ip_tunnel: fix ip_tunnel_lookup

This patch fixes 3 similar bugs where incoming packets might be routed into wrong non-wildcard tunnels: 1) Consider the following setup: ip address add 1.1.1.1/24 dev eth0 ip address add 1.1.1.2/24 dev eth0 ip tunnel add ipip1 remote 2.2.2.2 local 1.1.1.1 mode ipip dev eth0 ip link set ipip1 up Incoming ipip packets from 2.2.2.2 were routed into ipip1 even if it has dst = 1.1.1.2. Moreover even if there was wildcard tunnel like ip tunnel add ipip0 remote 2.2.2.2 local any mode ipip dev eth0 but it was created before explicit one (with local 1.1.1.1), incoming ipip packets with src = 2.2.2.2 and dst = 1.1.1.2 were still routed into ipip1. Same issue existed with all tunnels that use ip_tunnel_lookup (gre, vti) 2) ip address add 1.1.1.1/24 dev eth0 ip tunnel add ipip1 remote 2.2.146.85 local 1.1.1.1 mode ipip dev eth0 ip link set ipip1 up Incoming ipip packets with dst = 1.1.1.1 were routed into ipip1, no matter what src address is. Any remote ip address which has ip_tunnel_hash = 0 raised this issue, 2.2.146.85 is just an example, there are more than 4 million of them. And again, wildcard tunnel like ip tunnel add ipip0 remote any local 1.1.1.1 mode ipip dev eth0 wouldn't be ever matched if it was created before explicit tunnel like above. Gre & vti tunnels had the same issue. 3) ip address add 1.1.1.1/24 dev eth0 ip tunnel add gre1 remote 2.2.146.84 local 1.1.1.1 key 1 mode gre dev eth0 ip link set gre1 up Any incoming gre packet with key = 1 were routed into gre1, no matter what src/dst addresses are. Any remote ip address which has ip_tunnel_hash = 0 raised the issue, 2.2.146.84 is just an example, there are more than 4 million of them. Wildcard tunnel like ip tunnel add gre2 remote any local any key 1 mode gre dev eth0 wouldn't be ever matched if it was created before explicit tunnel like above. All this stuff happened because while looking for a wildcard tunnel we didn't check that matched tunnel is a wildcard one. Fixed. Signed-off-by: Dmitry Popov <ixaphire@qrator.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Dmitry Popov <ixaphire@qrator.net> 2014-07-04 18:26:37 -0400
committer: David S. Miller <davem@davemloft.net> 2014-07-08 22:35:09 -0400
commit: e0056593b61253f1a8a9941dacda22e73b963cdc (patch)
tree: 660bab18f9cb58a82d0c94a7bd0529694091d3f8 /net
parent: 85b722d760f0de77c4bb371b77202784671f5a54 (diff)
1 files changed, 8 insertions, 4 deletions
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index 54b6731dab55..6f9de61dce5f 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -169,6 +169,7 @@ struct ip_tunnel *ip_tunnel_lookup(struct ip_tunnel_net *itn,
        hlist_for_each_entry_rcu(t, head, hash_node) {
                if (remote != t->parms.iph.daddr ||
+                    t->parms.iph.saddr != 0 ||
                    !(t->dev->flags & IFF_UP))
                        continue;
@@ -185,10 +186,11 @@ struct ip_tunnel *ip_tunnel_lookup(struct ip_tunnel_net *itn,
        head = &itn->tunnels[hash];
        hlist_for_each_entry_rcu(t, head, hash_node) {
-                if ((local != t->parms.iph.saddr &&
+                if ((local != t->parms.iph.saddr || t->parms.iph.daddr != 0) &&
-                     (local != t->parms.iph.daddr ||
+                    (local != t->parms.iph.daddr || !ipv4_is_multicast(local)))
-                      !ipv4_is_multicast(local))) ||
+                        continue;
-                    !(t->dev->flags & IFF_UP))
+                if (!(t->dev->flags & IFF_UP))
                        continue;
                if (!ip_tunnel_key_match(&t->parms, flags, key))
@@ -205,6 +207,8 @@ struct ip_tunnel *ip_tunnel_lookup(struct ip_tunnel_net *itn,
        hlist_for_each_entry_rcu(t, head, hash_node) {
                if (t->parms.i_key != key ||
+                    t->parms.iph.saddr != 0 ||
+                    t->parms.iph.daddr != 0 ||
                    !(t->dev->flags & IFF_UP))
                        continue;
author	Dmitry Popov <ixaphire@qrator.net>	2014-07-04 18:26:37 -0400
committer	David S. Miller <davem@davemloft.net>	2014-07-08 22:35:09 -0400
commit	e0056593b61253f1a8a9941dacda22e73b963cdc (patch)
tree	660bab18f9cb58a82d0c94a7bd0529694091d3f8 /net
parent	85b722d760f0de77c4bb371b77202784671f5a54 (diff)

diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c index 54b6731dab55..6f9de61dce5f 100644 --- a/net/ipv4/ip_tunnel.c +++ b/net/ipv4/ip_tunnel.c
@@ -169,6 +169,7 @@ struct ip_tunnel ip_tunnel_lookup(struct ip_tunnel_net itn,
169		169
170	hlist_for_each_entry_rcu(t, head, hash_node) {	170	hlist_for_each_entry_rcu(t, head, hash_node) {
171	if (remote != t->parms.iph.daddr \|\|	171	if (remote != t->parms.iph.daddr \|\|
		172	t->parms.iph.saddr != 0 \|\|
172	!(t->dev->flags & IFF_UP))	173	!(t->dev->flags & IFF_UP))
173	continue;	174	continue;
174		175
@@ -185,10 +186,11 @@ struct ip_tunnel ip_tunnel_lookup(struct ip_tunnel_net itn,
185	head = &itn->tunnels[hash];	186	head = &itn->tunnels[hash];
186		187
187	hlist_for_each_entry_rcu(t, head, hash_node) {	188	hlist_for_each_entry_rcu(t, head, hash_node) {
188	if ((local != t->parms.iph.saddr &&	189	if ((local != t->parms.iph.saddr \|\| t->parms.iph.daddr != 0) &&
189	(local != t->parms.iph.daddr \|\|	190	(local != t->parms.iph.daddr \|\| !ipv4_is_multicast(local)))
190	!ipv4_is_multicast(local))) \|\|	191	continue;
191	!(t->dev->flags & IFF_UP))	192
		193	if (!(t->dev->flags & IFF_UP))
192	continue;	194	continue;
193		195
194	if (!ip_tunnel_key_match(&t->parms, flags, key))	196	if (!ip_tunnel_key_match(&t->parms, flags, key))
@@ -205,6 +207,8 @@ struct ip_tunnel ip_tunnel_lookup(struct ip_tunnel_net itn,
205		207
206	hlist_for_each_entry_rcu(t, head, hash_node) {	208	hlist_for_each_entry_rcu(t, head, hash_node) {
207	if (t->parms.i_key != key \|\|	209	if (t->parms.i_key != key \|\|
		210	t->parms.iph.saddr != 0 \|\|
		211	t->parms.iph.daddr != 0 \|\|
208	!(t->dev->flags & IFF_UP))	212	!(t->dev->flags & IFF_UP))
209	continue;	213	continue;
210		214