* [PATCH net-next 1/8] ipv6: icmp6: add drop reason support to ndisc_recv_ns()
2023-02-16 16:28 [PATCH net-next 0/8] ipv6: icmp6: better drop reason support Eric Dumazet
@ 2023-02-16 16:28 ` Eric Dumazet
2023-02-16 16:28 ` [PATCH net-next 2/8] ipv6: icmp6: add drop reason support to ndisc_recv_na() Eric Dumazet
` (7 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Eric Dumazet @ 2023-02-16 16:28 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski, Paolo Abeni
Cc: David Ahern, netdev, eric.dumazet, Eric Dumazet
Change ndisc_recv_ns() to return a drop reason.
For the moment, return PKT_TOO_SMALL, NOT_SPECIFIED
or SKB_CONSUMED.
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
net/ipv6/ndisc.c | 34 ++++++++++++++++++----------------
1 file changed, 18 insertions(+), 16 deletions(-)
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 9548b5a44714f98975a8b7194bc81cbb0f72697f..039722f83c668ad59eb63ffde98e18ad8947bdcc 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -783,7 +783,7 @@ void ndisc_update(const struct net_device *dev, struct neighbour *neigh,
ndisc_ops_update(dev, neigh, flags, icmp6_type, ndopts);
}
-static void ndisc_recv_ns(struct sk_buff *skb)
+static enum skb_drop_reason ndisc_recv_ns(struct sk_buff *skb)
{
struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
const struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
@@ -797,18 +797,17 @@ static void ndisc_recv_ns(struct sk_buff *skb)
struct inet6_dev *idev = NULL;
struct neighbour *neigh;
int dad = ipv6_addr_any(saddr);
- bool inc;
int is_router = -1;
+ SKB_DR(reason);
u64 nonce = 0;
+ bool inc;
- if (skb->len < sizeof(struct nd_msg)) {
- ND_PRINTK(2, warn, "NS: packet too short\n");
- return;
- }
+ if (skb->len < sizeof(struct nd_msg))
+ return SKB_DROP_REASON_PKT_TOO_SMALL;
if (ipv6_addr_is_multicast(&msg->target)) {
ND_PRINTK(2, warn, "NS: multicast target address\n");
- return;
+ return reason;
}
/*
@@ -817,12 +816,12 @@ static void ndisc_recv_ns(struct sk_buff *skb)
*/
if (dad && !ipv6_addr_is_solict_mult(daddr)) {
ND_PRINTK(2, warn, "NS: bad DAD packet (wrong destination)\n");
- return;
+ return reason;
}
if (!ndisc_parse_options(dev, msg->opt, ndoptlen, &ndopts)) {
ND_PRINTK(2, warn, "NS: invalid ND options\n");
- return;
+ return reason;
}
if (ndopts.nd_opts_src_lladdr) {
@@ -830,7 +829,7 @@ static void ndisc_recv_ns(struct sk_buff *skb)
if (!lladdr) {
ND_PRINTK(2, warn,
"NS: invalid link-layer address length\n");
- return;
+ return reason;
}
/* RFC2461 7.1.1:
@@ -841,7 +840,7 @@ static void ndisc_recv_ns(struct sk_buff *skb)
if (dad) {
ND_PRINTK(2, warn,
"NS: bad DAD packet (link-layer address option)\n");
- return;
+ return reason;
}
}
if (ndopts.nd_opts_nonce && ndopts.nd_opts_nonce->nd_opt_len == 1)
@@ -869,7 +868,7 @@ static void ndisc_recv_ns(struct sk_buff *skb)
* so fail our DAD process
*/
addrconf_dad_failure(skb, ifp);
- return;
+ return reason;
} else {
/*
* This is not a dad solicitation.
