[PATCH net-next 0/2] tc: adjust network header after second vlan push

[PATCH net-next 0/2] tc: adjust network header after second vlan push

[Boris Sukholitko]

[-- Attachment #1: Type: text/plain, Size: 5842 bytes --]

<tldr>
skb network header of the single-tagged vlan packet continues to point the
vlan payload (e.g. IP) after second vlan tag is pushed by tc act_vlan. This
causes problem at the dissector which expects double-tagged packet network
header to point to the inner vlan.

The fix is to adjust network header in tcf_act_vlan.c but requires minor
changes to the generic skb_vlan_push function.
</tldr>

Consider the following shell script snippet configuring TC rules on the
veth interface:

ip link add veth0 type veth peer veth1
ip link set veth0 up
ip link set veth1 up

tc qdisc add dev veth0 clsact

tc filter add dev veth0 ingress pref 10 chain 0 flower \
	num_of_vlans 2 cvlan_ethtype 0x800 action goto chain 5
tc filter add dev veth0 ingress pref 20 chain 0 flower \
	num_of_vlans 1 action vlan push id 100 \
	protocol 0x8100 action goto chain 5
tc filter add dev veth0 ingress pref 30 chain 5 flower \
	num_of_vlans 2 cvlan_ethtype 0x800 action simple sdata "success"

Sending double-tagged vlan packet with the IP payload inside:

cat <<ENDS | text2pcap - - | tcpreplay -i veth1 -
0000  00 00 00 00 00 11 00 00 00 00 00 22 81 00 00 64   ..........."...d
0010  81 00 00 14 08 00 45 04 00 26 04 d2 00 00 7f 11   ......E..&......
0020  18 ef 0a 00 00 01 14 00 00 02 00 00 00 00 00 12   ................
0030  e1 c7 00 00 00 00 00 00 00 00 00 00               ............
ENDS

will match rule 10, goto rule 30 in chain 5 and correctly emit "success" to
the dmesg.

OTOH, sending single-tagged vlan packet:

cat <<ENDS | text2pcap - - | tcpreplay -i veth1 -
0000  00 00 00 00 00 11 00 00 00 00 00 22 81 00 00 14   ..........."....
0010  08 00 45 04 00 2a 04 d2 00 00 7f 11 18 eb 0a 00   ..E..*..........
0020  00 01 14 00 00 02 00 00 00 00 00 16 e1 bf 00 00   ................
0030  00 00 00 00 00 00 00 00 00 00 00 00               ............
ENDS

will match rule 20, will push the second vlan tag but will *not* match
rule 30. IOW, the match at rule 30 fails if the second vlan was freshly
pushed by the kernel.

Lets look at  __skb_flow_dissect working on the double-tagged vlan packet.
Here is the relevant code from around net/core/flow_dissector.c:1277
copy-pasted here for convenience:

	if (dissector_vlan == FLOW_DISSECTOR_KEY_MAX &&
	    skb && skb_vlan_tag_present(skb)) {
		proto = skb->protocol;
	} else {
		vlan = __skb_header_pointer(skb, nhoff, sizeof(_vlan),
					    data, hlen, &_vlan);
		if (!vlan) {
			fdret = FLOW_DISSECT_RET_OUT_BAD;
			break;
		}

		proto = vlan->h_vlan_encapsulated_proto;
		nhoff += sizeof(*vlan);
	}

The "else" clause above gets the protocol of the encapsulated packet from
the skb data at the network header location. printk debugging has showed
that in the good double-tagged packet case proto is
htons(0x800 == ETH_P_IP) as expected. However in the single-tagged packet
case proto is garbage leading to the failure to match tc filter 30.

proto is being set from the skb header pointed by nhoff parameter which is
defined at the beginning of __skb_flow_dissect
(net/core/flow_dissector.c:1055 in the current version):

		nhoff = skb_network_offset(skb);

Therefore the culprit seems to be that the skb network offset is different
between double-tagged packet received from the interface and single-tagged
packet having its vlan tag pushed by TC.

Lets look at the interesting points of the lifetime of the single/double
tagged packets as they traverse our packet flow.

Both of them will start at __netif_receive_skb_core where the first vlan
tag will be stripped:

	if (eth_type_vlan(skb->protocol)) {
		skb = skb_vlan_untag(skb);
		if (unlikely(!skb))
			goto out;
	}

At this stage in double-tagged case skb->data points to the second vlan tag
while in single-tagged case skb->data points to the network (eg. IP)
header.

