[PATCH] net: ipv6: Fixed up ipsec packet be re-routing issue

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] net: ipv6: Fixed up ipsec packet be re-routing issue
@ 2014-05-22  7:05 huizhang
  2014-05-22 12:21 ` Sergei Shtylyov
  2014-05-22 16:12 ` David Miller
  0 siblings, 2 replies; 6+ messages in thread
From: huizhang @ 2014-05-22  7:05 UTC (permalink / raw)
  To: netdev; +Cc: huizhang, alan, nickcave.zhang

From: Hui Zhang <huizhang@marvell.com>

    Bug report on https://bugzilla.kernel.org/show_bug.cgi?id=75781

    When a local output ipsec packet match the mangle table rule,
    and be set mark value, the packet will be route again in
    route_me_harder -> _session_decoder6

    In this case, the nhoff in CB of skb was still the default
    value 0. So the protocal match can't success and the packet can't match
    correct SA rule,and then the packet be send out in plaintext.

    To fixed up the issue. The CB->nhoff must be set.

Signed-off-by: huizhang <huizhang@marvell.com>
---
 net/ipv6/xfrm6_policy.c |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 5f8e128..869b68b 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -134,6 +134,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
 	const struct ipv6hdr *hdr = ipv6_hdr(skb);
 	struct ipv6_opt_hdr *exthdr;
 	const unsigned char *nh = skb_network_header(skb);
+	if(IP6CB(skb)->nhoff==0)
+		IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
 	u8 nexthdr = nh[IP6CB(skb)->nhoff];
 	int oif = 0;
 
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH] net: ipv6: Fixed up ipsec packet be re-routing issue
  2014-05-22  7:05 [PATCH] net: ipv6: Fixed up ipsec packet be re-routing issue huizhang
@ 2014-05-22 12:21 ` Sergei Shtylyov
  2014-05-22 16:12 ` David Miller
  1 sibling, 0 replies; 6+ messages in thread
From: Sergei Shtylyov @ 2014-05-22 12:21 UTC (permalink / raw)
  To: huizhang, netdev; +Cc: alan, nickcave.zhang

Hello.

On 22-05-2014 11:05, huizhang wrote:

> From: Hui Zhang <huizhang@marvell.com>

>      Bug report on https://bugzilla.kernel.org/show_bug.cgi?id=75781
>
>      When a local output ipsec packet match the mangle table rule,
>      and be set mark value, the packet will be route again in
>      route_me_harder -> _session_decoder6

>      In this case, the nhoff in CB of skb was still the default
>      value 0. So the protocal match can't success and the packet can't match
>      correct SA rule,and then the packet be send out in plaintext.

>      To fixed up the issue. The CB->nhoff must be set.

> Signed-off-by: huizhang <huizhang@marvell.com>

    Why not Hui Zhang, like in the From field?

> ---
>   net/ipv6/xfrm6_policy.c |    2 ++
>   1 file changed, 2 insertions(+)

> diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
> index 5f8e128..869b68b 100644
> --- a/net/ipv6/xfrm6_policy.c
> +++ b/net/ipv6/xfrm6_policy.c
> @@ -134,6 +134,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
>   	const struct ipv6hdr *hdr = ipv6_hdr(skb);
>   	struct ipv6_opt_hdr *exthdr;
>   	const unsigned char *nh = skb_network_header(skb);
> +	if(IP6CB(skb)->nhoff==0)

    Please, surround == with a space on each side.

WBR, Sergei

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] net: ipv6: Fixed up ipsec packet be re-routing issue
  2014-05-22  7:05 [PATCH] net: ipv6: Fixed up ipsec packet be re-routing issue huizhang
  2014-05-22 12:21 ` Sergei Shtylyov
@ 2014-05-22 16:12 ` David Miller
  2014-05-26  4:38   ` nickcave
  1 sibling, 1 reply; 6+ messages in thread
From: David Miller @ 2014-05-22 16:12 UTC (permalink / raw)
  To: huizhang; +Cc: netdev, alan, nickcave.zhang

From: huizhang <huizhang@marvell.com>
Date: Thu, 22 May 2014 15:05:46 +0800

> diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
> index 5f8e128..869b68b 100644
> --- a/net/ipv6/xfrm6_policy.c
> +++ b/net/ipv6/xfrm6_policy.c
> @@ -134,6 +134,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
>  	const struct ipv6hdr *hdr = ipv6_hdr(skb);
>  	struct ipv6_opt_hdr *exthdr;
>  	const unsigned char *nh = skb_network_header(skb);
> +	if(IP6CB(skb)->nhoff==0)
> +		IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
>  	u8 nexthdr = nh[IP6CB(skb)->nhoff];
>  	int oif = 0;

Never put actual statements in the middle of a series of variable
declarations.