@@ -901,7 +900,7 @@ static void ndisc_recv_ns(struct sk_buff *skb)
idev = in6_dev_get(dev);
if (!idev) {
/* XXX: count this drop? */
- return;
+ return reason;
}
if (ipv6_chk_acast_addr(net, dev, &msg->target) ||
@@ -958,6 +957,7 @@ static void ndisc_recv_ns(struct sk_buff *skb)
true, (ifp != NULL && inc), inc);
if (neigh)
neigh_release(neigh);
+ reason = SKB_CONSUMED;
}
out:
@@ -965,6 +965,7 @@ static void ndisc_recv_ns(struct sk_buff *skb)
in6_ifa_put(ifp);
else
in6_dev_put(idev);
+ return reason;
}
static int accept_untracked_na(struct net_device *dev, struct in6_addr *saddr)
@@ -1781,8 +1782,9 @@ void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
static void pndisc_redo(struct sk_buff *skb)
{
- ndisc_recv_ns(skb);
- kfree_skb(skb);
+ enum skb_drop_reason reason = ndisc_recv_ns(skb);
+
+ kfree_skb_reason(skb, reason);
}
static int ndisc_is_multicast(const void *pkey)
@@ -1834,7 +1836,7 @@ enum skb_drop_reason ndisc_rcv(struct sk_buff *skb)
switch (msg->icmph.icmp6_type) {
case NDISC_NEIGHBOUR_SOLICITATION:
memset(NEIGH_CB(skb), 0, sizeof(struct neighbour_cb));
- ndisc_recv_ns(skb);
+ reason = ndisc_recv_ns(skb);
break;
case NDISC_NEIGHBOUR_ADVERTISEMENT:
--
2.39.1.581.gbfd45094c4-goog
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH net-next 2/8] ipv6: icmp6: add drop reason support to ndisc_recv_na()
2023-02-16 16:28 [PATCH net-next 0/8] ipv6: icmp6: better drop reason support Eric Dumazet
2023-02-16 16:28 ` [PATCH net-next 1/8] ipv6: icmp6: add drop reason support to ndisc_recv_ns() Eric Dumazet
@ 2023-02-16 16:28 ` Eric Dumazet
2023-02-16 16:28 ` [PATCH net-next 3/8] ipv6: icmp6: add drop reason support to ndisc_recv_rs() Eric Dumazet
` (6 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Eric Dumazet @ 2023-02-16 16:28 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski, Paolo Abeni
Cc: David Ahern, netdev, eric.dumazet, Eric Dumazet
Change ndisc_recv_na() to return a drop reason.
For the moment, return PKT_TOO_SMALL, NOT_SPECIFIED
or SKB_CONSUMED. More reasons are added later.
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
net/ipv6/ndisc.c | 28 ++++++++++++++--------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 039722f83c668ad59eb63ffde98e18ad8947bdcc..9354cb3669c814166fb3d07b32097f0b00ef42f8 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -987,7 +987,7 @@ static int accept_untracked_na(struct net_device *dev, struct in6_addr *saddr)
}
}
-static void ndisc_recv_na(struct sk_buff *skb)
+static enum skb_drop_reason ndisc_recv_na(struct sk_buff *skb)
{
struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
@@ -1000,22 +1000,21 @@ static void ndisc_recv_na(struct sk_buff *skb)
struct inet6_dev *idev = __in6_dev_get(dev);
struct inet6_ifaddr *ifp;
struct neighbour *neigh;
+ SKB_DR(reason);
u8 new_state;
- if (skb->len < sizeof(struct nd_msg)) {
- ND_PRINTK(2, warn, "NA: packet too short\n");
- return;
- }
+ if (skb->len < sizeof(struct nd_msg))
+ return SKB_DROP_REASON_PKT_TOO_SMALL;
if (ipv6_addr_is_multicast(&msg->target)) {
ND_PRINTK(2, warn, "NA: target address is multicast\n");
- return;
+ return reason;
}
if (ipv6_addr_is_multicast(daddr) &&
msg->icmph.icmp6_solicited) {
ND_PRINTK(2, warn, "NA: solicited NA is multicasted\n");
- return;
+ return reason;
}
/* For some 802.11 wireless deployments (and possibly other networks),
@@ -1025,18 +1024,18 @@ static void ndisc_recv_na(struct sk_buff *skb)
*/
if (!msg->icmph.icmp6_solicited && idev &&
idev->cnf.drop_unsolicited_na)
- return;
+ return reason;
if (!ndisc_parse_options(dev, msg->opt, ndoptlen, &ndopts)) {
ND_PRINTK(2, warn, "NS: invalid ND option\n");
- return;
+ return reason;
}
if (ndopts.nd_opts_tgt_lladdr) {
lladdr = ndisc_opt_addr_data(ndopts.nd_opts_tgt_lladdr, dev);
if (!lladdr) {
ND_PRINTK(2, warn,
"NA: invalid link-layer address length\n");
- return;
+ return reason;
}
}
ifp = ipv6_get_ifaddr(dev_net(dev), &msg->target, dev, 1);
@@ -1044,7 +1043,7 @@ static void ndisc_recv_na(struct sk_buff *skb)
if (skb->pkt_type != PACKET_LOOPBACK
&& (ifp->flags & IFA_F_TENTATIVE)) {
addrconf_dad_failure(skb, ifp);
- return;
+ return reason;
}
