[NET]: Added GSO header verification

When GSO packets come from an untrusted source (e.g., a Xen guest domain), we need to verify the header integrity before passing it to the hardware. Since the first step in GSO is to verify the header, we can reuse that code by adding a new bit to gso_type: SKB_GSO_DODGY. Packets with this bit set can only be fed directly to devices with the corresponding bit NETIF_F_GSO_ROBUST. If the device doesn't have that bit, then the skb is fed to the GSO engine which will allow the packet to be sent to the hardware if it passes the header check. This patch changes the sg flag to a full features flag. The same method can be used to implement TSO ECN support. We simply have to mark packets with CWR set with SKB_GSO_ECN so that only hardware with a corresponding NETIF_F_TSO_ECN can accept them. The GSO engine can either fully segment the packet, or segment the first MTU and pass the rest to the hardware for further segmentation. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Herbert Xu <herbert@gondor.apana.org.au> 2006-06-27 16:22:38 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2006-06-29 19:57:53 -0400
commit: 576a30eb6453439b3c37ba24455ac7090c247b5a (patch)
tree: e0c427a61e3de5c93e797c09903d910f6f060e64 /include
parent: 68c1692e3ea5d79f24cb5cc566c4a73939d13d25 (diff)
4 files changed, 19 insertions, 8 deletions
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 03cd7551a7a1..84b0f0d16fcb 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -315,6 +315,7 @@ struct net_device
 #define NETIF_F_GSO_SHIFT       16
 #define NETIF_F_TSO             (SKB_GSO_TCPV4 << NETIF_F_GSO_SHIFT)
 #define NETIF_F_UFO             (SKB_GSO_UDPV4 << NETIF_F_GSO_SHIFT)
+#define NETIF_F_GSO_ROBUST      (SKB_GSO_DODGY << NETIF_F_GSO_SHIFT)
 #define NETIF_F_GEN_CSUM        (NETIF_F_NO_CSUM | NETIF_F_HW_CSUM)
 #define NETIF_F_ALL_CSUM        (NETIF_F_IP_CSUM | NETIF_F_GEN_CSUM)
@@ -543,7 +544,8 @@ struct packet_type {
                                         struct net_device *,
                                         struct packet_type *,
                                         struct net_device *);
-        struct sk_buff          *(*gso_segment)(struct sk_buff *skb, int sg);
+        struct sk_buff          *(*gso_segment)(struct sk_buff *skb,
+                                                int features);
        void                    *af_packet_priv;
        struct list_head        list;
 };
@@ -968,7 +970,7 @@ extern int		netdev_max_backlog;
 extern int              weight_p;
 extern int              netdev_set_master(struct net_device *dev, struct net_device *master);
 extern int skb_checksum_help(struct sk_buff *skb, int inward);
-extern struct sk_buff *skb_gso_segment(struct sk_buff *skb, int sg);
+extern struct sk_buff *skb_gso_segment(struct sk_buff *skb, int features);
 #ifdef CONFIG_BUG
 extern void netdev_rx_csum_fault(struct net_device *dev);
 #else
@@ -988,11 +990,16 @@ extern void dev_seq_stop(struct seq_file *seq, void *v);
 extern void linkwatch_run_queue(void);
+static inline int skb_gso_ok(struct sk_buff *skb, int features)
+{
+        int feature = skb_shinfo(skb)->gso_size ?
+                      skb_shinfo(skb)->gso_type << NETIF_F_GSO_SHIFT : 0;
+        return (features & feature) != feature;
+}
 static inline int netif_needs_gso(struct net_device *dev, struct sk_buff *skb)
 {
-        int feature = skb_shinfo(skb)->gso_type << NETIF_F_GSO_SHIFT;
+        return skb_gso_ok(skb, dev->features);
-        return skb_shinfo(skb)->gso_size &&
-               (dev->features & feature) != feature;
 }
 #endif /* __KERNEL__ */
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 16eef03ce0eb..5fb72da7da03 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -172,6 +172,9 @@ enum {
 enum {
        SKB_GSO_TCPV4 = 1 << 0,
        SKB_GSO_UDPV4 = 1 << 1,
+        /* This indicates the skb is from an untrusted source. */
+        SKB_GSO_DODGY = 1 << 2,
 };
 /** 
@@ -1299,7 +1302,7 @@ extern void	       skb_split(struct sk_buff *skb,
                                 struct sk_buff *skb1, const u32 len);
 extern void            skb_release_data(struct sk_buff *skb);
-extern struct sk_buff *skb_segment(struct sk_buff *skb, int sg);
+extern struct sk_buff *skb_segment(struct sk_buff *skb, int features);
 static inline void *skb_header_pointer(const struct sk_buff *skb, int offset,
                                       int len, void *buffer)
diff --git a/include/net/protocol.h b/include/net/protocol.h
index 3b6dc15c68a5..40b6b9c9973f 100644
--- a/include/net/protocol.h
+++ b/include/net/protocol.h
@@ -36,7 +36,8 @@
 struct net_protocol {
        int                     (*handler)(struct sk_buff *skb);
        void                    (*err_handler)(struct sk_buff *skb, u32 info);
-        struct sk_buff         *(*gso_segment)(struct sk_buff *skb, int sg);
+        struct sk_buff         *(*gso_segment)(struct sk_buff *skb,
+                                               int features);
        int                     no_policy;
 };
diff --git a/include/net/tcp.h b/include/net/tcp.h
index ca3d38dfc00b..624921e76332 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1086,7 +1086,7 @@ extern struct request_sock_ops tcp_request_sock_ops;
 extern int tcp_v4_destroy_sock(struct sock *sk);
-extern struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int sg);
+extern struct sk_buff *tcp_tso_segment(struct sk_buff *skb, int features);
 #ifdef CONFIG_PROC_FS
 extern int  tcp4_proc_init(void);
author	Herbert Xu <herbert@gondor.apana.org.au>	2006-06-27 16:22:38 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2006-06-29 19:57:53 -0400
commit	576a30eb6453439b3c37ba24455ac7090c247b5a (patch)
tree	e0c427a61e3de5c93e797c09903d910f6f060e64 /include
parent	68c1692e3ea5d79f24cb5cc566c4a73939d13d25 (diff)