Also, it would probably be better to do this assignment in
__ip_local_out().

That's the bug, we only set nhoff in the input paths, we need
to set it in the output paths too if reaching _decode_session6
is possible for output packets.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] net: ipv6: Fixed up ipsec packet be re-routing issue
  2014-05-22 16:12 ` David Miller
@ 2014-05-26  4:38   ` nickcave
  0 siblings, 0 replies; 6+ messages in thread
From: nickcave @ 2014-05-26  4:38 UTC (permalink / raw)
  To: David Miller; +Cc: huizhang, netdev, alan

2014-05-23 0:12 GMT+08:00 David Miller <davem@davemloft.net>:
> From: huizhang <huizhang@marvell.com>
> Date: Thu, 22 May 2014 15:05:46 +0800
>
>> diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
>> index 5f8e128..869b68b 100644
>> --- a/net/ipv6/xfrm6_policy.c
>> +++ b/net/ipv6/xfrm6_policy.c
>> @@ -134,6 +134,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
>>       const struct ipv6hdr *hdr = ipv6_hdr(skb);
>>       struct ipv6_opt_hdr *exthdr;
>>       const unsigned char *nh = skb_network_header(skb);
>> +     if(IP6CB(skb)->nhoff==0)
>> +             IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
>>       u8 nexthdr = nh[IP6CB(skb)->nhoff];
>>       int oif = 0;
>
> Never put actual statements in the middle of a series of variable
> declarations.
>
> Also, it would probably be better to do this assignment in
> __ip_local_out().
>
> That's the bug, we only set nhoff in the input paths, we need
> to set it in the output paths too if reaching _decode_session6
> is possible for output packets.

You are right,  __ip_local_out maybe a better place.I will submit another patch.

^ permalink raw reply	[flat|nested] 6+ messages in thread

* [PATCH] net: ipv6: Fixed up ipsec packet be re-routing issue
@ 2014-06-09  4:37 Hui Zhang
  2014-06-11  7:47 ` David Miller
  0 siblings, 1 reply; 6+ messages in thread
From: Hui Zhang @ 2014-06-09  4:37 UTC (permalink / raw)
  To: netdev; +Cc: alan, davem, sergei.shtylyov, nickcave.zhang, huizhang

Bug report on https://bugzilla.kernel.org/show_bug.cgi?id=75781

When a local output ipsec packet match the mangle table rule,
and be set mark value, the packet will be route again in
route_me_harder -> _session_decoder6

In this case, the nhoff in CB of skb was still the default
value 0. So the protocal match can't success and the packet can't match
correct SA rule,and then the packet be send out in plaintext.

To fixed up the issue. The CB->nhoff must be set.

Signed-off-by: Hui Zhang <huizhang@marvell.com>
---
 net/ipv6/output_core.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
index 827f795..589f6b9 100644
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -106,6 +106,7 @@ int __ip6_local_out(struct sk_buff *skb)
 	if (len > IPV6_MAXPLEN)
 		len = 0;
 	ipv6_hdr(skb)->payload_len = htons(len);
+	IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
 
 	return nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL,
 		       skb_dst(skb)->dev, dst_output);
-- 
1.7.9.5

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH] net: ipv6: Fixed up ipsec packet be re-routing issue
  2014-06-09  4:37 Hui Zhang
@ 2014-06-11  7:47 ` David Miller
  0 siblings, 0 replies; 6+ messages in thread
From: David Miller @ 2014-06-11  7:47 UTC (permalink / raw)
  To: huizhang; +Cc: netdev, alan, sergei.shtylyov, nickcave.zhang

From: Hui Zhang <huizhang@marvell.com>
Date: Mon, 9 Jun 2014 12:37:25 +0800

> Bug report on https://bugzilla.kernel.org/show_bug.cgi?id=75781
> 
> When a local output ipsec packet match the mangle table rule,
> and be set mark value, the packet will be route again in
> route_me_harder -> _session_decoder6
> 
> In this case, the nhoff in CB of skb was still the default
> value 0. So the protocal match can't success and the packet can't match
> correct SA rule,and then the packet be send out in plaintext.
> 
> To fixed up the issue. The CB->nhoff must be set.
> 
> Signed-off-by: Hui Zhang <huizhang@marvell.com>

Applied, thanks.

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2014-06-11  7:47 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-05-22  7:05 [PATCH] net: ipv6: Fixed up ipsec packet be re-routing issue huizhang
2014-05-22 12:21 ` Sergei Shtylyov
2014-05-22 16:12 ` David Miller
2014-05-26  4:38   ` nickcave
  -- strict thread matches above, loose matches on Subject: below --
2014-06-09  4:37 Hui Zhang
2014-06-11  7:47 ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).