/* What should we make now? The advertisement
is invalid, but ndisc specs say nothing
@@ -1060,7 +1059,7 @@ static void ndisc_recv_na(struct sk_buff *skb)
"NA: %pM advertised our address %pI6c on %s!\n",
eth_hdr(skb)->h_source, &ifp->addr, ifp->idev->dev->name);
in6_ifa_put(ifp);
- return;
+ return reason;
}
neigh = neigh_lookup(&nd_tbl, &msg->target, dev);
@@ -1121,10 +1120,11 @@ static void ndisc_recv_na(struct sk_buff *skb)
*/
rt6_clean_tohost(dev_net(dev), saddr);
}
-
+ reason = SKB_CONSUMED;
out:
neigh_release(neigh);
}
+ return reason;
}
static void ndisc_recv_rs(struct sk_buff *skb)
@@ -1840,7 +1840,7 @@ enum skb_drop_reason ndisc_rcv(struct sk_buff *skb)
break;
case NDISC_NEIGHBOUR_ADVERTISEMENT:
- ndisc_recv_na(skb);
+ reason = ndisc_recv_na(skb);
break;
case NDISC_ROUTER_SOLICITATION:
--
2.39.1.581.gbfd45094c4-goog
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH net-next 3/8] ipv6: icmp6: add drop reason support to ndisc_recv_rs()
2023-02-16 16:28 [PATCH net-next 0/8] ipv6: icmp6: better drop reason support Eric Dumazet
2023-02-16 16:28 ` [PATCH net-next 1/8] ipv6: icmp6: add drop reason support to ndisc_recv_ns() Eric Dumazet
2023-02-16 16:28 ` [PATCH net-next 2/8] ipv6: icmp6: add drop reason support to ndisc_recv_na() Eric Dumazet
@ 2023-02-16 16:28 ` Eric Dumazet
2023-02-16 16:28 ` [PATCH net-next 4/8] ipv6: icmp6: add drop reason support to ndisc_router_discovery() Eric Dumazet
` (5 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Eric Dumazet @ 2023-02-16 16:28 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski, Paolo Abeni
Cc: David Ahern, netdev, eric.dumazet, Eric Dumazet
Change ndisc_recv_rs() to return a drop reason.
For the moment, return PKT_TOO_SMALL, NOT_SPECIFIED
or SKB_CONSUMED. More reasons are added later.
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
net/ipv6/ndisc.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 9354cb3669c814166fb3d07b32097f0b00ef42f8..514eb8cc78792445dedead3cf0b49df696ce2785 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1127,7 +1127,7 @@ static enum skb_drop_reason ndisc_recv_na(struct sk_buff *skb)
return reason;
}
-static void ndisc_recv_rs(struct sk_buff *skb)
+static enum skb_drop_reason ndisc_recv_rs(struct sk_buff *skb)
{
struct rs_msg *rs_msg = (struct rs_msg *)skb_transport_header(skb);
unsigned long ndoptlen = skb->len - sizeof(*rs_msg);
@@ -1136,14 +1136,15 @@ static void ndisc_recv_rs(struct sk_buff *skb)
const struct in6_addr *saddr = &ipv6_hdr(skb)->saddr;
struct ndisc_options ndopts;
u8 *lladdr = NULL;
+ SKB_DR(reason);
if (skb->len < sizeof(*rs_msg))
- return;
+ return SKB_DROP_REASON_PKT_TOO_SMALL;
idev = __in6_dev_get(skb->dev);
if (!idev) {
ND_PRINTK(1, err, "RS: can't find in6 device\n");
- return;
+ return reason;
}
/* Don't accept RS if we're not in router mode */
@@ -1178,9 +1179,10 @@ static void ndisc_recv_rs(struct sk_buff *skb)
NEIGH_UPDATE_F_OVERRIDE_ISROUTER,
NDISC_ROUTER_SOLICITATION, &ndopts);
neigh_release(neigh);
+ reason = SKB_CONSUMED;
}
out:
- return;
+ return reason;
}
static void ndisc_ra_useropt(struct sk_buff *ra, struct nd_opt_hdr *opt)
@@ -1844,7 +1846,7 @@ enum skb_drop_reason ndisc_rcv(struct sk_buff *skb)
break;
case NDISC_ROUTER_SOLICITATION:
- ndisc_recv_rs(skb);
+ reason = ndisc_recv_rs(skb);
break;
case NDISC_ROUTER_ADVERTISEMENT:
--
2.39.1.581.gbfd45094c4-goog
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH net-next 4/8] ipv6: icmp6: add drop reason support to ndisc_router_discovery()
2023-02-16 16:28 [PATCH net-next 0/8] ipv6: icmp6: better drop reason support Eric Dumazet
` (2 preceding siblings ...)
2023-02-16 16:28 ` [PATCH net-next 3/8] ipv6: icmp6: add drop reason support to ndisc_recv_rs() Eric Dumazet
@ 2023-02-16 16:28 ` Eric Dumazet
2023-02-16 16:28 ` [PATCH net-next 5/8] ipv6: icmp6: add drop reason support to ndisc_redirect_rcv() Eric Dumazet
` (4 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Eric Dumazet @ 2023-02-16 16:28 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski, Paolo Abeni
Cc: David Ahern, netdev, eric.dumazet, Eric Dumazet
Change ndisc_router_discovery() to return a drop reason.
