diff options
| author | stephen hemminger <shemminger@vyatta.com> | 2012-09-25 07:02:48 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2012-09-27 18:12:37 -0400 |
| commit | eccc1bb8d4b4cf68d3c9becb083fa94ada7d495c (patch) | |
| tree | b0be7efd0c4a4eed26ffd63863dc372d3b1f2ca0 /net/ipv4/ipip.c | |
| parent | b0558ef24a792906914fcad277f3befe2420e618 (diff) | |
tunnel: drop packet if ECN present with not-ECT
Linux tunnels were written before RFC6040 and therefore never
implemented the corner case of ECN getting set in the outer header
and the inner header not being ready for it.
Section 4.2. Default Tunnel Egress Behaviour.
o If the inner ECN field is Not-ECT, the decapsulator MUST NOT
propagate any other ECN codepoint onwards. This is because the
inner Not-ECT marking is set by transports that rely on dropped
packets as an indication of congestion and would not understand or
respond to any other ECN codepoint [RFC4774]. Specifically:
* If the inner ECN field is Not-ECT and the outer ECN field is
CE, the decapsulator MUST drop the packet.
* If the inner ECN field is Not-ECT and the outer ECN field is
Not-ECT, ECT(0), or ECT(1), the decapsulator MUST forward the
outgoing packet with the ECN field cleared to Not-ECT.
This patch moves the ECN decap logic out of the individual tunnels
into a common place.
It also adds logging to allow detecting broken systems that
set ECN bits incorrectly when tunneling (or an intermediate
router might be changing the header).
Overloads rx_frame_error to keep track of ECN related error.
Thanks to Chris Wright who caught this while reviewing the new VXLAN
tunnel.
This code was tested by injecting faulty logic in other end GRE
to send incorrectly encapsulated packets.
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/ipip.c')
| -rw-r--r-- | net/ipv4/ipip.c | 42 |
1 files changed, 25 insertions, 17 deletions
diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c index 618bde867ac1..e15b45297c09 100644 --- a/net/ipv4/ipip.c +++ b/net/ipv4/ipip.c | |||
| @@ -120,6 +120,10 @@ | |||
| 120 | #define HASH_SIZE 16 | 120 | #define HASH_SIZE 16 |
| 121 | #define HASH(addr) (((__force u32)addr^((__force u32)addr>>4))&0xF) | 121 | #define HASH(addr) (((__force u32)addr^((__force u32)addr>>4))&0xF) |
| 122 | 122 | ||
| 123 | static bool log_ecn_error = true; | ||
| 124 | module_param(log_ecn_error, bool, 0644); | ||
| 125 | MODULE_PARM_DESC(log_ecn_error, "Log packets received with corrupted ECN"); | ||
| 126 | |||
| 123 | static int ipip_net_id __read_mostly; | 127 | static int ipip_net_id __read_mostly; |
| 124 | struct ipip_net { | 128 | struct ipip_net { |
| 125 | struct ip_tunnel __rcu *tunnels_r_l[HASH_SIZE]; | 129 | struct ip_tunnel __rcu *tunnels_r_l[HASH_SIZE]; |
| @@ -400,28 +404,18 @@ out: | |||
| 400 | return err; | 404 | return err; |
| 401 | } | 405 | } |
| 402 | 406 | ||
| 403 | static inline void ipip_ecn_decapsulate(const struct iphdr *outer_iph, | ||
| 404 | struct sk_buff *skb) | ||
| 405 | { | ||
| 406 | struct iphdr *inner_iph = ip_hdr(skb); | ||
| 407 | |||
| 408 | if (INET_ECN_is_ce(outer_iph->tos)) | ||
| 409 | IP_ECN_set_ce(inner_iph); | ||
| 410 | } | ||
| 411 | |||
| 412 | static int ipip_rcv(struct sk_buff *skb) | 407 | static int ipip_rcv(struct sk_buff *skb) |
| 413 | { | 408 | { |
| 414 | struct ip_tunnel *tunnel; | 409 | struct ip_tunnel *tunnel; |
| 415 | const struct iphdr *iph = ip_hdr(skb); | 410 | const struct iphdr *iph = ip_hdr(skb); |
| 411 | int err; | ||
| 416 | 412 | ||
| 417 | tunnel = ipip_tunnel_lookup(dev_net(skb->dev), iph->saddr, iph->daddr); | 413 | tunnel = ipip_tunnel_lookup(dev_net(skb->dev), iph->saddr, iph->daddr); |
| 418 | if (tunnel != NULL) { | 414 | if (tunnel != NULL) { |
| 419 | struct pcpu_tstats *tstats; | 415 | struct pcpu_tstats *tstats; |
| 420 | 416 | ||
| 421 | if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) { | 417 | if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) |
| 422 | kfree_skb(skb); | 418 | goto drop; |
| 423 | return 0; | ||
| 424 | } | ||
| 425 | 419 | ||
| 426 | secpath_reset(skb); | 420 | secpath_reset(skb); |
| 427 | 421 | ||
| @@ -430,21 +424,35 @@ static int ipip_rcv(struct sk_buff *skb) | |||
| 430 | skb->protocol = htons(ETH_P_IP); | 424 | skb->protocol = htons(ETH_P_IP); |
| 431 | skb->pkt_type = PACKET_HOST; | 425 | skb->pkt_type = PACKET_HOST; |
| 432 | 426 | ||
| 427 | __skb_tunnel_rx(skb, tunnel->dev); | ||
| 428 | |||
| 429 | err = IP_ECN_decapsulate(iph, skb); | ||
| 430 | if (unlikely(err)) { | ||
| 431 | if (log_ecn_error) | ||
| 432 | net_info_ratelimited("non-ECT from %pI4 with TOS=%#x\n", | ||
| 433 | &iph->saddr, iph->tos); | ||
| 434 | if (err > 1) { | ||
| 435 | ++tunnel->dev->stats.rx_frame_errors; | ||
| 436 | ++tunnel->dev->stats.rx_errors; | ||
| 437 | goto drop; | ||
| 438 | } | ||
| 439 | } | ||
| 440 | |||
| 433 | tstats = this_cpu_ptr(tunnel->dev->tstats); | 441 | tstats = this_cpu_ptr(tunnel->dev->tstats); |
| 434 | u64_stats_update_begin(&tstats->syncp); | 442 | u64_stats_update_begin(&tstats->syncp); |
| 435 | tstats->rx_packets++; | 443 | tstats->rx_packets++; |
| 436 | tstats->rx_bytes += skb->len; | 444 | tstats->rx_bytes += skb->len; |
| 437 | u64_stats_update_end(&tstats->syncp); | 445 | u64_stats_update_end(&tstats->syncp); |
| 438 | 446 | ||
| 439 | __skb_tunnel_rx(skb, tunnel->dev); | ||
| 440 | |||
| 441 | ipip_ecn_decapsulate(iph, skb); | ||
| 442 | |||
| 443 | netif_rx(skb); | 447 | netif_rx(skb); |
| 444 | return 0; | 448 | return 0; |
| 445 | } | 449 | } |
| 446 | 450 | ||
| 447 | return -1; | 451 | return -1; |
| 452 | |||
| 453 | drop: | ||
| 454 | kfree_skb(skb); | ||
| 455 | return 0; | ||
| 448 | } | 456 | } |
| 449 | 457 | ||
| 450 | /* | 458 | /* |