From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0A5DE18E03A; Mon, 28 Oct 2024 06:42:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1730097757; cv=none; b=VtSXIhi9aAx30rD1BzzvYNHBqYZ9Ci2OEYsyyHcJyN2UkT+wiEnO6lMygnenycuHBooSmd16bPUKJV0T8f/Nyrjd9sscXmsEJtlUSVq8HYDDPIEppPBXbQd1tBf+yneRlw0pvHUNUfD9Wa7I6Nt2Db+7HJq0bntlVqCaBf7Eosw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1730097757; c=relaxed/simple; bh=rIVfVArDv6jsi4npiMqJigAqcJcqS80UgLT4F0SWY4E=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=P+3RkGMaPsO3vc3uWuxKFzk9/BE4hpwM9BN2fADNVxy+6Rqzt6QcZMX5lngvrrUpwcpT69iCcVYb/2XGDSenWedTHaj7o0ckfw4NfQdDOS/+P63gVNGz8MyRo9M2r4JzEQhe0fTQdyAWlhKUyjuP/L9JBB++ILikNC4iCvlv21Q= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=C+bsu5os; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="C+bsu5os" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9D138C4CEC3; Mon, 28 Oct 2024 06:42:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1730097756; bh=rIVfVArDv6jsi4npiMqJigAqcJcqS80UgLT4F0SWY4E=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=C+bsu5osj667eNrAMDiq7AKAYYg7i9tpzTvkkYMtgMC7FupBxvVWqawxGpb6IKxUm kFm/XufZ/3mqTc5KZxv9S/hYlYlCF9VwpnIbSyz4SfGTGly9C7QCNKk8No9/Y/0wXJ ihgvus1uQ5ZBYTxnZIvGb/FqvlUW+wc7D6WjTwto= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Eyal Birger , Antony Antony , Steffen Klassert , Sasha Levin Subject: [PATCH 6.6 132/208] xfrm: respect ip protocols rules criteria when performing dst lookups Date: Mon, 28 Oct 2024 07:25:12 +0100 Message-ID: <20241028062309.891204162@linuxfoundation.org> X-Mailer: git-send-email 2.47.0 In-Reply-To: <20241028062306.649733554@linuxfoundation.org> References: <20241028062306.649733554@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.6-stable review patch. If anyone has any objections, please let me know. ------------------ From: Eyal Birger [ Upstream commit b8469721034300bbb6dec5b4bf32492c95e16a0c ] The series in the "fixes" tag added the ability to consider L4 attributes in routing rules. The dst lookup on the outer packet of encapsulated traffic in the xfrm code was not adapted to this change, thus routing behavior that relies on L4 information is not respected. Pass the ip protocol information when performing dst lookups. Fixes: a25724b05af0 ("Merge branch 'fib_rules-support-sport-dport-and-proto-match'") Signed-off-by: Eyal Birger Tested-by: Antony Antony Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin --- include/net/xfrm.h | 2 ++ net/ipv4/xfrm4_policy.c | 2 ++ net/ipv6/xfrm6_policy.c | 3 +++ net/xfrm/xfrm_policy.c | 15 +++++++++++++++ 4 files changed, 22 insertions(+) diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 93207d87e1c7f..93a9866ee481f 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -349,6 +349,8 @@ struct xfrm_dst_lookup_params { xfrm_address_t *saddr; xfrm_address_t *daddr; u32 mark; + __u8 ipproto; + union flowi_uli uli; }; struct net_device; diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c index 01d4f6f4dbb8c..63bbc7f6a5a88 100644 --- a/net/ipv4/xfrm4_policy.c +++ b/net/ipv4/xfrm4_policy.c @@ -30,6 +30,8 @@ static struct dst_entry *__xfrm4_dst_lookup(struct flowi4 *fl4, fl4->flowi4_mark = params->mark; if (params->saddr) fl4->saddr = params->saddr->a4; + fl4->flowi4_proto = params->ipproto; + fl4->uli = params->uli; rt = __ip_route_output_key(params->net, fl4); if (!IS_ERR(rt)) diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c index 246a0cea77c26..4cd625af91e6c 100644 --- a/net/ipv6/xfrm6_policy.c +++ b/net/ipv6/xfrm6_policy.c @@ -37,6 +37,9 @@ static struct dst_entry *xfrm6_dst_lookup(const struct xfrm_dst_lookup_params *p if (params->saddr) memcpy(&fl6.saddr, params->saddr, sizeof(fl6.saddr)); + fl6.flowi4_proto = params->ipproto; + fl6.uli = params->uli; + dst = ip6_route_output(params->net, NULL, &fl6); err = dst->error; diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 1395d3de1ec70..d788baffbf104 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -296,6 +296,21 @@ static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x, params.tos = tos; params.oif = oif; params.mark = mark; + params.ipproto = x->id.proto; + if (x->encap) { + switch (x->encap->encap_type) { + case UDP_ENCAP_ESPINUDP: + params.ipproto = IPPROTO_UDP; + params.uli.ports.sport = x->encap->encap_sport; + params.uli.ports.dport = x->encap->encap_dport; + break; + case TCP_ENCAP_ESPINTCP: + params.ipproto = IPPROTO_TCP; + params.uli.ports.sport = x->encap->encap_sport; + params.uli.ports.dport = x->encap->encap_dport; + break; + } + } dst = __xfrm_dst_lookup(family, ¶ms); -- 2.43.0