For the moment, return PKT_TOO_SMALL, NOT_SPECIFIED
and SKB_CONSUMED.
More reasons are added later.
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
net/ipv6/ndisc.c | 37 +++++++++++++++++++------------------
1 file changed, 19 insertions(+), 18 deletions(-)
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 514eb8cc78792445dedead3cf0b49df696ce2785..7c8ba308ea4979f46cb22d0132b559278b927a5f 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1231,20 +1231,21 @@ static void ndisc_ra_useropt(struct sk_buff *ra, struct nd_opt_hdr *opt)
rtnl_set_sk_err(net, RTNLGRP_ND_USEROPT, err);
}
-static void ndisc_router_discovery(struct sk_buff *skb)
+static enum skb_drop_reason ndisc_router_discovery(struct sk_buff *skb)
{
struct ra_msg *ra_msg = (struct ra_msg *)skb_transport_header(skb);
+ bool send_ifinfo_notify = false;
struct neighbour *neigh = NULL;
- struct inet6_dev *in6_dev;
+ struct ndisc_options ndopts;
struct fib6_info *rt = NULL;
+ struct inet6_dev *in6_dev;
u32 defrtr_usr_metric;
+ unsigned int pref = 0;
+ __u32 old_if_flags;
struct net *net;
+ SKB_DR(reason);
int lifetime;
- struct ndisc_options ndopts;
int optlen;
- unsigned int pref = 0;
- __u32 old_if_flags;
- bool send_ifinfo_notify = false;
__u8 *opt = (__u8 *)(ra_msg + 1);
@@ -1256,17 +1257,15 @@ static void ndisc_router_discovery(struct sk_buff *skb)
__func__, skb->dev->name);
if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL)) {
ND_PRINTK(2, warn, "RA: source address is not link-local\n");
- return;
- }
- if (optlen < 0) {
- ND_PRINTK(2, warn, "RA: packet too short\n");
- return;
+ return reason;
}
+ if (optlen < 0)
+ return SKB_DROP_REASON_PKT_TOO_SMALL;
#ifdef CONFIG_IPV6_NDISC_NODETYPE
if (skb->ndisc_nodetype == NDISC_NODETYPE_HOST) {
ND_PRINTK(2, warn, "RA: from host or unauthorized router\n");
- return;
+ return reason;
}
#endif
@@ -1278,12 +1277,12 @@ static void ndisc_router_discovery(struct sk_buff *skb)
if (!in6_dev) {
ND_PRINTK(0, err, "RA: can't find inet6 device for %s\n",
skb->dev->name);
- return;
+ return reason;
}
if (!ndisc_parse_options(skb->dev, opt, optlen, &ndopts)) {
ND_PRINTK(2, warn, "RA: invalid ND options\n");
- return;
+ return reason;
}
if (!ipv6_accept_ra(in6_dev)) {
@@ -1365,7 +1364,7 @@ static void ndisc_router_discovery(struct sk_buff *skb)
"RA: %s got default router without neighbour\n",
__func__);
fib6_info_release(rt);
- return;
+ return reason;
}
}
/* Set default route metric as specified by user */
@@ -1390,7 +1389,7 @@ static void ndisc_router_discovery(struct sk_buff *skb)
ND_PRINTK(0, err,
"RA: %s failed to add default route\n",
__func__);
- return;
+ return reason;
}
neigh = ip6_neigh_lookup(&rt->fib6_nh->fib_nh_gw6,
@@ -1401,7 +1400,7 @@ static void ndisc_router_discovery(struct sk_buff *skb)
"RA: %s got default router without neighbour\n",
__func__);
fib6_info_release(rt);
- return;
+ return reason;
}
neigh->flags |= NTF_ROUTER;
} else if (rt && IPV6_EXTRACT_PREF(rt->fib6_flags) != pref) {
@@ -1488,6 +1487,7 @@ static void ndisc_router_discovery(struct sk_buff *skb)
NEIGH_UPDATE_F_OVERRIDE_ISROUTER|
NEIGH_UPDATE_F_ISROUTER,
NDISC_ROUTER_ADVERTISEMENT, &ndopts);
+ reason = SKB_CONSUMED;
}
if (!ipv6_accept_ra(in6_dev)) {
@@ -1598,6 +1598,7 @@ static void ndisc_router_discovery(struct sk_buff *skb)
fib6_info_release(rt);
if (neigh)
neigh_release(neigh);
+ return reason;
}
static void ndisc_redirect_rcv(struct sk_buff *skb)
@@ -1850,7 +1851,7 @@ enum skb_drop_reason ndisc_rcv(struct sk_buff *skb)
break;
case NDISC_ROUTER_ADVERTISEMENT:
- ndisc_router_discovery(skb);
+ reason = ndisc_router_discovery(skb);
break;
case NDISC_REDIRECT:
--
2.39.1.581.gbfd45094c4-goog
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH net-next 5/8] ipv6: icmp6: add drop reason support to ndisc_redirect_rcv()
2023-02-16 16:28 [PATCH net-next 0/8] ipv6: icmp6: better drop reason support Eric Dumazet
` (3 preceding siblings ...)
