From patchwork Tue Oct 15 14:07:51 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Menglong Dong
X-Patchwork-Id: 13836501
X-Patchwork-Delegate: kuba@kernel.org
From: Menglong Dong
To: pabeni@redhat.com
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, roopa@nvidia.com, razor@blackwall.org, gnault@redhat.com, bigeasy@linutronix.de, idosch@nvidia.com, ast@kernel.org, dongml2@chinatelecom.cn, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, bpf@vger.kernel.org
Subject: [PATCH net-next v3 01/10] net: ip: refactor fib_validate_source/__fib_validate_source
Date: Tue, 15 Oct 2024 22:07:51 +0800
Message-Id: <20241015140800.159466-2-dongml2@chinatelecom.cn>
X-Mailer: git-send-email 2.39.5
In-Reply-To: <20241015140800.159466-1-dongml2@chinatelecom.cn>
References: <20241015140800.159466-1-dongml2@chinatelecom.cn>
X-Mailing-List: bpf@vger.kernel.org

The only caller of __fib_validate_source() is fib_validate_source(), so
we can combine fib_validate_source() into __fib_validate_source(), and
make fib_validate_source() an inline call to __fib_validate_source().

This will make it easier to make fib_validate_source() return drop
reasons in the next patch.

Signed-off-by: Menglong Dong
---
 include/net/ip_fib.h | 15 ++++++++--
 net/ipv4/fib_frontend.c | 64 +++++++++++++++++------------------------
 2 files changed, 38 insertions(+), 41 deletions(-)

diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h index b6e44f4eaa4c..90ff815f212b 100644 --- a/include/net/ip_fib.h +++ b/include/net/ip_fib.h @@ -448,9 +448,18 @@ int fib_gw_from_via(struct fib_config *cfg, struct nlattr *nla, struct netlink_ext_ack *extack); __be32 fib_compute_spec_dst(struct sk_buff *skb); bool fib_info_nh_uses_dev(struct fib_info *fi, const struct net_device *dev); -int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, - dscp_t dscp, int oif, struct net_device *dev, - struct in_device *idev, u32 *itag); +int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, + dscp_t dscp, int oif, struct net_device *dev, + struct in_device *idev, u32 *itag); + +static inline int +fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, + dscp_t dscp, int oif, struct net_device *dev, + struct in_device *idev, u32 *itag) +{ + return __fib_validate_source(skb, src, dst, dscp, oif, dev, idev, + itag); +} #ifdef CONFIG_IP_ROUTE_CLASSID static inline int fib_num_tclassid_users(struct net *net) diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c index 8353518b110a..f74138f4d748 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c @@ -341,10 +341,11 @@ EXPORT_SYMBOL_GPL(fib_info_nh_uses_dev); * - check, that packet arrived from expected physical interface. * called with rcu_read_lock() */ -static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, - dscp_t dscp, int oif, struct net_device *dev, - int rpf, struct in_device *idev, u32 *itag) +int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, + dscp_t dscp, int oif, struct net_device *dev, + struct in_device *idev, u32 *itag) { + int rpf = secpath_exists(skb) ? 0 : IN_DEV_RPFILTER(idev); struct net *net = dev_net(dev); struct flow_keys flkeys; int ret, no_addr; 
@@ -352,6 +353,28 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, struct flowi4 fl4; bool dev_match; + /* Ignore rp_filter for packets protected by IPsec. */ + if (!rpf && !fib_num_tclassid_users(net) && + (dev->ifindex != oif || !IN_DEV_TX_REDIRECTS(idev))) { + if (IN_DEV_ACCEPT_LOCAL(idev)) + goto last_resort; + /* with custom local routes in place, checking local addresses + * only will be too optimistic, with custom rules, checking + * local addresses only can be too strict, e.g. due to vrf + */ + if (net->ipv4.fib_has_custom_local_routes || + fib4_has_custom_rules(net)) + goto full_check; + /* Within the same container, it is regarded as a martian source, + * and the same host but different containers are not. + */ + if (inet_lookup_ifaddr_rcu(net, src)) + return -EINVAL; + + goto last_resort; + } + +full_check: fl4.flowi4_oif = 0; fl4.flowi4_l3mdev = l3mdev_master_ifindex_rcu(dev); fl4.flowi4_iif = oif ? : LOOPBACK_IFINDEX; 
@@ -417,41 +440,6 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, return -EXDEV; } -/* Ignore rp_filter for packets protected by IPsec. */ -int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, - dscp_t dscp, int oif, struct net_device *dev, - struct in_device *idev, u32 *itag) -{ - int r = secpath_exists(skb) ? 0 : IN_DEV_RPFILTER(idev); - struct net *net = dev_net(dev); - - if (!r && !fib_num_tclassid_users(net) && - (dev->ifindex != oif || !IN_DEV_TX_REDIRECTS(idev))) { - if (IN_DEV_ACCEPT_LOCAL(idev)) - goto ok; - /* with custom local routes in place, checking local addresses - * only will be too optimistic, with custom rules, checking - * local addresses only can be too strict, e.g. due to vrf - */ - if (net->ipv4.fib_has_custom_local_routes || - fib4_has_custom_rules(net)) - goto full_check; - /* Within the same container, it is regarded as a martian source, - * and the same host but different containers are not. - */ - if (inet_lookup_ifaddr_rcu(net, src)) - return -EINVAL; - -ok: - *itag = 0; - return 0; - } - -full_check: - return __fib_validate_source(skb, src, dst, dscp, oif, dev, r, idev, - itag); -} - static inline __be32 sk_extract_addr(struct sockaddr *addr) { return ((struct sockaddr_in *) addr)->sin_addr.s_addr;
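Review bot: The two prototypes in include/net/ip_fib.h, `__fib_validate_source()` and the new inline `fib_validate_source()`, have identical parameter lists and return types, and nothing in the header says which one a caller should pick. Since the double-underscore function loses `static` in net/ipv4/fib_frontend.c and becomes callable from other files, add a short comment above the inline wrapper saying that it is the intended entry point and that the `called with rcu_read_lock()` requirement from the .c file applies to both.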
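Review bot: In the `@@ -341` hunk of net/ipv4/fib_frontend.c the IPsec exemption now lives in the declaration `int rpf = secpath_exists(skb) ? 0 : IN_DEV_RPFILTER(idev);`, but the comment that explains it, `/* Ignore rp_filter for packets protected by IPsec. */`, ends up in the next hunk above the `if (!rpf && !fib_num_tclassid_users(net) && ...)` shortcut, which it does not describe. Move the comment next to the `rpf` initialisation so that a reader auditing the reverse-path check sees why `rpf` can be 0 for a packet with a secpath.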
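Review bot: The shortcut branch added in the `@@ -352` hunk ends in `goto last_resort` in two places where the removed `fib_validate_source()` jumped to `ok:` and did `*itag = 0; return 0;`. The body of `last_resort` is not part of this diff, so the equivalence cannot be checked from the patch alone. Either state in the commit message that with `rpf == 0` the `last_resort` path still clears `*itag` and returns 0, or keep a local label in the branch that does exactly that.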
From: Menglong Dong
Subject: [PATCH net-next v3 02/10] net: ip: make fib_validate_source() return drop reason
Date: Tue, 15 Oct 2024 22:07:52 +0800
Message-Id: <20241015140800.159466-3-dongml2@chinatelecom.cn>
In-Reply-To: <20241015140800.159466-1-dongml2@chinatelecom.cn>
References: <20241015140800.159466-1-dongml2@chinatelecom.cn>

In this commit, we make __fib_validate_source return -reason instead of
errno on error.

The return value of __fib_validate_source can be -errno, 0, and 1. It's
hard to make __fib_validate_source() return drop reasons directly.

The __fib_validate_source() will return 1 if the scope of the
source (revert) route is HOST. And the __mkroute_input() will mark the skb
with IPSKB_DOREDIRECT in this case (combined with some other conditions).
And then, a REDIRECT ICMP will be sent in ip_forward() if this flag
exists. We can't pass this information to __mkroute_input if we make
__fib_validate_source() return drop reasons.

However, we can make fib_validate_source() return drop reasons, and call
__fib_validate_source() directly in __mkroute_input().

In the original logic, LINUX_MIB_IPRPFILTER will be counted if
__fib_validate_source() returns -EXDEV. And now, we need to adjust it by
checking "reason == SKB_DROP_REASON_IP_RPFILTER".
However, this will take effect only after the patch "net: ip: make
ip_route_input_noref() return drop reasons", as we can't pass the drop
reasons from fib_validate_source() to ip_rcv_finish_core() in this patch.

The following new drop reasons are added in this patch:

  SKB_DROP_REASON_IP_LOCAL_SOURCE
  SKB_DROP_REASON_IP_INVALID_SOURCE

Signed-off-by: Menglong Dong
---
v2:
- make fib_validate_source() return drop reasons, instead of -reason.
---
 include/net/dropreason-core.h | 10 ++++++++++
 include/net/ip_fib.h | 9 ++++++---
 net/ipv4/fib_frontend.c | 19 ++++++++++++------
 net/ipv4/ip_input.c | 4 +---
 net/ipv4/route.c | 37 ++++++++++++++++++++---------------
 5 files changed, 51 insertions(+), 28 deletions(-)

diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h index d59bb96c5a02..62a60be1db84 100644 --- a/include/net/dropreason-core.h +++ b/include/net/dropreason-core.h @@ -76,6 +76,8 @@ FN(INVALID_PROTO) \ FN(IP_INADDRERRORS) \ FN(IP_INNOROUTES) \ + FN(IP_LOCAL_SOURCE) \ + FN(IP_INVALID_SOURCE) \ FN(PKT_TOO_BIG) \ FN(DUP_FRAG) \ FN(FRAG_REASM_TIMEOUT) \ @@ -373,6 +375,14 @@ enum skb_drop_reason { * IPSTATS_MIB_INADDRERRORS */ SKB_DROP_REASON_IP_INNOROUTES, + /** @SKB_DROP_REASON_IP_LOCAL_SOURCE: the source ip is local */ + SKB_DROP_REASON_IP_LOCAL_SOURCE, + /** + * @SKB_DROP_REASON_IP_INVALID_SOURCE: the source ip is invalid: + * 1) source ip is multicast or limited broadcast + * 2) source ip is zero and not IGMP + */ + SKB_DROP_REASON_IP_INVALID_SOURCE, /** * @SKB_DROP_REASON_PKT_TOO_BIG: packet size is too big (maybe exceed the * MTU) diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h index 90ff815f212b..b3f7a1562140 100644 --- a/include/net/ip_fib.h +++ b/include/net/ip_fib.h
@@ -452,13 +452,16 @@ int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, dscp_t dscp, int oif, struct net_device *dev, struct in_device *idev, u32 *itag); -static inline int +static inline enum skb_drop_reason fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, dscp_t dscp, int oif, struct net_device *dev, struct in_device *idev, u32 *itag) { - return __fib_validate_source(skb, src, dst, dscp, oif, dev, idev, - itag); + int err = __fib_validate_source(skb, src, dst, dscp, oif, dev, idev, + itag); + if (err < 0) + return -err; + return SKB_NOT_DROPPED_YET; } #ifdef CONFIG_IP_ROUTE_CLASSID diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c index f74138f4d748..71fa9cee9149 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c @@ -347,6 +347,7 @@ int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, { int rpf = secpath_exists(skb) ? 0 : IN_DEV_RPFILTER(idev); struct net *net = dev_net(dev); + enum skb_drop_reason reason; struct flow_keys flkeys; int ret, no_addr; struct fib_result res; @@ -369,7 +370,7 @@ int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, * and the same host but different containers are not. */ if (inet_lookup_ifaddr_rcu(net, src)) - return -EINVAL; + return -SKB_DROP_REASON_IP_LOCAL_SOURCE; goto last_resort; } @@ -400,9 +401,15 @@ int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, if (fib_lookup(net, &fl4, &res, 0)) goto last_resort; - if (res.type != RTN_UNICAST && - (res.type != RTN_LOCAL || !IN_DEV_ACCEPT_LOCAL(idev))) - goto e_inval; + if (res.type != RTN_UNICAST) { + if (res.type != RTN_LOCAL) { + reason = SKB_DROP_REASON_IP_INVALID_SOURCE; + goto e_inval; + } else if (!IN_DEV_ACCEPT_LOCAL(idev)) { + reason = SKB_DROP_REASON_IP_LOCAL_SOURCE; + goto e_inval; + } + } fib_combine_itag(itag, &res); dev_match = fib_info_nh_uses_dev(res.fi, dev); 
@@ -435,9 +442,9 @@ int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, return 0; e_inval: - return -EINVAL; + return -reason; e_rpf: - return -EXDEV; + return -SKB_DROP_REASON_IP_RPFILTER; } static inline __be32 sk_extract_addr(struct sockaddr *addr) diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c index 89bb63da6852..c40a26972884 100644 --- a/net/ipv4/ip_input.c +++ b/net/ipv4/ip_input.c @@ -425,10 +425,8 @@ static int ip_rcv_finish_core(struct net *net, struct sock *sk, return NET_RX_DROP; drop_error: - if (err == -EXDEV) { - drop_reason = SKB_DROP_REASON_IP_RPFILTER; + if (drop_reason == SKB_DROP_REASON_IP_RPFILTER) __NET_INC_STATS(net, LINUX_MIB_IPRPFILTER); - } goto drop; } diff --git a/net/ipv4/route.c b/net/ipv4/route.c index a0b091a7df87..df5401efbf56 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -1669,7 +1669,7 @@ int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr, dscp_t dscp, struct net_device *dev, struct in_device *in_dev, u32 *itag) { - int err; + enum skb_drop_reason reason; /* Primary sanity checks. */ if (!in_dev) @@ -1687,10 +1687,10 @@ int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr, ip_hdr(skb)->protocol != IPPROTO_IGMP) return -EINVAL; } else { - err = fib_validate_source(skb, saddr, 0, dscp, 0, dev, in_dev, - itag); - if (err < 0) - return err; + reason = fib_validate_source(skb, saddr, 0, dscp, 0, dev, + in_dev, itag); + if (reason) + return -EINVAL; } return 0; } @@ -1785,9 +1785,10 @@ static int __mkroute_input(struct sk_buff *skb, const struct fib_result *res, return -EINVAL; } - err = fib_validate_source(skb, saddr, daddr, dscp, FIB_RES_OIF(*res), - in_dev->dev, in_dev, &itag); + err = __fib_validate_source(skb, saddr, daddr, dscp, FIB_RES_OIF(*res), + in_dev->dev, in_dev, &itag); if (err < 0) { + err = -EINVAL; ip_handle_martian_source(in_dev->dev, in_dev, skb, daddr, saddr); 
@@ -2140,6 +2141,7 @@ int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, struct in_device *in_dev = __in_dev_get_rcu(dev); struct rtable *rt = skb_rtable(hint); struct net *net = dev_net(dev); + enum skb_drop_reason reason; int err = -EINVAL; u32 tag = 0; @@ -2158,9 +2160,9 @@ int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, if (rt->rt_type != RTN_LOCAL) goto skip_validate_source; - err = fib_validate_source(skb, saddr, daddr, dscp, 0, dev, in_dev, - &tag); - if (err < 0) + reason = fib_validate_source(skb, saddr, daddr, dscp, 0, dev, in_dev, + &tag); + if (reason) goto martian_source; skip_validate_source: @@ -2202,6 +2204,7 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, dscp_t dscp, struct net_device *dev, struct fib_result *res) { + enum skb_drop_reason reason = SKB_DROP_REASON_NOT_SPECIFIED; struct in_device *in_dev = __in_dev_get_rcu(dev); struct flow_keys *flkeys = NULL, _flkeys; struct net *net = dev_net(dev); @@ -2296,10 +2299,11 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, goto brd_input; } + err = -EINVAL; if (res->type == RTN_LOCAL) { - err = fib_validate_source(skb, saddr, daddr, dscp, 0, dev, - in_dev, &itag); - if (err < 0) + reason = fib_validate_source(skb, saddr, daddr, dscp, 0, dev, + in_dev, &itag); + if (reason) goto martian_source; goto local_input; } 
@@ -2320,9 +2324,10 @@ out: return err; goto e_inval; if (!ipv4_is_zeronet(saddr)) { - err = fib_validate_source(skb, saddr, 0, dscp, 0, dev, in_dev, - &itag); - if (err < 0) + err = -EINVAL; + reason = fib_validate_source(skb, saddr, 0, dscp, 0, dev, + in_dev, &itag); + if (reason) goto martian_source; } flags |= RTCF_BROADCAST;
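Review bot: The kernel-doc for `SKB_DROP_REASON_IP_INVALID_SOURCE` in include/net/dropreason-core.h lists two cases (multicast or limited broadcast source, zero source that is not IGMP), but the only place this patch assigns it is in `__fib_validate_source()`, when the lookup result is `res.type != RTN_UNICAST` and `res.type != RTN_LOCAL`. Add that case to the comment so that someone reading a drop trace can map the reason back to the reverse-route lookup.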
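Review bot: `return -err;` in the inline `fib_validate_source()` (include/net/ip_fib.h, `@@ -452` hunk) treats every negative return of `__fib_validate_source()` as a negated `enum skb_drop_reason`, and a positive return is folded into `SKB_NOT_DROPPED_YET`. That contract is described only in the commit message. Document it above the `__fib_validate_source()` prototype, because a `return -EINVAL;` or any other errno added to that function later would be reported here as an unrelated drop reason without any compiler warning.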
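Review bot: `enum skb_drop_reason reason;` is declared without an initialiser in net/ipv4/fib_frontend.c and is assigned only in the two branches added under `if (res.type != RTN_UNICAST)` in the `@@ -400` hunk, while `e_inval:` now returns `-reason`. Any `goto e_inval` outside the lines shown in this diff would return an indeterminate value. Initialise the variable at its declaration (for example to `SKB_DROP_REASON_NOT_SPECIFIED`), or return the reason directly from the two branches and drop the label.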
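Review bot: In `ip_rcv_finish_core()` (net/ipv4/ip_input.c) the `drop_error:` path now increments `LINUX_MIB_IPRPFILTER` only when `drop_reason == SKB_DROP_REASON_IP_RPFILTER`, but nothing in this patch sets `drop_reason` from the routing result, and the commit message says that only happens after "net: ip: make ip_route_input_noref() return drop reasons". For every commit in between, reverse-path-filter drops are no longer counted, which hides spoofed-source drops from anyone monitoring that counter on a bisected or partially applied tree. Move this hunk into the later patch, or keep a working condition here until the reason is actually propagated.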
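Review bot: `__mkroute_input()` in net/ipv4/route.c is the one caller switched to `__fib_validate_source()`, and the reason (it needs the positive return that the drop-reason wrapper discards) is given only in the commit message. Add a comment at the call site, and note there that the negative value is a negated drop reason, which is why it is overwritten with `err = -EINVAL;` before being used as an errno.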
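Review bot: `err = -EINVAL;` is placed before `if (res->type == RTN_LOCAL)` in the `@@ -2296` hunk of `ip_route_input_slow()`, so `err` is negative on the success path into `goto local_input` and for the code after the block, where it used to hold the non-negative result of `fib_validate_source()` or its earlier value. Please confirm that `local_input` and the code following the block assign `err` before returning (neither is visible in this diff), or set `err = -EINVAL;` only inside `if (reason)`, next to `goto martian_source`.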
From: Menglong Dong
Subject: [PATCH net-next v3 03/10] net: ip: make ip_route_input_mc() return drop reason
Date: Tue, 15 Oct 2024 22:07:53 +0800
Message-Id: <20241015140800.159466-4-dongml2@chinatelecom.cn>
In-Reply-To: <20241015140800.159466-1-dongml2@chinatelecom.cn>
References: <20241015140800.159466-1-dongml2@chinatelecom.cn>

Make ip_route_input_mc() return drop reason, and adjust the call of it
in ip_route_input_rcu().

Signed-off-by: Menglong Dong
---
 net/ipv4/route.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/net/ipv4/route.c b/net/ipv4/route.c index df5401efbf56..7f989e8eff30 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -1696,8 +1696,9 @@ int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr, } /* called in rcu_read_lock() section */ -static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, - dscp_t dscp, struct net_device *dev, int our) +static enum skb_drop_reason +ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, + dscp_t dscp, struct net_device *dev, int our) { struct in_device *in_dev = __in_dev_get_rcu(dev); unsigned int flags = RTCF_MULTICAST; @@ -1708,7 +1709,7 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, err = ip_mc_validate_source(skb, daddr, saddr, dscp, dev, in_dev, &itag); if (err) - return err; + return SKB_DROP_REASON_NOT_SPECIFIED; if (our) flags |= RTCF_LOCAL; @@ -1719,7 +1720,7 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, rth = rt_dst_alloc(dev_net(dev)->loopback_dev, flags, RTN_MULTICAST, false); if (!rth) - return -ENOBUFS; + return SKB_DROP_REASON_NOMEM; #ifdef CONFIG_IP_ROUTE_CLASSID rth->dst.tclassid = itag; @@ -1735,7 +1736,7 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, skb_dst_drop(skb); skb_dst_set(skb, &rth->dst); - return 0; + return SKB_NOT_DROPPED_YET; } @@ -2433,12 +2434,12 @@ static int ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr, * route cache entry is created eventually. */ if (ipv4_is_multicast(daddr)) { + enum skb_drop_reason reason = SKB_DROP_REASON_NOT_SPECIFIED; struct in_device *in_dev = __in_dev_get_rcu(dev); int our = 0; - int err = -EINVAL; if (!in_dev) - return err; + return -EINVAL; our = ip_check_mc_rcu(in_dev, daddr, saddr, ip_hdr(skb)->protocol);
@@ -2459,10 +2460,10 @@ static int ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr, IN_DEV_MFORWARD(in_dev)) #endif ) { - err = ip_route_input_mc(skb, daddr, saddr, dscp, dev, - our); + reason = ip_route_input_mc(skb, daddr, saddr, dscp, + dev, our); } - return err; + return reason ? -EINVAL : 0; } return ip_route_input_slow(skb, daddr, saddr, dscp, dev, res);
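Review bot: `return SKB_DROP_REASON_NOT_SPECIFIED;` after the `ip_mc_validate_source()` call in `ip_route_input_mc()` (`@@ -1708` hunk) throws away the specific reason. In the previous patch `ip_mc_validate_source()` already collapses the `fib_validate_source()` reason to `-EINVAL`, so a multicast packet rejected for its source address ends up as NOT_SPECIFIED. If a later patch in the series converts `ip_mc_validate_source()` to return a drop reason, say so in the commit message; otherwise convert it here.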
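Review bot: `return reason ? -EINVAL : 0;` in `ip_route_input_rcu()` (`@@ -2459` hunk) changes the errno for allocation failure. `ip_route_input_mc()` used to return `-ENOBUFS` when `rt_dst_alloc()` failed and that value was passed through `return err;`, whereas `SKB_DROP_REASON_NOMEM` is now mapped to `-EINVAL`. If this is a temporary step, mention it in the commit message; if not, map `SKB_DROP_REASON_NOMEM` back to `-ENOBUFS` here.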
From: Menglong Dong X-Google-Original-From: Menglong Dong To: pabeni@redhat.com Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, roopa@nvidia.com, razor@blackwall.org, gnault@redhat.com, bigeasy@linutronix.de, idosch@nvidia.com, ast@kernel.org, dongml2@chinatelecom.cn, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, bpf@vger.kernel.org Subject: [PATCH net-next v3 04/10] net: ip: make ip_mc_validate_source() return drop reason Date: Tue, 15 Oct 2024 22:07:54 +0800 Message-Id: <20241015140800.159466-5-dongml2@chinatelecom.cn> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20241015140800.159466-1-dongml2@chinatelecom.cn> References: <20241015140800.159466-1-dongml2@chinatelecom.cn> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org Make ip_mc_validate_source() return drop reason, and adjust the call of it in ip_route_input_mc(). Another caller of it is ip_rcv_finish_core->udp_v4_early_demux, and the errno is not checked in detail, so we don't do more adjustment for it. The drop reason "SKB_DROP_REASON_IP_LOCALNET" is added in this commit. Signed-off-by: Menglong Dong --- include/net/dropreason-core.h | 3 +++ include/net/route.h | 7 ++++--- net/ipv4/route.c | 35 +++++++++++++++++++---------------- 3 files changed, 26 insertions(+), 19 deletions(-) diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h index 62a60be1db84..a2a1fb90e0e5 100644 --- a/include/net/dropreason-core.h +++ b/include/net/dropreason-core.h @@ -78,6 +78,7 @@ FN(IP_INNOROUTES) \ FN(IP_LOCAL_SOURCE) \ FN(IP_INVALID_SOURCE) \ + FN(IP_LOCALNET) \ FN(PKT_TOO_BIG) \ FN(DUP_FRAG) \ FN(FRAG_REASM_TIMEOUT) \ 
@@ -383,6 +384,8 @@ enum skb_drop_reason { * 2) source ip is zero and not IGMP */ SKB_DROP_REASON_IP_INVALID_SOURCE, + /** @SKB_DROP_REASON_IP_LOCALNET: source or dest ip is local net */ + SKB_DROP_REASON_IP_LOCALNET, /** * @SKB_DROP_REASON_PKT_TOO_BIG: packet size is too big (maybe exceed the * MTU) diff --git a/include/net/route.h b/include/net/route.h index 586e59f7ed8a..a828a17a6313 100644 --- a/include/net/route.h +++ b/include/net/route.h @@ -199,9 +199,10 @@ static inline struct rtable *ip_route_output_gre(struct net *net, struct flowi4 return ip_route_output_key(net, fl4); } -int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr, - dscp_t dscp, struct net_device *dev, - struct in_device *in_dev, u32 *itag); +enum skb_drop_reason +ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr, + dscp_t dscp, struct net_device *dev, + struct in_device *in_dev, u32 *itag); int ip_route_input_noref(struct sk_buff *skb, __be32 daddr, __be32 saddr, dscp_t dscp, struct net_device *dev); int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 7f989e8eff30..917f05a0a5ce 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c 
@@ -1665,34 +1665,37 @@ struct rtable *rt_dst_clone(struct net_device *dev, struct rtable *rt) EXPORT_SYMBOL(rt_dst_clone); /* called in rcu_read_lock() section */ -int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr, - dscp_t dscp, struct net_device *dev, - struct in_device *in_dev, u32 *itag) +enum skb_drop_reason +ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr, + dscp_t dscp, struct net_device *dev, + struct in_device *in_dev, u32 *itag) { enum skb_drop_reason reason; /* Primary sanity checks. */ if (!in_dev) - return -EINVAL; + return SKB_DROP_REASON_NOT_SPECIFIED; - if (ipv4_is_multicast(saddr) || ipv4_is_lbcast(saddr) || - skb->protocol != htons(ETH_P_IP)) - return -EINVAL; + if (ipv4_is_multicast(saddr) || ipv4_is_lbcast(saddr)) + return SKB_DROP_REASON_IP_INVALID_SOURCE; + + if (skb->protocol != htons(ETH_P_IP)) + return SKB_DROP_REASON_INVALID_PROTO; if (ipv4_is_loopback(saddr) && !IN_DEV_ROUTE_LOCALNET(in_dev)) - return -EINVAL; + return SKB_DROP_REASON_IP_LOCALNET; if (ipv4_is_zeronet(saddr)) { if (!ipv4_is_local_multicast(daddr) && ip_hdr(skb)->protocol != IPPROTO_IGMP) - return -EINVAL; + return SKB_DROP_REASON_IP_INVALID_SOURCE; } else { reason = fib_validate_source(skb, saddr, 0, dscp, 0, dev, in_dev, itag); if (reason) - return -EINVAL; + return reason; } - return 0; + return SKB_NOT_DROPPED_YET; } /* called in rcu_read_lock() section */ 
@@ -1702,14 +1705,14 @@ ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, { struct in_device *in_dev = __in_dev_get_rcu(dev); unsigned int flags = RTCF_MULTICAST; + enum skb_drop_reason reason; struct rtable *rth; u32 itag = 0; - int err; - err = ip_mc_validate_source(skb, daddr, saddr, dscp, dev, in_dev, - &itag); - if (err) - return SKB_DROP_REASON_NOT_SPECIFIED; + reason = ip_mc_validate_source(skb, daddr, saddr, dscp, dev, in_dev, + &itag); + if (reason) + return reason; if (our) flags |= RTCF_LOCAL; From patchwork Tue Oct 15 14:07:55 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Menglong Dong X-Patchwork-Id: 13836505 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-pl1-f194.google.com (mail-pl1-f194.google.com [209.85.214.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5169E1C07F2; Tue, 15 Oct 2024 14:08:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.194 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729001329; cv=none; b=mVBb2V6FYvznR6/d9IKRqqvVJbGhbnTYSzZEd3jASkiWwWTc6TvMcc5U3fZjBV8YqhZsYh0lPS8eM0CnN8xUoiEsAMtnQuqw+v2670lRoXfQ/vFZhi49ocyd04PqxCeNMRF1rHovhr9vLUepuWAgr4izg3+uP9jvHwyErV/w0WM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729001329; c=relaxed/simple; bh=GsA6FtIUwBo1zKJkXqIxOwVFmX5xaSmglrhE3X/0RBA=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=GOt/0TcpDXmwr2D5JETmK0OMfXScAsk+9NmbvqHIOJNhBAxuM0kdaoF2yZrUYh+/o9g4m2+kJ9zmTTAt2MXFYRuYbYtSjIaE4lwlB6KgMDzA9eRcIfyQtr8FRjhNNrNpBrqJTsPEWzbX3UrQzfHlEYniZdKOR+EZsCq4yeOiSTQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) 
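Review bot: the kernel-doc added for SKB_DROP_REASON_IP_LOCALNET in include/net/dropreason-core.h ("source or dest ip is local net") does not describe the condition that is tested. In this patch the reason is returned only for `ipv4_is_loopback(saddr) && !IN_DEV_ROUTE_LOCALNET(in_dev)`, so the comment should name both the loopback range and the route_localnet setting, for example "source or dest ip is a loopback address and route_localnet is not enabled", so that whoever reads a drop trace knows which knob is involved.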
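Review bot: the ip_mc_validate_source() hunk in net/ipv4/route.c switches every failure return from a negative errno to a positive enum value, while the second caller named in the commit message (ip_rcv_finish_core->udp_v4_early_demux) is left untouched. Please confirm that path only tests the result for non-zero: a `< 0` test anywhere along it would start treating packets that failed source validation as accepted. If the check is already a plain non-zero test, saying so in the commit message is more precise than "the errno is not checked in detail".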
From: Menglong Dong X-Google-Original-From: Menglong Dong To: pabeni@redhat.com Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, roopa@nvidia.com, razor@blackwall.org, gnault@redhat.com, bigeasy@linutronix.de, idosch@nvidia.com, ast@kernel.org, dongml2@chinatelecom.cn, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, bpf@vger.kernel.org Subject: [PATCH net-next v3 05/10] net: ip: make ip_route_input_slow() return drop reasons Date: Tue, 15 Oct 2024 22:07:55 +0800 Message-Id: <20241015140800.159466-6-dongml2@chinatelecom.cn> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20241015140800.159466-1-dongml2@chinatelecom.cn> References: <20241015140800.159466-1-dongml2@chinatelecom.cn> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org In this commit, we make ip_route_input_slow() return skb drop reasons, and following new skb drop reasons are added: SKB_DROP_REASON_IP_INVALID_DEST The only caller of ip_route_input_slow() is ip_route_input_rcu(), and we adjust it by making it return -EINVAL on error. Signed-off-by: Menglong Dong --- include/net/dropreason-core.h | 6 ++++ net/ipv4/route.c | 55 ++++++++++++++++++++++------------- 2 files changed, 40 insertions(+), 21 deletions(-) diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h index a2a1fb90e0e5..74624d369d48 100644 --- a/include/net/dropreason-core.h +++ b/include/net/dropreason-core.h @@ -79,6 +79,7 @@ FN(IP_LOCAL_SOURCE) \ FN(IP_INVALID_SOURCE) \ FN(IP_LOCALNET) \ + FN(IP_INVALID_DEST) \ FN(PKT_TOO_BIG) \ FN(DUP_FRAG) \ FN(FRAG_REASM_TIMEOUT) \ 
@@ -386,6 +387,11 @@ enum skb_drop_reason { SKB_DROP_REASON_IP_INVALID_SOURCE, /** @SKB_DROP_REASON_IP_LOCALNET: source or dest ip is local net */ SKB_DROP_REASON_IP_LOCALNET, + /** + * @SKB_DROP_REASON_IP_INVALID_DEST: the dest ip is invalid: + * 1) dest ip is 0 + */ + SKB_DROP_REASON_IP_INVALID_DEST, /** * @SKB_DROP_REASON_PKT_TOO_BIG: packet size is too big (maybe exceed the * MTU) diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 917f05a0a5ce..33bf83bcccdb 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -2204,9 +2204,10 @@ static struct net_device *ip_rt_get_dev(struct net *net, * called with rcu_read_lock() */ -static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, - dscp_t dscp, struct net_device *dev, - struct fib_result *res) +static enum skb_drop_reason +ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, + dscp_t dscp, struct net_device *dev, + struct fib_result *res) { enum skb_drop_reason reason = SKB_DROP_REASON_NOT_SPECIFIED; struct in_device *in_dev = __in_dev_get_rcu(dev); @@ -2236,8 +2237,10 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, fl4.flowi4_tun_key.tun_id = 0; skb_dst_drop(skb); - if (ipv4_is_multicast(saddr) || ipv4_is_lbcast(saddr)) + if (ipv4_is_multicast(saddr) || ipv4_is_lbcast(saddr)) { + reason = SKB_DROP_REASON_IP_INVALID_SOURCE; goto martian_source; + } res->fi = NULL; res->table = NULL; 
@@ -2247,21 +2250,29 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, /* Accept zero addresses only to limited broadcast; * I even do not know to fix it or not. Waiting for complains :-) */ - if (ipv4_is_zeronet(saddr)) + if (ipv4_is_zeronet(saddr)) { + reason = SKB_DROP_REASON_IP_INVALID_SOURCE; goto martian_source; + } - if (ipv4_is_zeronet(daddr)) + if (ipv4_is_zeronet(daddr)) { + reason = SKB_DROP_REASON_IP_INVALID_DEST; goto martian_destination; + } /* Following code try to avoid calling IN_DEV_NET_ROUTE_LOCALNET(), * and call it once if daddr or/and saddr are loopback addresses */ if (ipv4_is_loopback(daddr)) { - if (!IN_DEV_NET_ROUTE_LOCALNET(in_dev, net)) + if (!IN_DEV_NET_ROUTE_LOCALNET(in_dev, net)) { + reason = SKB_DROP_REASON_IP_LOCALNET; goto martian_destination; + } } else if (ipv4_is_loopback(saddr)) { - if (!IN_DEV_NET_ROUTE_LOCALNET(in_dev, net)) + if (!IN_DEV_NET_ROUTE_LOCALNET(in_dev, net)) { + reason = SKB_DROP_REASON_IP_LOCALNET; goto martian_source; + } } /* @@ -2316,19 +2327,25 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, err = -EHOSTUNREACH; goto no_route; } - if (res->type != RTN_UNICAST) + if (res->type != RTN_UNICAST) { + reason = SKB_DROP_REASON_IP_INVALID_DEST; goto martian_destination; + } make_route: err = ip_mkroute_input(skb, res, in_dev, daddr, saddr, dscp, flkeys); -out: return err; + if (!err) + reason = SKB_NOT_DROPPED_YET; + +out: return reason; brd_input: - if (skb->protocol != htons(ETH_P_IP)) - goto e_inval; + if (skb->protocol != htons(ETH_P_IP)) { + reason = SKB_DROP_REASON_INVALID_PROTO; + goto out; + } if (!ipv4_is_zeronet(saddr)) { - err = -EINVAL; reason = fib_validate_source(skb, saddr, 0, dscp, 0, dev, in_dev, &itag); if (reason) @@ -2349,7 +2366,7 @@ out: return err; rth = rcu_dereference(nhc->nhc_rth_input); if (rt_cache_valid(rth)) { skb_dst_set_noref(skb, &rth->dst); - err = 0; + reason = SKB_NOT_DROPPED_YET; goto out; } } 
@@ -2386,7 +2403,7 @@ out: return err; rt_add_uncached_list(rth); } skb_dst_set(skb, &rth->dst); - err = 0; + reason = SKB_NOT_DROPPED_YET; goto out; no_route: @@ -2407,12 +2424,8 @@ out: return err; &daddr, &saddr, dev->name); #endif -e_inval: - err = -EINVAL; - goto out; - e_nobufs: - err = -ENOBUFS; + reason = SKB_DROP_REASON_NOMEM; goto out; martian_source: 
@@ -2469,7 +2482,7 @@ static int ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr, return reason ? -EINVAL : 0; } - return ip_route_input_slow(skb, daddr, saddr, dscp, dev, res); + return ip_route_input_slow(skb, daddr, saddr, dscp, dev, res) ? -EINVAL : 0; } int ip_route_input_noref(struct sk_buff *skb, __be32 daddr, __be32 saddr, From patchwork Tue Oct 15 14:07:56 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Menglong Dong X-Patchwork-Id: 13836506 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-pl1-f195.google.com (mail-pl1-f195.google.com [209.85.214.195]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A55E01EF092; Tue, 15 Oct 2024 14:08:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.195 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729001336; cv=none; b=usYBJBqDfkdkAv1AQ+bY8qrrqpuEPMeIR1vItC+Jm2m1s2fXP6mJ2w/PnkjDbxQ9EgEqkDZTNuP7r9/c2ftzesATSf6wQxFsX8O388hT5lF19qkLVsRfgb3SKQWoMgokk2hjp1bQSHnfUkqN5dvG2VmSzsv6EPoJzI5sNzRkUtk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729001336; c=relaxed/simple; bh=lZdovlYfC6CbOD44SDy1x+Dvebj19MuTrfjxQ1Wc7DY=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=rD7xOgzE7Pv5DlVSHE9fcLHfksmzoRRuHH41YZq664fj7ZQRL048wpSDazmOf7Ln4ftQ+K0YrxIunoi+zHrjxOTesoQIo3RVY3p/49AQRiUJOcydFjpS7BVdA6W75n1ApBwr9ubolWwTGXnqj6dv+zXOd5zKl9YfiCX/dPe01Yc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Q3OQt+r7; arc=none smtp.client-ip=209.85.214.195 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) 
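Review bot: the kernel-doc for SKB_DROP_REASON_IP_INVALID_DEST lists a single case ("1) dest ip is 0"), but the route.c part of this same patch also assigns it on `if (res->type != RTN_UNICAST)` before `goto martian_destination`. Add that case to the comment as item 2 so the documented meaning matches both places where the reason is produced.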
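Review bot: at the make_route label in ip_route_input_slow(), a failing ip_mkroute_input() leaves `reason` untouched (`if (!err) reason = SKB_NOT_DROPPED_YET;`), so the result on that path depends on `reason` still holding its SKB_DROP_REASON_NOT_SPECIFIED initializer. The same variable also receives the result of fib_validate_source() elsewhere in the function; if a later change lets a zero value from such a call reach make_route, the failure would be returned to the caller as success. Set the reason explicitly on the error branch, for example `reason = err ? SKB_DROP_REASON_NOT_SPECIFIED : SKB_NOT_DROPPED_YET;`, and drop the `err = -EHOSTUNREACH` assignment above it if nothing reads it any more.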
From: Menglong Dong X-Google-Original-From: Menglong Dong To: pabeni@redhat.com Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, roopa@nvidia.com, razor@blackwall.org, gnault@redhat.com, bigeasy@linutronix.de, idosch@nvidia.com, ast@kernel.org, dongml2@chinatelecom.cn, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, bpf@vger.kernel.org Subject: [PATCH net-next v3 06/10] net: ip: make ip_route_input_rcu() return drop reasons Date: Tue, 15 Oct 2024 22:07:56 +0800 Message-Id: <20241015140800.159466-7-dongml2@chinatelecom.cn> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20241015140800.159466-1-dongml2@chinatelecom.cn> References: <20241015140800.159466-1-dongml2@chinatelecom.cn> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org In this commit, we make ip_route_input_rcu() return drop reasons, which come from ip_route_input_mc() and ip_route_input_slow(). The only caller of ip_route_input_rcu() is ip_route_input_noref(). We adjust it by making it return -EINVAL on error and ignore the reasons that ip_route_input_rcu() returns. In the following patch, we will make ip_route_input_noref() returns the drop reasons. Signed-off-by: Menglong Dong --- net/ipv4/route.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 33bf83bcccdb..8ac298d69c8c 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c 
@@ -2434,9 +2434,10 @@ out: return reason; } /* called with rcu_read_lock held */ -static int ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr, - dscp_t dscp, struct net_device *dev, - struct fib_result *res) +static enum skb_drop_reason +ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr, + dscp_t dscp, struct net_device *dev, + struct fib_result *res) { /* Multicast recognition logic is moved from route cache to here. * The problem was that too many Ethernet cards have broken/missing @@ -2479,23 +2480,23 @@ static int ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr, reason = ip_route_input_mc(skb, daddr, saddr, dscp, dev, our); } - return reason ? -EINVAL : 0; + return reason; } - return ip_route_input_slow(skb, daddr, saddr, dscp, dev, res) ? -EINVAL : 0; + return ip_route_input_slow(skb, daddr, saddr, dscp, dev, res); } int ip_route_input_noref(struct sk_buff *skb, __be32 daddr, __be32 saddr, dscp_t dscp, struct net_device *dev) { + enum skb_drop_reason reason; struct fib_result res; - int err; rcu_read_lock(); - err = ip_route_input_rcu(skb, daddr, saddr, dscp, dev, &res); + reason = ip_route_input_rcu(skb, daddr, saddr, dscp, dev, &res); rcu_read_unlock(); - return err; + return reason ? -EINVAL : 0; } EXPORT_SYMBOL(ip_route_input_noref); 
@@ -3308,6 +3309,7 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh, err = ip_route_input_rcu(skb, dst, src, inet_dsfield_to_dscp(rtm->rtm_tos), dev, &res); + err = err ? -EINVAL : 0; rt = skb_rtable(skb); if (err == 0 && rt->dst.error) From patchwork Tue Oct 15 14:07:57 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Menglong Dong X-Patchwork-Id: 13836507 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-pl1-f193.google.com (mail-pl1-f193.google.com [209.85.214.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 608D11C4A21; Tue, 15 Oct 2024 14:09:01 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.193 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729001342; cv=none; b=QKZ7OA+tpS2SfKVjmLjS4yokW64LcSIbPnjOMeQoikE92+8keQLoHynUP0wQuIN6HNitKeuDO3K/cMP2yo3NsH0nXnU+SVTI56fmueqPWhktJdH+RtAqoX+VTOuF1pHQelji/S39ECgXyf5cHymZiEG4tlnSbisi6YOEh+EPIl0= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729001342; c=relaxed/simple; bh=OoQOAY2OIjU+qz6vqbbMH8cX0fA2TJvTDpTKEyg2OEU=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=bmMgUrK2hxSaN2IfrPkoA+XvBlGmM8oAe1/hw+cq32ksUu+ijBkEnxiEEWcI6OjS0vY+PKoZ5Wh3t9WcEEZIbp3XjgIIc7nSmbNp+VqDp0tkvmy1BLJxFdhRs8ogeL5N5ab7wNdaOxoobUXg/3+ZGBDjs2B/M0zkYODUgMR5IL0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=kBPEZnqt; arc=none smtp.client-ip=209.85.214.193 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass 
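Review bot: in the inet_rtm_getroute() hunk, `err` (an int that holds errnos in the rest of the function) is first assigned the enum skb_drop_reason returned by ip_route_input_rcu() and then rewritten by `err = err ? -EINVAL : 0;`. Mixing the two value spaces in one variable is easy to get wrong on a later edit, for example if a check is inserted between the two lines. Use a separate `enum skb_drop_reason reason` local for the call, as the ip_route_input_noref() hunk of this patch does, and derive `err` from it in one step.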
From: Menglong Dong X-Google-Original-From: Menglong Dong To: pabeni@redhat.com Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, roopa@nvidia.com, razor@blackwall.org, gnault@redhat.com, bigeasy@linutronix.de, idosch@nvidia.com, ast@kernel.org, dongml2@chinatelecom.cn, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, bpf@vger.kernel.org Subject: [PATCH net-next v3 07/10] net: ip: make ip_route_input_noref() return drop reasons Date: Tue, 15 Oct 2024 22:07:57 +0800 Message-Id: <20241015140800.159466-8-dongml2@chinatelecom.cn> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20241015140800.159466-1-dongml2@chinatelecom.cn> References: <20241015140800.159466-1-dongml2@chinatelecom.cn> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org In this commit, we make ip_route_input_noref() return drop reasons, which come from ip_route_input_rcu(). We need adjust the callers of ip_route_input_noref() to make sure the return value of ip_route_input_noref() is used properly. The errno that ip_route_input_noref() returns comes from ip_route_input and bpf_lwt_input_reroute in the origin logic, and we make them return -EINVAL on error instead. In the following patch, we will make ip_route_input() returns drop reasons too. Signed-off-by: Menglong Dong --- include/net/route.h | 15 ++++++++------- net/core/lwt_bpf.c | 1 + net/ipv4/ip_fragment.c | 12 +++++++----- net/ipv4/ip_input.c | 7 ++++--- net/ipv4/route.c | 7 ++++--- 5 files changed, 24 insertions(+), 18 deletions(-) diff --git a/include/net/route.h b/include/net/route.h index a828a17a6313..11674f7c6be6 100644 --- a/include/net/route.h +++ b/include/net/route.h 
@@ -203,8 +203,9 @@ enum skb_drop_reason ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr, dscp_t dscp, struct net_device *dev, struct in_device *in_dev, u32 *itag); -int ip_route_input_noref(struct sk_buff *skb, __be32 daddr, __be32 saddr, - dscp_t dscp, struct net_device *dev); +enum skb_drop_reason +ip_route_input_noref(struct sk_buff *skb, __be32 daddr, __be32 saddr, + dscp_t dscp, struct net_device *dev); int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, dscp_t dscp, struct net_device *dev, const struct sk_buff *hint); @@ -212,18 +213,18 @@ int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, static inline int ip_route_input(struct sk_buff *skb, __be32 dst, __be32 src, dscp_t dscp, struct net_device *devin) { - int err; + enum skb_drop_reason reason; rcu_read_lock(); - err = ip_route_input_noref(skb, dst, src, dscp, devin); - if (!err) { + reason = ip_route_input_noref(skb, dst, src, dscp, devin); + if (!reason) { skb_dst_force(skb); if (!skb_dst(skb)) - err = -EINVAL; + reason = SKB_DROP_REASON_NOT_SPECIFIED; } rcu_read_unlock(); - return err; + return reason ? -EINVAL : 0; } void ipv4_update_pmtu(struct sk_buff *skb, struct net *net, u32 mtu, int oif, diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c index e0ca24a58810..a4652f2a103a 100644 --- a/net/core/lwt_bpf.c +++ b/net/core/lwt_bpf.c @@ -98,6 +98,7 @@ static int bpf_lwt_input_reroute(struct sk_buff *skb) skb_dst_drop(skb); err = ip_route_input_noref(skb, iph->daddr, iph->saddr, ip4h_dscp(iph), dev); + err = err ? -EINVAL : 0; dev_put(dev); } else if (skb->protocol == htons(ETH_P_IPV6)) { skb_dst_drop(skb); diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c index 48e2810f1f27..52b991e976ba 100644 --- a/net/ipv4/ip_fragment.c +++ b/net/ipv4/ip_fragment.c 
@@ -132,12 +132,12 @@ static bool frag_expire_skip_icmp(u32 user) */ static void ip_expire(struct timer_list *t) { + enum skb_drop_reason reason = SKB_DROP_REASON_FRAG_REASM_TIMEOUT; struct inet_frag_queue *frag = from_timer(frag, t, timer); const struct iphdr *iph; struct sk_buff *head = NULL; struct net *net; struct ipq *qp; - int err; qp = container_of(frag, struct ipq, q); net = qp->q.fqdir->net; @@ -175,10 +175,12 @@ static void ip_expire(struct timer_list *t) /* skb has no dst, perform route lookup again */ iph = ip_hdr(head); - err = ip_route_input_noref(head, iph->daddr, iph->saddr, ip4h_dscp(iph), - head->dev); - if (err) + reason = ip_route_input_noref(head, iph->daddr, iph->saddr, + ip4h_dscp(iph), head->dev); + if (reason) goto out; + else + reason = SKB_DROP_REASON_FRAG_REASM_TIMEOUT; /* Only an end host needs to send an ICMP * "Fragment Reassembly Timeout" message, per RFC792. @@ -195,7 +197,7 @@ static void ip_expire(struct timer_list *t) spin_unlock(&qp->q.lock); out_rcu_unlock: rcu_read_unlock(); - kfree_skb_reason(head, SKB_DROP_REASON_FRAG_REASM_TIMEOUT); + kfree_skb_reason(head, reason); ipq_put(qp); } diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c index c40a26972884..513eb0c6435a 100644 --- a/net/ipv4/ip_input.c +++ b/net/ipv4/ip_input.c @@ -362,10 +362,11 @@ static int ip_rcv_finish_core(struct net *net, struct sock *sk, * how the packet travels inside Linux networking. */ if (!skb_valid_dst(skb)) { - err = ip_route_input_noref(skb, iph->daddr, iph->saddr, - ip4h_dscp(iph), dev); - if (unlikely(err)) + drop_reason = ip_route_input_noref(skb, iph->daddr, iph->saddr, + ip4h_dscp(iph), dev); + if (unlikely(drop_reason)) goto drop_error; + drop_reason = SKB_DROP_REASON_NOT_SPECIFIED; } else { struct in_device *in_dev = __in_dev_get_rcu(dev); diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 8ac298d69c8c..86a964734b1d 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c 
@@ -2486,8 +2486,9 @@ ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr, return ip_route_input_slow(skb, daddr, saddr, dscp, dev, res); } -int ip_route_input_noref(struct sk_buff *skb, __be32 daddr, __be32 saddr, - dscp_t dscp, struct net_device *dev) +enum skb_drop_reason ip_route_input_noref(struct sk_buff *skb, __be32 daddr, + __be32 saddr, dscp_t dscp, + struct net_device *dev) { enum skb_drop_reason reason; struct fib_result res; 
@@ -2496,7 +2497,7 @@ int ip_route_input_noref(struct sk_buff *skb, __be32 daddr, __be32 saddr, reason = ip_route_input_rcu(skb, daddr, saddr, dscp, dev, &res); rcu_read_unlock(); - return reason ? -EINVAL : 0; + return reason; } EXPORT_SYMBOL(ip_route_input_noref);
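
Review bot: In ip_expire() (net/ipv4/ip_fragment.c), a failed route lookup now jumps to out with the lookup's reason, so kfree_skb_reason(head, reason) no longer reports SKB_DROP_REASON_FRAG_REASM_TIMEOUT for that fragment queue. The skb is being freed because reassembly timed out; the lookup failure only means the ICMP message cannot be sent, and anyone counting FRAG_REASM_TIMEOUT drops from the kfree_skb tracepoint will undercount. Consider keeping the lookup result in a separate local and leaving the free reason alone, or state in the commit message that the change is intended. The `else` after `goto out` is also redundant; a plain assignment after the `if` does the same.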
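
Review bot: ip_route_input_noref() is exported (EXPORT_SYMBOL at the end of the net/ipv4/route.c hunk) and its failure value changes from a negative errno to a positive enum skb_drop_reason, yet neither the definition nor the prototype in include/net/route.h gets a comment stating the new contract. A caller that tests the result with `< 0` would now treat every failure as success, and the compiler will not warn because the enum converts silently to int, as the `err = ip_route_input_noref(...)` assignment in bpf_lwt_input_reroute() shows. Please document the return value and confirm in the commit message that all callers were audited; in bpf_lwt_input_reroute() a local `enum skb_drop_reason reason` converted once to `err` would read better than reusing `err` for both meanings.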

From: Menglong Dong
To: pabeni@redhat.com
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, roopa@nvidia.com, razor@blackwall.org, gnault@redhat.com, bigeasy@linutronix.de, idosch@nvidia.com, ast@kernel.org, dongml2@chinatelecom.cn, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, bpf@vger.kernel.org
Subject: [PATCH net-next v3 08/10] net: ip: make ip_route_input() return drop reasons
Date: Tue, 15 Oct 2024 22:07:58 +0800
Message-Id: <20241015140800.159466-9-dongml2@chinatelecom.cn>
In-Reply-To: <20241015140800.159466-1-dongml2@chinatelecom.cn>
References: <20241015140800.159466-1-dongml2@chinatelecom.cn>

In this commit, we make ip_route_input() return skb drop reasons that come from ip_route_input_noref(). Meanwhile, adjust all the calls to it.

Signed-off-by: Menglong Dong --- include/net/route.h | 7 ++++--- net/bridge/br_netfilter_hooks.c | 11 ++++++----- net/ipv4/icmp.c | 1 + 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/include/net/route.h b/include/net/route.h index 11674f7c6be6..f4ab5412c9c9 100644 --- a/include/net/route.h +++ b/include/net/route.h @@ -210,8 +210,9 @@ int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, dscp_t dscp, struct net_device *dev, const struct sk_buff *hint); -static inline int ip_route_input(struct sk_buff *skb, __be32 dst, __be32 src, - dscp_t dscp, struct net_device *devin) +static inline enum skb_drop_reason +ip_route_input(struct sk_buff *skb, __be32 dst, __be32 src, dscp_t dscp, + struct net_device *devin) { enum skb_drop_reason reason; @@ -224,7 +225,7 @@ static inline int ip_route_input(struct sk_buff *skb, __be32 dst, __be32 src, } rcu_read_unlock(); - return reason ? -EINVAL : 0; + return reason; } void ipv4_update_pmtu(struct sk_buff *skb, struct net *net, u32 mtu, int oif, diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c index 17a5f5923d61..110cffc24a1d 100644 --- a/net/bridge/br_netfilter_hooks.c +++ b/net/bridge/br_netfilter_hooks.c @@ -373,8 +373,8 @@ static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_ struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); struct net_device *dev = skb->dev, *br_indev; const struct iphdr *iph = ip_hdr(skb); + enum skb_drop_reason reason; struct rtable *rt; - int err; br_indev = nf_bridge_get_physindev(skb, net); if (!br_indev) { 
@@ -390,9 +390,9 @@ static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_ } nf_bridge->in_prerouting = 0; if (br_nf_ipv4_daddr_was_changed(skb, nf_bridge)) { - err = ip_route_input(skb, iph->daddr, iph->saddr, - ip4h_dscp(iph), dev); - if (err) { + reason = ip_route_input(skb, iph->daddr, iph->saddr, + ip4h_dscp(iph), dev); + if (reason) { struct in_device *in_dev = __in_dev_get_rcu(dev); /* If err equals -EHOSTUNREACH the error is due to a @@ -402,7 +402,8 @@ static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_ * martian destinations: loopback destinations and destination * 0.0.0.0. In both cases the packet will be dropped because the * destination is the loopback device and not the bridge. */ - if (err != -EHOSTUNREACH || !in_dev || IN_DEV_FORWARD(in_dev)) + if (reason != SKB_DROP_REASON_IP_INADDRERRORS || !in_dev || + IN_DEV_FORWARD(in_dev)) goto free_skb; rt = ip_route_output(net, iph->daddr, 0, diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index 23664434922e..c3bafff093e0 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c 
@@ -546,6 +546,7 @@ static struct rtable *icmp_route_lookup(struct net *net, struct flowi4 *fl4, skb_dst_set(skb_in, NULL); err = ip_route_input(skb_in, fl4_dec.daddr, fl4_dec.saddr, dscp, rt2->dst.dev); + err = err ? -EINVAL : 0; dst_release(&rt2->dst); rt2 = skb_rtable(skb_in);
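
Review bot: In br_nf_pre_routing_finish() the test changes from `err != -EHOSTUNREACH` to `reason != SKB_DROP_REASON_IP_INADDRERRORS`, but the comment above it still reads "If err equals -EHOSTUNREACH", and nothing in the patch or commit message states that IP_INADDRERRORS is returned in exactly the cases that used to yield -EHOSTUNREACH. This condition decides whether the packet is freed or retried through ip_route_output(), so the mapping deserves a sentence in the commit message and an updated comment. Note also that after 07/10 ip_route_input() returned only 0 or -EINVAL (`return reason ? -EINVAL : 0;`), so within this series the ip_route_output() fallback only becomes reachable again with this patch, a behaviour change the commit message does not mention.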

From: Menglong Dong
To: pabeni@redhat.com
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, roopa@nvidia.com, razor@blackwall.org, gnault@redhat.com, bigeasy@linutronix.de, idosch@nvidia.com, ast@kernel.org, dongml2@chinatelecom.cn, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, bpf@vger.kernel.org
Subject: [PATCH net-next v3 09/10] net: ip: make ip_mkroute_input/__mkroute_input return drop reasons
Date: Tue, 15 Oct 2024 22:07:59 +0800
Message-Id: <20241015140800.159466-10-dongml2@chinatelecom.cn>
In-Reply-To: <20241015140800.159466-1-dongml2@chinatelecom.cn>
References: <20241015140800.159466-1-dongml2@chinatelecom.cn>

In this commit, we make ip_mkroute_input() and __mkroute_input() return drop reasons. The drop reason "SKB_DROP_REASON_ARP_PVLAN_DISABLE" is introduced for the case: the packet which is not IP is forwarded to the in_dev, and the proxy_arp_pvlan is not enabled. This name is ugly, and I have not figured out a suitable name for this case yet :/

Signed-off-by: Menglong Dong --- include/net/dropreason-core.h | 7 +++++++ net/ipv4/route.c | 35 +++++++++++++++++++---------------- 2 files changed, 26 insertions(+), 16 deletions(-) diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h index 74624d369d48..6c5a1ea209a2 100644 --- a/include/net/dropreason-core.h +++ b/include/net/dropreason-core.h @@ -104,6 +104,7 @@ FN(IP_TUNNEL_ECN) \ FN(TUNNEL_TXINFO) \ FN(LOCAL_MAC) \ + FN(ARP_PVLAN_DISABLE) \ FNe(MAX) /** 
@@ -477,6 +478,12 @@ enum skb_drop_reason { * the MAC address of the local netdev. */ SKB_DROP_REASON_LOCAL_MAC, + /** + * @SKB_DROP_REASON_ARP_PVLAN_DISABLE: packet which is not IP is + * forwarded to the in_dev, and the proxy_arp_pvlan is not + * enabled. + */ + SKB_DROP_REASON_ARP_PVLAN_DISABLE, /** * @SKB_DROP_REASON_MAX: the maximum of core drop reasons, which * shouldn't be used as a real 'reason' - only for tracing code gen diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 86a964734b1d..cb6beb270265 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -1769,10 +1769,12 @@ static void ip_handle_martian_source(struct net_device *dev, } /* called in rcu_read_lock() section */ -static int __mkroute_input(struct sk_buff *skb, const struct fib_result *res, - struct in_device *in_dev, __be32 daddr, - __be32 saddr, dscp_t dscp) +static enum skb_drop_reason +__mkroute_input(struct sk_buff *skb, const struct fib_result *res, + struct in_device *in_dev, __be32 daddr, + __be32 saddr, dscp_t dscp) { + enum skb_drop_reason reason = SKB_DROP_REASON_NOT_SPECIFIED; struct fib_nh_common *nhc = FIB_RES_NHC(*res); struct net_device *dev = nhc->nhc_dev; struct fib_nh_exception *fnhe; @@ -1786,13 +1788,13 @@ static int __mkroute_input(struct sk_buff *skb, const struct fib_result *res, out_dev = __in_dev_get_rcu(dev); if (!out_dev) { net_crit_ratelimited("Bug in ip_route_input_slow(). Please report.\n"); - return -EINVAL; + return reason; } err = __fib_validate_source(skb, saddr, daddr, dscp, FIB_RES_OIF(*res), in_dev->dev, in_dev, &itag); if (err < 0) { - err = -EINVAL; + reason = -err; ip_handle_martian_source(in_dev->dev, in_dev, skb, daddr, saddr); @@ -1820,7 +1822,8 @@ static int __mkroute_input(struct sk_buff *skb, const struct fib_result *res, */ if (out_dev == in_dev && IN_DEV_PROXY_ARP_PVLAN(in_dev) == 0) { - err = -EINVAL; + /* what do we name this situation? */ + reason = SKB_DROP_REASON_ARP_PVLAN_DISABLE; goto cleanup; } } 
@@ -1843,7 +1846,7 @@ static int __mkroute_input(struct sk_buff *skb, const struct fib_result *res, rth = rt_dst_alloc(out_dev->dev, 0, res->type, IN_DEV_ORCONF(out_dev, NOXFRM)); if (!rth) { - err = -ENOBUFS; + reason = SKB_DROP_REASON_NOMEM; goto cleanup; } @@ -1857,9 +1860,9 @@ static int __mkroute_input(struct sk_buff *skb, const struct fib_result *res, lwtunnel_set_redirect(&rth->dst); skb_dst_set(skb, &rth->dst); out: - err = 0; - cleanup: - return err; + reason = SKB_NOT_DROPPED_YET; +cleanup: + return reason; } #ifdef CONFIG_IP_ROUTE_MULTIPATH @@ -2117,9 +2120,10 @@ int fib_multipath_hash(const struct net *net, const struct flowi4 *fl4, } #endif /* CONFIG_IP_ROUTE_MULTIPATH */ -static int ip_mkroute_input(struct sk_buff *skb, struct fib_result *res, - struct in_device *in_dev, __be32 daddr, - __be32 saddr, dscp_t dscp, struct flow_keys *hkeys) +static enum skb_drop_reason +ip_mkroute_input(struct sk_buff *skb, struct fib_result *res, + struct in_device *in_dev, __be32 daddr, + __be32 saddr, dscp_t dscp, struct flow_keys *hkeys) { #ifdef CONFIG_IP_ROUTE_MULTIPATH if (res->fi && fib_info_num_path(res->fi) > 1) { 
@@ -2333,9 +2337,8 @@ ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, } make_route: - err = ip_mkroute_input(skb, res, in_dev, daddr, saddr, dscp, flkeys); - if (!err) - reason = SKB_NOT_DROPPED_YET; + reason = ip_mkroute_input(skb, res, in_dev, daddr, saddr, dscp, + flkeys); out: return reason;
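
Review bot: In __mkroute_input(), `reason = -err;` assumes that __fib_validate_source() returns a negated skb_drop_reason on failure, but that convention is not visible anywhere in this patch; the only check on the value is `if (err < 0)`. If the helper can ever return an ordinary negative errno, the negation produces a number that is not a valid drop reason and it is handed straight up through ip_mkroute_input() to ip_route_input_slow(). Please add a comment at the assignment naming the helper's return convention, or have the helper return the enum directly so the sign flip disappears.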
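
Review bot: SKB_DROP_REASON_ARP_PVLAN_DISABLE is added with an open question left in the code (`/* what do we name this situation? */`) in the __mkroute_input() hunk that sets it. The name is added to the FN() list in include/net/dropreason-core.h, which that header's own comment ties to tracing code generation, so it should be settled before the patch is applied rather than renamed later. Please resolve the name, remove the question comment, and word the kernel-doc in terms of the check that is actually visible here, `out_dev == in_dev && IN_DEV_PROXY_ARP_PVLAN(in_dev) == 0`.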

From: Menglong Dong
To: pabeni@redhat.com
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, roopa@nvidia.com, razor@blackwall.org, gnault@redhat.com, bigeasy@linutronix.de, idosch@nvidia.com, ast@kernel.org, dongml2@chinatelecom.cn, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, bpf@vger.kernel.org
Subject: [PATCH net-next v3 10/10] net: ip: make ip_route_use_hint() return drop reasons
Date: Tue, 15 Oct 2024 22:08:00 +0800
Message-Id: <20241015140800.159466-11-dongml2@chinatelecom.cn>
In-Reply-To: <20241015140800.159466-1-dongml2@chinatelecom.cn>
References: <20241015140800.159466-1-dongml2@chinatelecom.cn>

In this commit, we make ip_route_use_hint() return drop reasons. The drop reasons that we return are similar to what we do in ip_route_input_slow(), and no drop reasons are added in this commit.

Signed-off-by: Menglong Dong --- include/net/route.h | 7 ++++--- net/ipv4/ip_input.c | 9 ++++----- net/ipv4/route.c | 26 ++++++++++++++++---------- 3 files changed, 24 insertions(+), 18 deletions(-) diff --git a/include/net/route.h b/include/net/route.h index f4ab5412c9c9..4debc335d276 100644 --- a/include/net/route.h +++ b/include/net/route.h 
@@ -206,9 +206,10 @@ ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr, enum skb_drop_reason ip_route_input_noref(struct sk_buff *skb, __be32 daddr, __be32 saddr, dscp_t dscp, struct net_device *dev); -int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, - dscp_t dscp, struct net_device *dev, - const struct sk_buff *hint); +enum skb_drop_reason +ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, + dscp_t dscp, struct net_device *dev, + const struct sk_buff *hint); static inline enum skb_drop_reason ip_route_input(struct sk_buff *skb, __be32 dst, __be32 src, dscp_t dscp, diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c index 513eb0c6435a..f0a4dda246ab 100644 --- a/net/ipv4/ip_input.c +++ b/net/ipv4/ip_input.c @@ -322,15 +322,14 @@ static int ip_rcv_finish_core(struct net *net, struct sock *sk, int err, drop_reason; struct rtable *rt; - drop_reason = SKB_DROP_REASON_NOT_SPECIFIED; - if (ip_can_use_hint(skb, iph, hint)) { - err = ip_route_use_hint(skb, iph->daddr, iph->saddr, - ip4h_dscp(iph), dev, hint); - if (unlikely(err)) + drop_reason = ip_route_use_hint(skb, iph->daddr, iph->saddr, + ip4h_dscp(iph), dev, hint); + if (unlikely(drop_reason)) goto drop_error; } + drop_reason = SKB_DROP_REASON_NOT_SPECIFIED; if (READ_ONCE(net->ipv4.sysctl_ip_early_demux) && !skb_dst(skb) && !skb->sk && diff --git a/net/ipv4/route.c b/net/ipv4/route.c index cb6beb270265..fe57f6abf53e 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c 
@@ -2142,28 +2142,34 @@ ip_mkroute_input(struct sk_buff *skb, struct fib_result *res, * assuming daddr is valid and the destination is not a local broadcast one. * Uses the provided hint instead of performing a route lookup. */ -int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, - dscp_t dscp, struct net_device *dev, - const struct sk_buff *hint) +enum skb_drop_reason +ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, + dscp_t dscp, struct net_device *dev, + const struct sk_buff *hint) { + enum skb_drop_reason reason = SKB_DROP_REASON_NOT_SPECIFIED; struct in_device *in_dev = __in_dev_get_rcu(dev); struct rtable *rt = skb_rtable(hint); struct net *net = dev_net(dev); - enum skb_drop_reason reason; - int err = -EINVAL; u32 tag = 0; if (!in_dev) - return -EINVAL; + return reason; - if (ipv4_is_multicast(saddr) || ipv4_is_lbcast(saddr)) + if (ipv4_is_multicast(saddr) || ipv4_is_lbcast(saddr)) { + reason = SKB_DROP_REASON_IP_INVALID_SOURCE; goto martian_source; + } - if (ipv4_is_zeronet(saddr)) + if (ipv4_is_zeronet(saddr)) { + reason = SKB_DROP_REASON_IP_INVALID_SOURCE; goto martian_source; + } - if (ipv4_is_loopback(saddr) && !IN_DEV_NET_ROUTE_LOCALNET(in_dev, net)) + if (ipv4_is_loopback(saddr) && !IN_DEV_NET_ROUTE_LOCALNET(in_dev, net)) { + reason = SKB_DROP_REASON_IP_LOCALNET; goto martian_source; + } if (rt->rt_type != RTN_LOCAL) goto skip_validate_source; @@ -2179,7 +2185,7 @@ int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, martian_source: ip_handle_martian_source(dev, in_dev, skb, daddr, saddr); - return err; + return reason; } /* get device for dst_alloc with local routes */
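
Review bot: In ip_rcv_finish_core() (net/ipv4/ip_input.c), `drop_reason` is still declared in `int err, drop_reason;` although it now receives the enum from ip_route_use_hint() as well as from ip_route_input_noref(). Declaring it as `enum skb_drop_reason` would make the type match what is assigned, and it is worth checking whether `err` still has a user in this function after both conversions. Moving the SKB_DROP_REASON_NOT_SPECIFIED reset below the hint block looks right, since a successful hint lookup leaves drop_reason at zero and later drop paths need a non-zero default.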
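
Review bot: In ip_route_use_hint() (net/ipv4/route.c), the multicast/limited-broadcast check and the zeronet check now each open a block only to assign the same SKB_DROP_REASON_IP_INVALID_SOURCE before `goto martian_source`. Folding them into one condition (`ipv4_is_multicast(saddr) || ipv4_is_lbcast(saddr) || ipv4_is_zeronet(saddr)`) removes the duplication. The early `if (!in_dev) return reason;` also now reports SKB_DROP_REASON_NOT_SPECIFIED where the old code returned -EINVAL; if that is the intended reason for a missing in_device, a short comment would help.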