Looking at TC vlan push action (net/sched/act_vlan.c) we have the following
code at tcf_vlan_act (interesting points are in square brackets):

	if (skb_at_tc_ingress(skb))
[1]		skb_push_rcsum(skb, skb->mac_len);

	....

	case TCA_VLAN_ACT_PUSH:
		err = skb_vlan_push(skb, p->tcfv_push_proto, p->tcfv_push_vid |
				    (p->tcfv_push_prio << VLAN_PRIO_SHIFT),
				    0);
		if (err)
			goto drop;
		break;

	....

out:
	if (skb_at_tc_ingress(skb))
[3]		skb_pull_rcsum(skb, skb->mac_len);

And skb_vlan_push (net/core/skbuff.c:6204) function does:

		err = __vlan_insert_tag(skb, skb->vlan_proto,
					skb_vlan_tag_get(skb));
		if (err)
			return err;

		skb->protocol = skb->vlan_proto;
[2]		skb->mac_len += VLAN_HLEN;

in the case of pushing the second tag. Lets look at what happens with
skb->data of the single-tagged packet at each of the above points:

1. As a result of the skb_push_rcsum, skb->data is moved back to the start
   of the packet.

2. First VLAN tag is moved from the skb into packet buffer, skb->mac_len is
   incremented, skb->data still points to the start of the packet.

3. As a result of the skb_pull_rcsum, skb->data is moved forward by the
   modified skb->mac_len, thus pointing to the network header again.

Then __skb_flow_dissect will get confused by having double-tagged vlan
packet with the skb->data at the network header.

Our solution for the bug is to preserve "skb->data at second vlan header"
semantics in the act_vlan.c. We do this by passing skb->mac_len advancement
as an argument to skb_vlan_push (first patch in the series). Second patch
modifies act_vlan.c to disable skb->mac_len increment and do network header
adjustment by itself.

Thanks,
Boris.

Boris Sukholitko (2):
  skb: skb_vlan_push gets VLAN_HLEN as an argument
  tc vlan: adjust network header in tcf_vlan_act

 include/linux/skbuff.h    | 2 +-
 net/core/filter.c         | 2 +-
 net/core/skbuff.c         | 4 ++--
 net/openvswitch/actions.c | 3 ++-
 net/sched/act_vlan.c      | 8 ++++++--
 5 files changed, 12 insertions(+), 7 deletions(-)

-- 
2.42.0


[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4221 bytes --]

[PATCH net-next 1/2] skb: skb_vlan_push gets VLAN_HLEN as an argument

[Boris Sukholitko]

[-- Attachment #1: Type: text/plain, Size: 3665 bytes --]

In case of vlan tagged packet, skb_vlan_push flushes current vlan header
into skb packet buffer. It also advances skb->mac_len by VLAN_HLEN
amount.

Some of the callers of skb_vlan_push (e.g. net/sched/act_vlan.c)
may want to reset skb network header by themselves.

To allow this we pass VLAN_HLEN as an argument to skb_vlan_push.

Signed-off-by: Boris Sukholitko <boris.sukholitko@broadcom.com>
---
 include/linux/skbuff.h    | 2 +-
 net/core/filter.c         | 2 +-
 net/core/skbuff.c         | 4 ++--
 net/openvswitch/actions.c | 3 ++-
 net/sched/act_vlan.c      | 3 ++-
 5 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 9c29bdd5596d..e13f44fe33df 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -4046,7 +4046,7 @@ int skb_ensure_writable(struct sk_buff *skb, unsigned int write_len);
 int skb_ensure_writable_head_tail(struct sk_buff *skb, struct net_device *dev);
 int __skb_vlan_pop(struct sk_buff *skb, u16 *vlan_tci);
 int skb_vlan_pop(struct sk_buff *skb);
-int skb_vlan_push(struct sk_buff *skb, __be16 vlan_proto, u16 vlan_tci);
+int skb_vlan_push(struct sk_buff *skb, __be16 vlan_proto, u16 vlan_tci, u16 hlen);
 int skb_eth_pop(struct sk_buff *skb);
 int skb_eth_push(struct sk_buff *skb, const unsigned char *dst,
 		 const unsigned char *src);
diff --git a/net/core/filter.c b/net/core/filter.c
index d767880c276d..bb14574422b5 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -3187,7 +3187,7 @@ BPF_CALL_3(bpf_skb_vlan_push, struct sk_buff *, skb, __be16, vlan_proto,
 		vlan_proto = htons(ETH_P_8021Q);
 
 	bpf_push_mac_rcsum(skb);
-	ret = skb_vlan_push(skb, vlan_proto, vlan_tci);
+	ret = skb_vlan_push(skb, vlan_proto, vlan_tci, VLAN_HLEN);
 	bpf_pull_mac_rcsum(skb);
 
 	bpf_compute_data_pointers(skb);
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 83f8cd8aa2d1..9c69c9bff55c 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -6223,7 +6223,7 @@ EXPORT_SYMBOL(skb_vlan_pop);
 /* Push a vlan tag either into hwaccel or into payload (if hwaccel tag present).
  * Expects skb->data at mac header.
  */
-int skb_vlan_push(struct sk_buff *skb, __be16 vlan_proto, u16 vlan_tci)
+int skb_vlan_push(struct sk_buff *skb, __be16 vlan_proto, u16 vlan_tci, u16 hlen)
 {
 	if (skb_vlan_tag_present(skb)) {
 		int offset = skb->data - skb_mac_header(skb);
@@ -6241,7 +6241,7 @@ int skb_vlan_push(struct sk_buff *skb, __be16 vlan_proto, u16 vlan_tci)
 			return err;
 