2023-02-16 16:28 ` [PATCH net-next 4/8] ipv6: icmp6: add drop reason support to ndisc_router_discovery() Eric Dumazet
@ 2023-02-16 16:28 ` Eric Dumazet
2023-02-16 16:28 ` [PATCH net-next 6/8] ipv6: icmp6: add SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS Eric Dumazet
` (3 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Eric Dumazet @ 2023-02-16 16:28 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski, Paolo Abeni
Cc: David Ahern, netdev, eric.dumazet, Eric Dumazet
Change ndisc_redirect_rcv() to return a drop reason.
For the moment, return PKT_TOO_SMALL, NOT_SPECIFIED
and values from icmpv6_notify().
More reasons are added later.
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
net/ipv6/ndisc.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 7c8ba308ea4979f46cb22d0132b559278b927a5f..e9776aa6f1675e35273df16e40745779b91d117e 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1601,13 +1601,14 @@ static enum skb_drop_reason ndisc_router_discovery(struct sk_buff *skb)
return reason;
}
-static void ndisc_redirect_rcv(struct sk_buff *skb)
+static enum skb_drop_reason ndisc_redirect_rcv(struct sk_buff *skb)
{
- u8 *hdr;
- struct ndisc_options ndopts;
struct rd_msg *msg = (struct rd_msg *)skb_transport_header(skb);
u32 ndoptlen = skb_tail_pointer(skb) - (skb_transport_header(skb) +
offsetof(struct rd_msg, opt));
+ struct ndisc_options ndopts;
+ SKB_DR(reason);
+ u8 *hdr;
#ifdef CONFIG_IPV6_NDISC_NODETYPE
switch (skb->ndisc_nodetype) {
@@ -1615,31 +1616,31 @@ static void ndisc_redirect_rcv(struct sk_buff *skb)
case NDISC_NODETYPE_NODEFAULT:
ND_PRINTK(2, warn,
"Redirect: from host or unauthorized router\n");
- return;
+ return reason;
}
#endif
if (!(ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL)) {
ND_PRINTK(2, warn,
"Redirect: source address is not link-local\n");
- return;
+ return reason;
}
if (!ndisc_parse_options(skb->dev, msg->opt, ndoptlen, &ndopts))
- return;
+ return reason;
if (!ndopts.nd_opts_rh) {
ip6_redirect_no_header(skb, dev_net(skb->dev),
skb->dev->ifindex);
- return;
+ return reason;
}
hdr = (u8 *)ndopts.nd_opts_rh;
hdr += 8;
if (!pskb_pull(skb, hdr - skb_transport_header(skb)))
- return;
+ return SKB_DROP_REASON_PKT_TOO_SMALL;
- icmpv6_notify(skb, NDISC_REDIRECT, 0, 0);
+ return icmpv6_notify(skb, NDISC_REDIRECT, 0, 0);
}
static void ndisc_fill_redirect_hdr_option(struct sk_buff *skb,
@@ -1855,7 +1856,7 @@ enum skb_drop_reason ndisc_rcv(struct sk_buff *skb)
break;
case NDISC_REDIRECT:
- ndisc_redirect_rcv(skb);
+ reason = ndisc_redirect_rcv(skb);
break;
}
--
2.39.1.581.gbfd45094c4-goog
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH net-next 6/8] ipv6: icmp6: add SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS
2023-02-16 16:28 [PATCH net-next 0/8] ipv6: icmp6: better drop reason support Eric Dumazet
` (4 preceding siblings ...)
2023-02-16 16:28 ` [PATCH net-next 5/8] ipv6: icmp6: add drop reason support to ndisc_redirect_rcv() Eric Dumazet
@ 2023-02-16 16:28 ` Eric Dumazet
2023-02-16 16:28 ` [PATCH net-next 7/8] ipv6: icmp6: add SKB_DROP_REASON_IPV6_NDISC_NS_OTHERHOST Eric Dumazet
` (2 subsequent siblings)
8 siblings, 0 replies; 10+ messages in thread
From: Eric Dumazet @ 2023-02-16 16:28 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski, Paolo Abeni
Cc: David Ahern, netdev, eric.dumazet, Eric Dumazet
This is a generic drop reason for any error detected
in ndisc_parse_options().
