kernel/net/ipv4/af_inet.c, branch linux-5.1.yHosts the 0x221E linux distro kernel.https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-5.1.y2019-02-20T19:24:27Zgso: validate gso_type on ipip style tunnels2019-02-20T19:24:27ZWillem de Bruijnwillemb@google.com2019-02-20T15:52:12Zurn:sha1:418e897e0716b238ea4252ed22a73ca37d3cbbc1
Commit 121d57af308d ("gso: validate gso_type in GSO handlers") added
gso_type validation to existing gso_segment callback functions, to
filter out illegal and potentially dangerous SKB_GSO_DODGY packets.
Convert tunnels that now call inet_gso_segment and ipv6_gso_segment
directly to have their own callbacks and extend validation to these.
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net: use indirect call wrappers at GRO transport layer2018-12-15T21:23:02ZPaolo Abenipabeni@redhat.com2018-12-14T10:51:59Zurn:sha1:028e0a4766844e7eeb31b93479ea6dd40cfc2895
This avoids an indirect call in the receive path for TCP and UDP
packets. TCP takes precedence on UDP, so that we have a single
additional conditional in the common case.
When IPV6 is build as module, all gro symbols except UDPv6 are
builtin, while the latter belong to the ipv6 module, so we
need some special care.
v1 -> v2:
- adapted to INDIRECT_CALL_ changes
v2 -> v3:
- fix build issue with CONFIG_IPV6=m
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
inet: minor optimization for backlog setting in listen(2)2018-11-08T06:31:07ZYafang Shaolaoar.shao@gmail.com2018-11-07T11:20:16Zurn:sha1:1295e2cf3065a55f35d112e4dfeb2c7322823249
Set the backlog earlier in inet_dccp_listen() and inet_listen(),
then we can avoid the redundant setting.
Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net: provide a sysctl raw_l3mdev_accept for raw socket lookup with VRFs2018-11-08T00:12:38ZMike Manningmmanning@vyatta.att-mail.com2018-11-07T15:36:05Zurn:sha1:6897445fb194c8ad046df4a13e1ee9f080a5a21e
Add a sysctl raw_l3mdev_accept to control raw socket lookup in a manner
similar to use of tcp_l3mdev_accept for stream and of udp_l3mdev_accept
for datagram sockets. Have this default to enabled for reasons of
backwards compatibility. This is so as to specify the output device
with cmsg and IP_PKTINFO, but using a socket not bound to the
corresponding VRF. This allows e.g. older ping implementations to be
run with specifying the device but without executing it in the VRF.
If the option is disabled, packets received in a VRF context are only
handled by a raw socket bound to the VRF, and correspondingly packets
in the default VRF are only handled by a socket not bound to any VRF.
Signed-off-by: Mike Manning <mmanning@vyatta.att-mail.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Tested-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
gso_segment: Reset skb->mac_len after modifying network header2018-09-13T19:09:32ZToke Høiland-Jørgensentoke@toke.dk2018-09-13T14:43:07Zurn:sha1:c56cae23c6b167acc68043c683c4573b80cbcc2c
When splitting a GSO segment that consists of encapsulated packets, the
skb->mac_len of the segments can end up being set wrong, causing packet
drops in particular when using act_mirred and ifb interfaces in
combination with a qdisc that splits GSO packets.
This happens because at the time skb_segment() is called, network_header
will point to the inner header, throwing off the calculation in
skb_reset_mac_len(). The network_header is subsequently adjust by the
outer IP gso_segment handlers, but they don't set the mac_len.
Fix this by adding skb_reset_mac_len() calls to both the IPv4 and IPv6
gso_segment handlers, after they modify the network_header.
Many thanks to Eric Dumazet for his help in identifying the cause of
the bug.
Acked-by: Dave Taht <dave.taht@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
net: ipv4: Control SKB reprioritization after forwarding2018-08-01T16:52:30ZPetr Machatapetrm@mellanox.com2018-07-31T22:36:03Zurn:sha1:432e05d328921c68c35bfdeff7d7b7400b8e3d1a
After IPv4 packets are forwarded, the priority of the corresponding SKB
is updated according to the TOS field of IPv4 header. This overrides any
prioritization done earlier by e.g. an skbedit action or ingress-qos-map
defined at a vlan device.
Such overriding may not always be desirable. Even if the packet ends up
being routed, which implies this is an L3 network node, an administrator
may wish to preserve whatever prioritization was done earlier on in the
pipeline.
Therefore introduce a sysctl that controls this behavior. Keep the
default value at 1 to maintain backward-compatible behavior.
Signed-off-by: Petr Machata <petrm@mellanox.com>
Reviewed-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net: add helpers checking if socket can be bound to nonlocal address2018-08-01T16:50:04ZVincent Bernatvincent@bernat.im2018-07-31T19:18:11Zurn:sha1:83ba4645152d1177c161750e1064e3a8e7cee19b
The construction "net->ipv4.sysctl_ip_nonlocal_bind || inet->freebind
|| inet->transparent" is present three times and its IPv6 counterpart
is also present three times. We introduce two small helpers to
characterize these tests uniformly.
Signed-off-by: Vincent Bernat <vincent@bernat.im>
Signed-off-by: David S. Miller <davem@davemloft.net>
bpf: Add BPF_SOCK_OPS_TCP_LISTEN_CB2018-07-14T22:08:41ZAndrey Ignatovrdna@fb.com2018-07-12T00:33:32Zurn:sha1:f333ee0cdb27ba201e6cc0c99c76b1364aa29b86
Add new TCP-BPF callback that is called on listen(2) right after socket
transition to TCP_LISTEN state.
It fills the gap for listening sockets in TCP-BPF. For example BPF
program can set BPF_SOCK_OPS_STATE_CB_FLAG when socket becomes listening
and track later transition from TCP_LISTEN to TCP_CLOSE with
BPF_SOCK_OPS_STATE_CB callback.
Before there was no way to do it with TCP-BPF and other options were
much harder to work with. E.g. socket state tracking can be done with
tracepoints (either raw or regular) but they can't be attached to cgroup
and their lifetime has to be managed separately.
Signed-off-by: Andrey Ignatov <rdna@fb.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
net: ipv4: listified version of ip_rcv2018-07-04T05:06:20ZEdward Creeecree@solarflare.com2018-07-02T15:14:12Zurn:sha1:17266ee939849cb095ed7dd9edbec4162172226b
Also involved adding a way to run a netfilter hook over a list of packets.
Rather than attempting to make netfilter know about lists (which would be
a major project in itself) we just let it call the regular okfn (in this
case ip_rcv_finish()) for any packets it steals, and have it give us back
a list of packets it's synchronously accepted (which normally NF_HOOK
would automatically call okfn() on, but we want to be able to potentially
pass the list to a listified version of okfn().)
The netfilter hooks themselves are indirect calls that still happen per-
packet (see nf_hook_entry_hookfn()), but again, changing that can be left
for future work.
There is potential for out-of-order receives if the netfilter hook ends up
synchronously stealing packets, as they will be processed before any
accepts earlier in the list. However, it was already possible for an
asynchronous accept to cause out-of-order receives, so presumably this is
considered OK.
Signed-off-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net2018-07-03T01:29:26ZDavid S. Millerdavem@davemloft.net2018-07-03T01:26:50Zurn:sha1:5cd3da4ba2397ef07226ca2aa5094ed21ff8198f
Simple overlapping changes in stmmac driver.
Adjust skb_gro_flush_final_remcsum function signature to make GRO list
changes in net-next, as per Stephen Rothwell's example merge
resolution.
Signed-off-by: David S. Miller <davem@davemloft.net>