357,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
>  		goto error;
>  	skb_reserve(skb, hlen);
>  
> +	skb->protocol = htons(ETH_P_IP);
>  	skb->priority = READ_ONCE(sk->sk_priority);
>  	skb->mark = sockc->mark;
>  	skb->tstamp = sockc->transmit_time;

For !ipsec packets, dst_output()/ip_output() is called. This last function sets
skb->protocol to htons(ETH_P_IP).
What about doing the same in xfrm4_output() to avoid missing another path?


Regards,
Nicolas


* Re: [PATCH net] ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels
  2024-03-15 13:48 ` Nicolas Dichtel
@ 2024-03-15 14:31   ` Tobias Brunner
  2024-03-15 14:55     ` David Ahern
  0 siblings, 1 reply; 4+ messages in thread
From: Tobias Brunner @ 2024-03-15 14:31 UTC (permalink / raw)
  To: nicolas.dichtel, David S. Miller, David Ahern
  Cc: netdev, Steffen Klassert, Herbert Xu

>> Since the referenced commit, the xfrm_inner_extract_output() function
>> uses the skb's protocol field to determine the address family.  So not
>> setting it for IPv4 raw sockets meant that such packets couldn't be
>> tunneled via IPsec anymore.
>>
>> IPv6 raw sockets are not affected as they already set the protocol since
>> 9c9c9ad5fae7 ("ipv6: set skb->protocol on tcp, raw and ip6_append_data
>> genereated skbs").
>>
>> Fixes: 5f24f41e8ea6 ("xfrm: Remove inner/outer modes from input path")
>
> This is the input part, I presume you were thinking of the output part:
> Fixes: f4796398f21b ("xfrm: Remove inner/outer modes from output path")

Right, will fix.

>> Signed-off-by: Tobias Brunner <tobias@strongswan.org>
>> ---
>>  net/ipv4/raw.c | 1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
>> index 42ac434cfcfa..322e389021c3 100644
>> --- a/net/ipv4/raw.c
>> +++ b/net/ipv4/raw.c
>> @@ -357,6 +357,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
>>  		goto error;
>>  	skb_reserve(skb, hlen);
>>  
>> +	skb->protocol = htons(ETH_P_IP);
>>  	skb->priority = READ_ONCE(sk->sk_priority);
>>  	skb->mark = sockc->mark;
>>  	skb->tstamp = sockc->transmit_time;
> For !ipsec packets, dst_output()/ip_output() is called. This last function sets
> skb->protocol to htons(ETH_P_IP).
> What about doing the same in xfrm4_output() to avoid missing another path?

I took this approach because it worked and it aligns the code with the
IPv6 version.  Whether the code path would actually pass through the
function you mention before hitting the problematic one I don't know.

Regards,
Tobias



* Re: [PATCH net] ipv4: raw: Fix sending packets from raw sockets via IPsec tunnels
  2024-03-15 14:31   ` Tobias Brunner
@ 2024-03-15 14:55     ` David Ahern
  0 siblings, 0 replies; 4+ messages in thread
From: David Ahern @ 2024-03-15 14:55 UTC (permalink / raw)
  To: Tobias Brunner, nicolas.dichtel, David S. Miller
  Cc: netdev, Steffen Klassert, Herbert Xu

On 3/15/24 8:31 AM, Tobias Brunner wrote:
>>> diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
>>> index 42ac434cfcfa..322e389021c3 100644
>>> --- a/net/ipv4/raw.c
>>> +++ b/net/ipv4/raw.c
>>> @@ -357,6 +357,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
>>>  		goto error;
>>>  	skb_reserve(skb, hlen);
>>>  
>>> +	skb->protocol = htons(ETH_P_IP);
>>>  	skb->priority = READ_ONCE(sk->sk_priority);
>>>  	skb->mark = sockc->mark;
>>>  	skb->tstamp = sockc->transmit_time;
>> For !ipsec packets, dst_output()/ip_output() is called. This last function sets
>> skb->protocol to htons(ETH_P_IP).
>> What about doing the same in xfrm4_output() to avoid missing another path?
> 
> I took this approach because it worked and it aligns the code with the
> IPv6 version.

I agree with that; setting it in raw_send_hdrinc makes it consistent
across protocols.


Reviewed-by: David Ahern <dsahern@kernel.org>