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
include/net/dropreason.h | 3 +++
net/ipv6/ndisc.c | 27 ++++++++++-----------------
2 files changed, 13 insertions(+), 17 deletions(-)
diff --git a/include/net/dropreason.h b/include/net/dropreason.h
index ef3f65d135d375920e88759890947ed0f6e87e10..239a5c0ea83eb6053df55f1ea113f3005ec050b0 100644
--- a/include/net/dropreason.h
+++ b/include/net/dropreason.h
@@ -76,6 +76,7 @@
FN(IPV6_NDISC_FRAG) \
FN(IPV6_NDISC_HOP_LIMIT) \
FN(IPV6_NDISC_BAD_CODE) \
+ FN(IPV6_NDISC_BAD_OPTIONS) \
FNe(MAX)
/**
@@ -330,6 +331,8 @@ enum skb_drop_reason {
SKB_DROP_REASON_IPV6_NDISC_HOP_LIMIT,
/** @SKB_DROP_REASON_IPV6_NDISC_BAD_CODE: invalid NDISC icmp6 code. */
SKB_DROP_REASON_IPV6_NDISC_BAD_CODE,
+ /** @SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS: invalid NDISC options. */
+ SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS,
/**
* @SKB_DROP_REASON_MAX: the maximum of drop reason, which shouldn't be
* used as a real 'reason'
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index e9776aa6f1675e35273df16e40745779b91d117e..b47e845d66eb8533e2334915fe6f05bed6f84764 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -819,10 +819,8 @@ static enum skb_drop_reason ndisc_recv_ns(struct sk_buff *skb)
return reason;
}
- if (!ndisc_parse_options(dev, msg->opt, ndoptlen, &ndopts)) {
- ND_PRINTK(2, warn, "NS: invalid ND options\n");
- return reason;
- }
+ if (!ndisc_parse_options(dev, msg->opt, ndoptlen, &ndopts))
+ return SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS;
if (ndopts.nd_opts_src_lladdr) {
lladdr = ndisc_opt_addr_data(ndopts.nd_opts_src_lladdr, dev);
@@ -1026,10 +1024,9 @@ static enum skb_drop_reason ndisc_recv_na(struct sk_buff *skb)
idev->cnf.drop_unsolicited_na)
return reason;
- if (!ndisc_parse_options(dev, msg->opt, ndoptlen, &ndopts)) {
- ND_PRINTK(2, warn, "NS: invalid ND option\n");
- return reason;
- }
+ if (!ndisc_parse_options(dev, msg->opt, ndoptlen, &ndopts))
+ return SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS;
+
if (ndopts.nd_opts_tgt_lladdr) {
lladdr = ndisc_opt_addr_data(ndopts.nd_opts_tgt_lladdr, dev);
if (!lladdr) {
@@ -1159,10 +1156,8 @@ static enum skb_drop_reason ndisc_recv_rs(struct sk_buff *skb)
goto out;
/* Parse ND options */
- if (!ndisc_parse_options(skb->dev, rs_msg->opt, ndoptlen, &ndopts)) {
- ND_PRINTK(2, notice, "NS: invalid ND option, ignored\n");
- goto out;
- }
+ if (!ndisc_parse_options(skb->dev, rs_msg->opt, ndoptlen, &ndopts))
+ return SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS;
if (ndopts.nd_opts_src_lladdr) {
lladdr = ndisc_opt_addr_data(ndopts.nd_opts_src_lladdr,
@@ -1280,10 +1275,8 @@ static enum skb_drop_reason ndisc_router_discovery(struct sk_buff *skb)
return reason;
}
- if (!ndisc_parse_options(skb->dev, opt, optlen, &ndopts)) {
- ND_PRINTK(2, warn, "RA: invalid ND options\n");
- return reason;
- }
+ if (!ndisc_parse_options(skb->dev, opt, optlen, &ndopts))
+ return SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS;
if (!ipv6_accept_ra(in6_dev)) {
ND_PRINTK(2, info,
@@ -1627,7 +1620,7 @@ static enum skb_drop_reason ndisc_redirect_rcv(struct sk_buff *skb)
}
if (!ndisc_parse_options(skb->dev, msg->opt, ndoptlen, &ndopts))
- return reason;
+ return SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS;
if (!ndopts.nd_opts_rh) {
ip6_redirect_no_header(skb, dev_net(skb->dev),
--
2.39.1.581.gbfd45094c4-goog
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH net-next 7/8] ipv6: icmp6: add SKB_DROP_REASON_IPV6_NDISC_NS_OTHERHOST
2023-02-16 16:28 [PATCH net-next 0/8] ipv6: icmp6: better drop reason support Eric Dumazet
` (5 preceding siblings ...)
