tunnel: drop packet if ECN present with not-ECT

Linux tunnels were written before RFC6040 and therefore never implemented the corner case of ECN getting set in the outer header and the inner header not being ready for it. Section 4.2. Default Tunnel Egress Behaviour. o If the inner ECN field is Not-ECT, the decapsulator MUST NOT propagate any other ECN codepoint onwards. This is because the inner Not-ECT marking is set by transports that rely on dropped packets as an indication of congestion and would not understand or respond to any other ECN codepoint [RFC4774]. Specifically: * If the inner ECN field is Not-ECT and the outer ECN field is CE, the decapsulator MUST drop the packet. * If the inner ECN field is Not-ECT and the outer ECN field is Not-ECT, ECT(0), or ECT(1), the decapsulator MUST forward the outgoing packet with the ECN field cleared to Not-ECT. This patch moves the ECN decap logic out of the individual tunnels into a common place. It also adds logging to allow detecting broken systems that set ECN bits incorrectly when tunneling (or an intermediate router might be changing the header). Overloads rx_frame_error to keep track of ECN related error. Thanks to Chris Wright who caught this while reviewing the new VXLAN tunnel. This code was tested by injecting faulty logic in other end GRE to send incorrectly encapsulated packets. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: stephen hemminger <shemminger@vyatta.com> 2012-09-25 07:02:48 -0400
committer: David S. Miller <davem@davemloft.net> 2012-09-27 18:12:37 -0400
commit: eccc1bb8d4b4cf68d3c9becb083fa94ada7d495c (patch)
tree: b0be7efd0c4a4eed26ffd63863dc372d3b1f2ca0 /net/ipv6
parent: b0558ef24a792906914fcad277f3befe2420e618 (diff)
1 files changed, 24 insertions, 30 deletions
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index b987d4db790f..613a16647741 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -56,6 +56,10 @@
 #include <net/ip6_tunnel.h>
+static bool log_ecn_error = true;
+module_param(log_ecn_error, bool, 0644);
+MODULE_PARM_DESC(log_ecn_error, "Log packets received with corrupted ECN");
 #define IPV6_TCLASS_MASK (IPV6_FLOWINFO_MASK & ~IPV6_FLOWLABEL_MASK)
 #define IPV6_TCLASS_SHIFT 20
@@ -149,7 +153,9 @@ static struct rtnl_link_stats64 *ip6gre_get_stats64(struct net_device *dev,
        tot->rx_crc_errors = dev->stats.rx_crc_errors;
        tot->rx_fifo_errors = dev->stats.rx_fifo_errors;
        tot->rx_length_errors = dev->stats.rx_length_errors;
+        tot->rx_frame_errors = dev->stats.rx_frame_errors;
        tot->rx_errors = dev->stats.rx_errors;
        tot->tx_fifo_errors = dev->stats.tx_fifo_errors;
        tot->tx_carrier_errors = dev->stats.tx_carrier_errors;
        tot->tx_dropped = dev->stats.tx_dropped;
@@ -489,28 +495,6 @@ static void ip6gre_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
        t->err_time = jiffies;
 }
-static inline void ip6gre_ecn_decapsulate_ipv4(const struct ip6_tnl *t,
-                const struct ipv6hdr *ipv6h, struct sk_buff *skb)
-{
-        __u8 dsfield = ipv6_get_dsfield(ipv6h) & ~INET_ECN_MASK;
-        if (t->parms.flags & IP6_TNL_F_RCV_DSCP_COPY)
-                ipv4_change_dsfield(ip_hdr(skb), INET_ECN_MASK, dsfield);
-        if (INET_ECN_is_ce(dsfield))
-                IP_ECN_set_ce(ip_hdr(skb));
-}
-static inline void ip6gre_ecn_decapsulate_ipv6(const struct ip6_tnl *t,
-                const struct ipv6hdr *ipv6h, struct sk_buff *skb)
-{
-        if (t->parms.flags & IP6_TNL_F_RCV_DSCP_COPY)
-                ipv6_copy_dscp(ipv6_get_dsfield(ipv6h), ipv6_hdr(skb));
-        if (INET_ECN_is_ce(ipv6_get_dsfield(ipv6h)))
-                IP6_ECN_set_ce(ipv6_hdr(skb));
-}
 static int ip6gre_rcv(struct sk_buff *skb)
 {
        const struct ipv6hdr *ipv6h;
@@ -522,6 +506,7 @@ static int ip6gre_rcv(struct sk_buff *skb)
        struct ip6_tnl *tunnel;
        int    offset = 4;
        __be16 gre_proto;
+        int err;
        if (!pskb_may_pull(skb, sizeof(struct in6_addr)))
                goto drop;
@@ -625,20 +610,29 @@ static int ip6gre_rcv(struct sk_buff *skb)
                        skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN);
                }
+                __skb_tunnel_rx(skb, tunnel->dev);
+                skb_reset_network_header(skb);
+                err = IP6_ECN_decapsulate(ipv6h, skb);
+                if (unlikely(err)) {
+                        if (log_ecn_error)
+                                net_info_ratelimited("non-ECT from %pI6 with dsfield=%#x\n",
+                                                     &ipv6h->saddr,
+                                                     ipv6_get_dsfield(ipv6h));
+                        if (err > 1) {
+                                ++tunnel->dev->stats.rx_frame_errors;
+                                ++tunnel->dev->stats.rx_errors;
+                                goto drop;
+                        }
+                }
                tstats = this_cpu_ptr(tunnel->dev->tstats);
                u64_stats_update_begin(&tstats->syncp);
                tstats->rx_packets++;
                tstats->rx_bytes += skb->len;
                u64_stats_update_end(&tstats->syncp);
-                __skb_tunnel_rx(skb, tunnel->dev);
-                skb_reset_network_header(skb);
-                if (skb->protocol == htons(ETH_P_IP))
-                        ip6gre_ecn_decapsulate_ipv4(tunnel, ipv6h, skb);
-                else if (skb->protocol == htons(ETH_P_IPV6))
-                        ip6gre_ecn_decapsulate_ipv6(tunnel, ipv6h, skb);
                netif_rx(skb);
                return 0;
author	stephen hemminger <shemminger@vyatta.com>	2012-09-25 07:02:48 -0400
committer	David S. Miller <davem@davemloft.net>	2012-09-27 18:12:37 -0400
commit	eccc1bb8d4b4cf68d3c9becb083fa94ada7d495c (patch)
tree	b0be7efd0c4a4eed26ffd63863dc372d3b1f2ca0 /net/ipv6
parent	b0558ef24a792906914fcad277f3befe2420e618 (diff)