 		skb->protocol = skb->vlan_proto;
-		skb->mac_len += VLAN_HLEN;
+		skb->mac_len += hlen;
 
 		skb_postpush_rcsum(skb, skb->data + (2 * ETH_ALEN), VLAN_HLEN);
 	}
diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
index 101f9a23792c..34909aca3526 100644
--- a/net/openvswitch/actions.c
+++ b/net/openvswitch/actions.c
@@ -244,7 +244,8 @@ static int push_vlan(struct sk_buff *skb, struct sw_flow_key *key,
 		key->eth.vlan.tpid = vlan->vlan_tpid;
 	}
 	return skb_vlan_push(skb, vlan->vlan_tpid,
-			     ntohs(vlan->vlan_tci) & ~VLAN_CFI_MASK);
+			     ntohs(vlan->vlan_tci) & ~VLAN_CFI_MASK,
+			     VLAN_HLEN);
 }
 
 /* 'src' is already properly masked. */
diff --git a/net/sched/act_vlan.c b/net/sched/act_vlan.c
index 22f4b1e8ade9..f60cf7062572 100644
--- a/net/sched/act_vlan.c
+++ b/net/sched/act_vlan.c
@@ -50,7 +50,8 @@ TC_INDIRECT_SCOPE int tcf_vlan_act(struct sk_buff *skb,
 		break;
 	case TCA_VLAN_ACT_PUSH:
 		err = skb_vlan_push(skb, p->tcfv_push_proto, p->tcfv_push_vid |
-				    (p->tcfv_push_prio << VLAN_PRIO_SHIFT));
+				    (p->tcfv_push_prio << VLAN_PRIO_SHIFT),
+				    VLAN_HLEN);
 		if (err)
 			goto drop;
 		break;
-- 
2.42.0


[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4221 bytes --]

[PATCH net-next 2/2] tc vlan: adjust network header in tcf_vlan_act

[Boris Sukholitko]

[-- Attachment #1: Type: text/plain, Size: 1522 bytes --]

When double-tagged VLAN packet enters Linux network stack the outer
vlan is stripped and copied to the skb. As a result, skb->data points
to the inner vlan.

When second vlan is pushed by tcf_vlan_act, skb->mac_len will be advanced
by skb_vlan_push. As a result, the final skb_pull_rcsum will have
network header pointing to the inner protocol header (e.g. IP) rather than
inner vlan as expected. This causes a problem with further TC processing
as __skb_flow_dissect expects the network header to point to the inner
vlan.

To fix this problem, we disable skb->mac_len advancement and reset
network header and mac_len at the end of tcf_vlan_act.

Signed-off-by: Boris Sukholitko <boris.sukholitko@broadcom.com>
---
 net/sched/act_vlan.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/net/sched/act_vlan.c b/net/sched/act_vlan.c
index f60cf7062572..8de6f363885b 100644
--- a/net/sched/act_vlan.c
+++ b/net/sched/act_vlan.c
@@ -51,7 +51,7 @@ TC_INDIRECT_SCOPE int tcf_vlan_act(struct sk_buff *skb,
 	case TCA_VLAN_ACT_PUSH:
 		err = skb_vlan_push(skb, p->tcfv_push_proto, p->tcfv_push_vid |
 				    (p->tcfv_push_prio << VLAN_PRIO_SHIFT),
-				    VLAN_HLEN);
+				    0);
 		if (err)
 			goto drop;
 		break;
@@ -94,8 +94,11 @@ TC_INDIRECT_SCOPE int tcf_vlan_act(struct sk_buff *skb,
 	}
 
 out:
-	if (skb_at_tc_ingress(skb))
+	if (skb_at_tc_ingress(skb)) {
 		skb_pull_rcsum(skb, skb->mac_len);
+		skb_reset_network_header(skb);
+		skb_reset_mac_len(skb);
+	}
 
 	return action;
 
-- 
2.42.0


[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 4221 bytes --]

Re: [PATCH net-next 0/2] tc: adjust network header after second vlan push

[Jakub Kicinski]

On Thu, 11 Jul 2024 10:08:26 +0300 Boris Sukholitko wrote:
> skb network header of the single-tagged vlan packet continues to point the
> vlan payload (e.g. IP) after second vlan tag is pushed by tc act_vlan. This
> causes problem at the dissector which expects double-tagged packet network
> header to point to the inner vlan.
> 
> The fix is to adjust network header in tcf_act_vlan.c but requires minor
> changes to the generic skb_vlan_push function.

This requires more careful analysis than I can afford right now since
the merge window has started, sorry :( Please repost once net-next
reopens: https://netdev.bots.linux.dev/net-next.html
-- 
pw-bot: defer