2023-02-16 16:28 ` [PATCH net-next 6/8] ipv6: icmp6: add SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS Eric Dumazet
@ 2023-02-16 16:28 ` Eric Dumazet
2023-02-16 16:28 ` [PATCH net-next 8/8] ipv6: icmp6: add drop reason support to icmpv6_echo_reply() Eric Dumazet
2023-02-20 9:00 ` [PATCH net-next 0/8] ipv6: icmp6: better drop reason support patchwork-bot+netdevbpf
8 siblings, 0 replies; 10+ messages in thread
From: Eric Dumazet @ 2023-02-16 16:28 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski, Paolo Abeni
Cc: David Ahern, netdev, eric.dumazet, Eric Dumazet
Hosts can often receive neighbour discovery messages
that are not for them.
Use a dedicated drop reason to make clear the packet is dropped
for this normal case.
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
include/net/dropreason.h | 5 +++++
net/ipv6/ndisc.c | 4 +++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/include/net/dropreason.h b/include/net/dropreason.h
index 239a5c0ea83eb6053df55f1ea113f3005ec050b0..c0a3ea806cd5bf3045efd568cafb227dab7f2d3d 100644
--- a/include/net/dropreason.h
+++ b/include/net/dropreason.h
@@ -77,6 +77,7 @@
FN(IPV6_NDISC_HOP_LIMIT) \
FN(IPV6_NDISC_BAD_CODE) \
FN(IPV6_NDISC_BAD_OPTIONS) \
+ FN(IPV6_NDISC_NS_OTHERHOST) \
FNe(MAX)
/**
@@ -333,6 +334,10 @@ enum skb_drop_reason {
SKB_DROP_REASON_IPV6_NDISC_BAD_CODE,
/** @SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS: invalid NDISC options. */
SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS,
+ /** @SKB_DROP_REASON_IPV6_NDISC_NS_OTHERHOST: NEIGHBOUR SOLICITATION
+ * for another host.
+ */
+ SKB_DROP_REASON_IPV6_NDISC_NS_OTHERHOST,
/**
* @SKB_DROP_REASON_MAX: the maximum of drop reason, which shouldn't be
* used as a real 'reason'
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index b47e845d66eb8533e2334915fe6f05bed6f84764..c4be62c99f7371a55e56f4489f822d9c11b007f5 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -921,8 +921,10 @@ static enum skb_drop_reason ndisc_recv_ns(struct sk_buff *skb)
pneigh_enqueue(&nd_tbl, idev->nd_parms, n);
goto out;
}
- } else
+ } else {
+ SKB_DR_SET(reason, IPV6_NDISC_NS_OTHERHOST);
goto out;
+ }
}
if (is_router < 0)
--
2.39.1.581.gbfd45094c4-goog
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH net-next 8/8] ipv6: icmp6: add drop reason support to icmpv6_echo_reply()
2023-02-16 16:28 [PATCH net-next 0/8] ipv6: icmp6: better drop reason support Eric Dumazet
` (6 preceding siblings ...)
2023-02-16 16:28 ` [PATCH net-next 7/8] ipv6: icmp6: add SKB_DROP_REASON_IPV6_NDISC_NS_OTHERHOST Eric Dumazet
@ 2023-02-16 16:28 ` Eric Dumazet
2023-02-20 9:00 ` [PATCH net-next 0/8] ipv6: icmp6: better drop reason support patchwork-bot+netdevbpf
8 siblings, 0 replies; 10+ messages in thread
From: Eric Dumazet @ 2023-02-16 16:28 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski, Paolo Abeni
Cc: David Ahern, netdev, eric.dumazet, Eric Dumazet
Change icmpv6_echo_reply() to return a drop reason.
For the moment, return NOT_SPECIFIED or SKB_CONSUMED.
