Re: [PATCH v2] xfrm: fix inbound ipv4/udp/esp packets to UDPv6 dualstack sockets

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Simon Horman <simon.horman@corigine.com>
To: "Maciej Żenczykowski" <maze@google.com>
Cc: Linux Network Development Mailing List <netdev@vger.kernel.org>,
	Sabrina Dubroca <sd@queasysnail.net>,
	Steffen Klassert <steffen.klassert@secunet.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Benedict Wong <benedictwong@google.com>,
	Yan Yan <evitayan@google.com>
Subject: Re: [PATCH v2] xfrm: fix inbound ipv4/udp/esp packets to UDPv6 dualstack sockets
Date: Tue, 6 Jun 2023 11:30:07 +0200	[thread overview]
Message-ID: <ZH78nx72BdFUYPdM@corigine.com> (raw)
In-Reply-To: <CANP3RGfWATmOzb4=DXb=+K7iij4HPBp0Uq79r0NjxGyvAaKNgA@mail.gmail.com>

On Tue, Jun 06, 2023 at 06:38:04AM +0900, Maciej Żenczykowski wrote:
> On Mon, Jun 5, 2023 at 9:59 PM Simon Horman <simon.horman@corigine.com> wrote:
> > Hi Maciej,
> >
> > Does the opposite case also need to be handled in xfrm4_udp_encap_rcv()?
> 
> I believe the answer is no:
> - ipv4 (AF_INET) sockets only ever receive (native) ipv4 traffic.
> - ipv6 (AF_INET6) ipv6-only sockets only ever receive (native) ipv6 traffic.
> - ipv6 (AF_INET6) dualstack (ie. not ipv6-only) sockets can receive
> both (native) ipv4 and (native) ipv6 traffic.
> 
> Ipv6 dualstack sockets map the ipv4 address space into the IPv6
> "IPv4-mapped" range of ::ffff:0.0.0.0/96,
> ie. 1.2.3.4 -> ::ffff:1.2.3.4 aka ::ffff:0102:0304
> 
> Whether ipv6 sockets default to dualstack or not is controlled by a
> sysctl (net.ipv6.bindv6only - not entirely well named, it actually
> affects the socket() system call, and bind() only as a later
> consequence of that, it thus does also affect whether connect() to
> ipv4 mapped addresses works or not), but can also be toggled manually
> via IPV6_V6ONLY socket option.
> 
> Basically a dualstack ipv6 socket is a more-or-less drop-in
> replacement for ipv4 sockets (*entirely* so for TCP/UDP, and likely
> SCTP, DCCP & UDPLITE, though I think there might be some edge cases
> like ICMP sockets or RAW sockets that do need AF_INET - any such
> exceptions should probably be considered kernel bugs / missing
> features -> hence this patch).
> 
> ---
> 
> I believe we don't need to test the sk for:
>   !ipv6_only_sock(sk), ie. !sk->sk_ipv6only
> before we do the dispatch to the v4 code path,
> because if the socket is ipv6-only then there should [IMHO/AFAICT] be
> no way for ipv4 packets to arrive here in the first place.
> 
> ---
> 
> Note: I can guarantee the currently existing code is wrong,
> both because we've experimentally discovered AF_INET6 dualstack
> sockets don't work for v4,
> and because the code obviously tries to read payload length from the
> ipv6 header,
> which of course doesn't exist for skb->protocol ETH_P_IP packets.
> 
> However, I'm still not entirely sure this patch is 100% bug free...
> though it seems straightforward enough...

Thanks for the thorough explanation.
I'm happy with this patch.

Reviewed-by: Simon Horman <simon.horman@corigine.com>

> ---
> 
> I'll hold off on re-spinning for the ' -> " unless there's other comments.

Ack

next prev parent reply	other threads:[~2023-06-06  9:30 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-10-26  8:32 [PATCH] xfrm: fix inbound ipv4/udp/esp packets to UDPv6 dualstack sockets Maciej Żenczykowski
2022-10-26  8:42 ` Maciej Żenczykowski
2022-10-27  1:24   ` Jakub Kicinski
2022-10-27  1:52     ` Maciej Żenczykowski
2022-10-27  1:58       ` Jakub Kicinski
2022-10-27  4:47 ` kernel test robot
2023-06-05 11:06 ` [PATCH v2] " Maciej Żenczykowski
2023-06-05 12:59   ` Simon Horman
2023-06-05 21:38     ` Maciej Żenczykowski
2023-06-06  9:30       ` Simon Horman [this message]
2023-06-07  9:41       ` Steffen Klassert
2023-06-07 15:00       ` Sabrina Dubroca
2023-06-05 13:04   ` Simon Horman
2023-06-09  7:17   ` Steffen Klassert

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZH78nx72BdFUYPdM@corigine.com \
    --to=simon.horman@corigine.com \
    --cc=benedictwong@google.com \
    --cc=evitayan@google.com \
    --cc=kuba@kernel.org \
    --cc=maze@google.com \
    --cc=netdev@vger.kernel.org \
    --cc=sd@queasysnail.net \
    --cc=steffen.klassert@secunet.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.