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
net/ipv6/icmp.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index f32bc98155bfb027dd3328eefd4a26a1d067c013..1f53f2a74480c0b8433204b567e7f98ad1216ad6 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -705,7 +705,7 @@ int ip6_err_gen_icmpv6_unreach(struct sk_buff *skb, int nhs, int type,
}
EXPORT_SYMBOL(ip6_err_gen_icmpv6_unreach);
-static void icmpv6_echo_reply(struct sk_buff *skb)
+static enum skb_drop_reason icmpv6_echo_reply(struct sk_buff *skb)
{
struct net *net = dev_net(skb->dev);
struct sock *sk;
@@ -719,18 +719,19 @@ static void icmpv6_echo_reply(struct sk_buff *skb)
struct dst_entry *dst;
struct ipcm6_cookie ipc6;
u32 mark = IP6_REPLY_MARK(net, skb->mark);
+ SKB_DR(reason);
bool acast;
u8 type;
if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr) &&
net->ipv6.sysctl.icmpv6_echo_ignore_multicast)
- return;
+ return reason;
saddr = &ipv6_hdr(skb)->daddr;
acast = ipv6_anycast_destination(skb_dst(skb), saddr);
if (acast && net->ipv6.sysctl.icmpv6_echo_ignore_anycast)
- return;
+ return reason;
if (!ipv6_unicast_destination(skb) &&
!(net->ipv6.sysctl.anycast_src_echo_reply && acast))
@@ -804,6 +805,7 @@ static void icmpv6_echo_reply(struct sk_buff *skb)
} else {
icmpv6_push_pending_frames(sk, &fl6, &tmp_hdr,
skb->len + sizeof(struct icmp6hdr));
+ reason = SKB_CONSUMED;
}
out_dst_release:
dst_release(dst);
@@ -811,6 +813,7 @@ static void icmpv6_echo_reply(struct sk_buff *skb)
icmpv6_xmit_unlock(sk);
out_bh_enable:
local_bh_enable();
+ return reason;
}
enum skb_drop_reason icmpv6_notify(struct sk_buff *skb, u8 type,
@@ -929,12 +932,12 @@ static int icmpv6_rcv(struct sk_buff *skb)
switch (type) {
case ICMPV6_ECHO_REQUEST:
if (!net->ipv6.sysctl.icmpv6_echo_ignore_all)
- icmpv6_echo_reply(skb);
+ reason = icmpv6_echo_reply(skb);
break;
case ICMPV6_EXT_ECHO_REQUEST:
if (!net->ipv6.sysctl.icmpv6_echo_ignore_all &&
READ_ONCE(net->ipv4.sysctl_icmp_echo_enable_probe))
- icmpv6_echo_reply(skb);
+ reason = icmpv6_echo_reply(skb);
break;
case ICMPV6_ECHO_REPLY:
--
2.39.1.581.gbfd45094c4-goog
^ permalink raw reply related [flat|nested] 10+ messages in thread* Re: [PATCH net-next 0/8] ipv6: icmp6: better drop reason support
2023-02-16 16:28 [PATCH net-next 0/8] ipv6: icmp6: better drop reason support Eric Dumazet
` (7 preceding siblings ...)
2023-02-16 16:28 ` [PATCH net-next 8/8] ipv6: icmp6: add drop reason support to icmpv6_echo_reply() Eric Dumazet
@ 2023-02-20 9:00 ` patchwork-bot+netdevbpf
8 siblings, 0 replies; 10+ messages in thread
From: patchwork-bot+netdevbpf @ 2023-02-20 9:00 UTC (permalink / raw)
To: Eric Dumazet; +Cc: davem, kuba, pabeni, dsahern, netdev, eric.dumazet
Hello:
This series was applied to netdev/net-next.git (master)
by David S. Miller <davem@davemloft.net>:
On Thu, 16 Feb 2023 16:28:34 +0000 you wrote:
> This series aims to have more precise drop reason reports for icmp6.
>
> This should reduce false positives on most usual cases.
>
> This can be extended as needed later.
>
> Eric Dumazet (8):
> ipv6: icmp6: add drop reason support to ndisc_recv_ns()
> ipv6: icmp6: add drop reason support to ndisc_recv_na()
> ipv6: icmp6: add drop reason support to ndisc_recv_rs()
> ipv6: icmp6: add drop reason support to ndisc_router_discovery()
> ipv6: icmp6: add drop reason support to ndisc_redirect_rcv()
> ipv6: icmp6: add SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS
> ipv6: icmp6: add SKB_DROP_REASON_IPV6_NDISC_NS_OTHERHOST
> ipv6: icmp6: add drop reason support to icmpv6_echo_reply()
>
> [...]
Here is the summary with links:
- [net-next,1/8] ipv6: icmp6: add drop reason support to ndisc_recv_ns()
https://git.kernel.org/netdev/net-next/c/7c9c8913f452
- [net-next,2/8] ipv6: icmp6: add drop reason support to ndisc_recv_na()
https://git.kernel.org/netdev/net-next/c/3009f9ae21ec
- [net-next,3/8] ipv6: icmp6: add drop reason support to ndisc_recv_rs()
https://git.kernel.org/netdev/net-next/c/243e37c642ac
- [net-next,4/8] ipv6: icmp6: add drop reason support to ndisc_router_discovery()
https://git.kernel.org/netdev/net-next/c/2f326d9d9ff4
- [net-next,5/8] ipv6: icmp6: add drop reason support to ndisc_redirect_rcv()
https://git.kernel.org/netdev/net-next/c/ec993edf05ca
- [net-next,6/8] ipv6: icmp6: add SKB_DROP_REASON_IPV6_NDISC_BAD_OPTIONS
https://git.kernel.org/netdev/net-next/c/784d4477f07b
- [net-next,7/8] ipv6: icmp6: add SKB_DROP_REASON_IPV6_NDISC_NS_OTHERHOST
https://git.kernel.org/netdev/net-next/c/c34b8bb11ebc
- [net-next,8/8] ipv6: icmp6: add drop reason support to icmpv6_echo_reply()
https://git.kernel.org/netdev/net-next/c/ac03694bc009
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 10+ messages in thread