From patchwork Thu Oct 24 09:33:40 2024
X-Patchwork-Submitter: Menglong Dong
X-Patchwork-Id: 13848621
X-Patchwork-Delegate: kuba@kernel.org
From: Menglong Dong
To: pabeni@redhat.com
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, roopa@nvidia.com, razor@blackwall.org, gnault@redhat.com, bigeasy@linutronix.de, idosch@nvidia.com, ast@kernel.org, dongml2@chinatelecom.cn, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, bpf@vger.kernel.org
Subject: [PATCH bpf-next v4 1/9] net: ip: make fib_validate_source() support drop reasons
Date: Thu, 24 Oct 2024 17:33:40 +0800
Message-Id: <20241024093348.353245-2-dongml2@chinatelecom.cn>
In-Reply-To: <20241024093348.353245-1-dongml2@chinatelecom.cn>
References: <20241024093348.353245-1-dongml2@chinatelecom.cn>

In this commit, we make fib_validate_source() and __fib_validate_source() return -reason instead of errno on error.

The return value of fib_validate_source can be -errno, 0, and 1. It's hard to make fib_validate_source() return drop reasons directly.

The fib_validate_source() will return 1 if the scope of the source (revert) route is HOST. And the __mkroute_input() will mark the skb with IPSKB_DOREDIRECT in this case (combined with some other conditions). And then, a REDIRECT ICMP will be sent in ip_forward() if this flag exists. We can't pass this information to __mkroute_input if we make fib_validate_source() return drop reasons.

Therefore, we introduce the wrapper fib_validate_source_reason() for fib_validate_source(), which will return the drop reasons on error.

In the original logic, LINUX_MIB_IPRPFILTER will be counted if fib_validate_source() returns -EXDEV. And now, we need to adjust it by checking "reason == SKB_DROP_REASON_IP_RPFILTER".
However, this will take effect only after the patch "net: ip: make ip_route_input_noref() return drop reasons", as we can't pass the drop reasons from fib_validate_source() to ip_rcv_finish_core() in this patch.

The following new drop reasons are added in this patch:

  SKB_DROP_REASON_IP_LOCAL_SOURCE
  SKB_DROP_REASON_IP_INVALID_SOURCE

Signed-off-by: Menglong Dong
---
v4:
- don't refactor fib_validate_source/__fib_validate_source, and introduce
  a wrapper for fib_validate_source() instead.
v2:
- make fib_validate_source() return drop reasons, instead of -reason.
---
 include/net/dropreason-core.h | 10 ++++++++++
 include/net/ip_fib.h          | 12 ++++++++++++
 net/ipv4/fib_frontend.c       | 17 ++++++++++++-----
 net/ipv4/ip_input.c           |  4 +---
 net/ipv4/route.c              | 33 +++++++++++++++++++--------------
 5 files changed, 54 insertions(+), 22 deletions(-)

diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h index d59bb96c5a02..62a60be1db84 100644 --- a/include/net/dropreason-core.h +++ b/include/net/dropreason-core.h @@ -76,6 +76,8 @@ FN(INVALID_PROTO) \ FN(IP_INADDRERRORS) \ FN(IP_INNOROUTES) \ + FN(IP_LOCAL_SOURCE) \ + FN(IP_INVALID_SOURCE) \ FN(PKT_TOO_BIG) \ FN(DUP_FRAG) \ FN(FRAG_REASM_TIMEOUT) \ @@ -373,6 +375,14 @@ enum skb_drop_reason { * IPSTATS_MIB_INADDRERRORS */ SKB_DROP_REASON_IP_INNOROUTES, + /** @SKB_DROP_REASON_IP_LOCAL_SOURCE: the source ip is local */ + SKB_DROP_REASON_IP_LOCAL_SOURCE, + /** + * @SKB_DROP_REASON_IP_INVALID_SOURCE: the source ip is invalid: + * 1) source ip is multicast or limited broadcast + * 2) source ip is zero and not IGMP + */ + SKB_DROP_REASON_IP_INVALID_SOURCE, /** * @SKB_DROP_REASON_PKT_TOO_BIG: packet size is too big (maybe exceed the * MTU) diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h index b6e44f4eaa4c..a113c11ab56b 100644 --- a/include/net/ip_fib.h +++ b/include/net/ip_fib.h
@@ -452,6 +452,18 @@ int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, dscp_t dscp, int oif, struct net_device *dev, struct in_device *idev, u32 *itag); +static inline enum skb_drop_reason +fib_validate_source_reason(struct sk_buff *skb, __be32 src, __be32 dst, + dscp_t dscp, int oif, struct net_device *dev, + struct in_device *idev, u32 *itag) +{ + int err = fib_validate_source(skb, src, dst, dscp, oif, dev, idev, + itag); + if (err < 0) + return -err; + return SKB_NOT_DROPPED_YET; +} + #ifdef CONFIG_IP_ROUTE_CLASSID static inline int fib_num_tclassid_users(struct net *net) { diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c index 53bd26315df5..99dddfab95b9 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c @@ -346,6 +346,7 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, int rpf, struct in_device *idev, u32 *itag) { struct net *net = dev_net(dev); + enum skb_drop_reason reason; struct flow_keys flkeys; int ret, no_addr; struct fib_result res; @@ -377,9 +378,15 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, if (fib_lookup(net, &fl4, &res, 0)) goto last_resort; - if (res.type != RTN_UNICAST && - (res.type != RTN_LOCAL || !IN_DEV_ACCEPT_LOCAL(idev))) - goto e_inval; + if (res.type != RTN_UNICAST) { + if (res.type != RTN_LOCAL) { + reason = SKB_DROP_REASON_IP_INVALID_SOURCE; + goto e_inval; + } else if (!IN_DEV_ACCEPT_LOCAL(idev)) { + reason = SKB_DROP_REASON_IP_LOCAL_SOURCE; + goto e_inval; + } + } fib_combine_itag(itag, &res); dev_match = fib_info_nh_uses_dev(res.fi, dev); @@ -412,9 +419,9 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, return 0; e_inval: - return -EINVAL; + return -reason; e_rpf: - return -EXDEV; + return -SKB_DROP_REASON_IP_RPFILTER; } /* Ignore rp_filter for packets protected by IPsec. */ diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c index 89bb63da6852..c40a26972884 100644 
--- a/net/ipv4/ip_input.c +++ b/net/ipv4/ip_input.c @@ -425,10 +425,8 @@ static int ip_rcv_finish_core(struct net *net, struct sock *sk, return NET_RX_DROP; drop_error: - if (err == -EXDEV) { - drop_reason = SKB_DROP_REASON_IP_RPFILTER; + if (drop_reason == SKB_DROP_REASON_IP_RPFILTER) __NET_INC_STATS(net, LINUX_MIB_IPRPFILTER); - } goto drop; } diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 18a08b4f4a5a..3e7a3e947b7d 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -1669,7 +1669,7 @@ int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr, dscp_t dscp, struct net_device *dev, struct in_device *in_dev, u32 *itag) { - int err; + enum skb_drop_reason reason; /* Primary sanity checks. */ if (!in_dev) @@ -1687,10 +1687,10 @@ int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr, ip_hdr(skb)->protocol != IPPROTO_IGMP) return -EINVAL; } else { - err = fib_validate_source(skb, saddr, 0, dscp, 0, dev, in_dev, - itag); - if (err < 0) - return err; + reason = fib_validate_source_reason(skb, saddr, 0, dscp, 0, + dev, in_dev, itag); + if (reason) + return -EINVAL; } return 0; } @@ -1788,6 +1788,7 @@ static int __mkroute_input(struct sk_buff *skb, const struct fib_result *res, err = fib_validate_source(skb, saddr, daddr, dscp, FIB_RES_OIF(*res), in_dev->dev, in_dev, &itag); if (err < 0) { + err = -EINVAL; ip_handle_martian_source(in_dev->dev, in_dev, skb, daddr, saddr); @@ -2140,6 +2141,7 @@ int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, struct in_device *in_dev = __in_dev_get_rcu(dev); struct rtable *rt = skb_rtable(hint); struct net *net = dev_net(dev); + enum skb_drop_reason reason; int err = -EINVAL; u32 tag = 0; 
@@ -2158,9 +2160,9 @@ int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, if (rt->rt_type != RTN_LOCAL) goto skip_validate_source; - err = fib_validate_source(skb, saddr, daddr, dscp, 0, dev, in_dev, - &tag); - if (err < 0) + reason = fib_validate_source_reason(skb, saddr, daddr, dscp, 0, dev, + in_dev, &tag); + if (reason) goto martian_source; skip_validate_source: @@ -2202,6 +2204,7 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, dscp_t dscp, struct net_device *dev, struct fib_result *res) { + enum skb_drop_reason reason = SKB_DROP_REASON_NOT_SPECIFIED; struct in_device *in_dev = __in_dev_get_rcu(dev); struct flow_keys *flkeys = NULL, _flkeys; struct net *net = dev_net(dev); @@ -2296,10 +2299,11 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, goto brd_input; } + err = -EINVAL; if (res->type == RTN_LOCAL) { - err = fib_validate_source(skb, saddr, daddr, dscp, 0, dev, - in_dev, &itag); - if (err < 0) + reason = fib_validate_source_reason(skb, saddr, daddr, dscp, + 0, dev, in_dev, &itag); + if (reason) goto martian_source; goto local_input; } 
@@ -2320,9 +2324,10 @@ out: return err; goto e_inval; if (!ipv4_is_zeronet(saddr)) { - err = fib_validate_source(skb, saddr, 0, dscp, 0, dev, in_dev, - &itag); - if (err < 0) + err = -EINVAL; + reason = fib_validate_source_reason(skb, saddr, 0, dscp, 0, + dev, in_dev, &itag); + if (reason) goto martian_source; } flags |= RTCF_BROADCAST;
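Review bot: in patch 1/9, include/net/dropreason-core.h, the kernel-doc for SKB_DROP_REASON_IP_INVALID_SOURCE lists only "multicast or limited broadcast" and "zero and not IGMP", but the one place this patch assigns it is __fib_validate_source(), when the FIB lookup on the source returns a type that is neither RTN_UNICAST nor RTN_LOCAL. Add that case to the comment so the documented meaning matches what this patch actually reports.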
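Review bot: in patch 1/9, fib_validate_source_reason() in include/net/ip_fib.h turns every negative return into a reason with "return -err;", so it is only correct if no errno can still come out of fib_validate_source(). The fib_frontend.c hunks convert only the e_inval and e_rpf labels of __fib_validate_source(); any "return -EINVAL" left in fib_validate_source() itself would surface as an unrelated enum skb_drop_reason value. Audit those returns, and add a comment on the fib_validate_source() prototype stating that negative values are now -reason rather than -errno.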
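Review bot: in patch 1/9, __fib_validate_source() declares "enum skb_drop_reason reason;" without an initializer while the e_inval label now returns "-reason". That is well defined only because both "goto e_inval" sites in the @@ -377 hunk assign it first. Initialize it to SKB_DROP_REASON_NOT_SPECIFIED, or return directly from the two branches and drop the label, so a later "goto e_inval" cannot return an indeterminate value.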
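Review bot: in patch 1/9, the drop_error path of ip_rcv_finish_core() switches from "err == -EXDEV" to "drop_reason == SKB_DROP_REASON_IP_RPFILTER", but the commit message states that the reason does not reach this function until a later patch, and the route.c hunks overwrite the error with -EINVAL. Between the two patches rp_filter drops are not counted in LINUX_MIB_IPRPFILTER, which hurts bisection of anything that watches that counter. Move this hunk into the patch that makes ip_route_input_noref() return drop reasons.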
From: Menglong Dong
To: pabeni@redhat.com
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, roopa@nvidia.com, razor@blackwall.org, gnault@redhat.com, bigeasy@linutronix.de, idosch@nvidia.com, ast@kernel.org, dongml2@chinatelecom.cn, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, bpf@vger.kernel.org
Subject: [PATCH bpf-next v4 2/9] net: ip: make ip_route_input_mc() return drop reason
Date: Thu, 24 Oct 2024 17:33:41 +0800
Message-Id: <20241024093348.353245-3-dongml2@chinatelecom.cn>
In-Reply-To: <20241024093348.353245-1-dongml2@chinatelecom.cn>
References: <20241024093348.353245-1-dongml2@chinatelecom.cn>

Make ip_route_input_mc() return drop reason, and adjust the call of it in ip_route_input_rcu().
Signed-off-by: Menglong Dong
---
 net/ipv4/route.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 3e7a3e947b7d..e579fe5bd3d3 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -1696,8 +1696,9 @@ int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr, } /* called in rcu_read_lock() section */ -static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, - dscp_t dscp, struct net_device *dev, int our) +static enum skb_drop_reason +ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, + dscp_t dscp, struct net_device *dev, int our) { struct in_device *in_dev = __in_dev_get_rcu(dev); unsigned int flags = RTCF_MULTICAST; @@ -1708,7 +1709,7 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, err = ip_mc_validate_source(skb, daddr, saddr, dscp, dev, in_dev, &itag); if (err) - return err; + return SKB_DROP_REASON_NOT_SPECIFIED; if (our) flags |= RTCF_LOCAL; @@ -1719,7 +1720,7 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, rth = rt_dst_alloc(dev_net(dev)->loopback_dev, flags, RTN_MULTICAST, false); if (!rth) - return -ENOBUFS; + return SKB_DROP_REASON_NOMEM; #ifdef CONFIG_IP_ROUTE_CLASSID rth->dst.tclassid = itag; @@ -1735,7 +1736,7 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, skb_dst_drop(skb); skb_dst_set(skb, &rth->dst); - return 0; + return SKB_NOT_DROPPED_YET; } @@ -2433,12 +2434,12 @@ static int ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr, * route cache entry is created eventually. */ if (ipv4_is_multicast(daddr)) { + enum skb_drop_reason reason = SKB_DROP_REASON_NOT_SPECIFIED; struct in_device *in_dev = __in_dev_get_rcu(dev); int our = 0; - int err = -EINVAL; if (!in_dev) - return err; + return -EINVAL; our = ip_check_mc_rcu(in_dev, daddr, saddr, ip_hdr(skb)->protocol);
@@ -2459,10 +2460,10 @@ static int ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr, IN_DEV_MFORWARD(in_dev)) #endif ) { - err = ip_route_input_mc(skb, daddr, saddr, dscp, dev, - our); + reason = ip_route_input_mc(skb, daddr, saddr, dscp, + dev, our); } - return err; + return reason ? -EINVAL : 0; } return ip_route_input_slow(skb, daddr, saddr, dscp, dev, res);
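Review bot: in patch 2/9, "return reason ? -EINVAL : 0;" in ip_route_input_rcu() reports every ip_route_input_mc() failure as -EINVAL, including the rt_dst_alloc() failure that used to return -ENOBUFS and is now SKB_DROP_REASON_NOMEM. Callers that previously saw -ENOBUFS now see -EINVAL, and the commit message does not mention the change. Either map SKB_DROP_REASON_NOMEM back to -ENOBUFS here until the callers consume a reason, or state the errno change in the changelog.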
From: Menglong Dong
To: pabeni@redhat.com
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, roopa@nvidia.com, razor@blackwall.org, gnault@redhat.com, bigeasy@linutronix.de, idosch@nvidia.com, ast@kernel.org, dongml2@chinatelecom.cn, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, bpf@vger.kernel.org
Subject: [PATCH bpf-next v4 3/9] net: ip: make ip_mc_validate_source() return drop reason
Date: Thu, 24 Oct 2024 17:33:42 +0800
Message-Id: <20241024093348.353245-4-dongml2@chinatelecom.cn>
In-Reply-To: <20241024093348.353245-1-dongml2@chinatelecom.cn>
References: <20241024093348.353245-1-dongml2@chinatelecom.cn>

Make ip_mc_validate_source() return drop reason, and adjust the call of it in ip_route_input_mc().

Another caller of it is ip_rcv_finish_core->udp_v4_early_demux, and the errno is not checked in detail, so we don't do more adjustment for it.

The drop reason "SKB_DROP_REASON_IP_LOCALNET" is added in this commit.

Signed-off-by: Menglong Dong
---
 include/net/dropreason-core.h |  3 +++
 include/net/route.h           |  7 ++++---
 net/ipv4/route.c              | 35 +++++++++++++++++++----------------
 3 files changed, 26 insertions(+), 19 deletions(-)

diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h index 62a60be1db84..a2a1fb90e0e5 100644 --- a/include/net/dropreason-core.h +++ b/include/net/dropreason-core.h @@ -78,6 +78,7 @@ FN(IP_INNOROUTES) \ FN(IP_LOCAL_SOURCE) \ FN(IP_INVALID_SOURCE) \ + FN(IP_LOCALNET) \ FN(PKT_TOO_BIG) \ FN(DUP_FRAG) \ FN(FRAG_REASM_TIMEOUT) \
@@ -383,6 +384,8 @@ enum skb_drop_reason { * 2) source ip is zero and not IGMP */ SKB_DROP_REASON_IP_INVALID_SOURCE, + /** @SKB_DROP_REASON_IP_LOCALNET: source or dest ip is local net */ + SKB_DROP_REASON_IP_LOCALNET, /** * @SKB_DROP_REASON_PKT_TOO_BIG: packet size is too big (maybe exceed the * MTU) diff --git a/include/net/route.h b/include/net/route.h index 586e59f7ed8a..a828a17a6313 100644 --- a/include/net/route.h +++ b/include/net/route.h @@ -199,9 +199,10 @@ static inline struct rtable *ip_route_output_gre(struct net *net, struct flowi4 return ip_route_output_key(net, fl4); } -int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr, - dscp_t dscp, struct net_device *dev, - struct in_device *in_dev, u32 *itag); +enum skb_drop_reason +ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr, + dscp_t dscp, struct net_device *dev, + struct in_device *in_dev, u32 *itag); int ip_route_input_noref(struct sk_buff *skb, __be32 daddr, __be32 saddr, dscp_t dscp, struct net_device *dev); int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, diff --git a/net/ipv4/route.c b/net/ipv4/route.c index e579fe5bd3d3..61e316f93291 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c 
@@ -1665,34 +1665,37 @@ struct rtable *rt_dst_clone(struct net_device *dev, struct rtable *rt) EXPORT_SYMBOL(rt_dst_clone); /* called in rcu_read_lock() section */ -int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr, - dscp_t dscp, struct net_device *dev, - struct in_device *in_dev, u32 *itag) +enum skb_drop_reason +ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr, + dscp_t dscp, struct net_device *dev, + struct in_device *in_dev, u32 *itag) { enum skb_drop_reason reason; /* Primary sanity checks. */ if (!in_dev) - return -EINVAL; + return SKB_DROP_REASON_NOT_SPECIFIED; - if (ipv4_is_multicast(saddr) || ipv4_is_lbcast(saddr) || - skb->protocol != htons(ETH_P_IP)) - return -EINVAL; + if (ipv4_is_multicast(saddr) || ipv4_is_lbcast(saddr)) + return SKB_DROP_REASON_IP_INVALID_SOURCE; + + if (skb->protocol != htons(ETH_P_IP)) + return SKB_DROP_REASON_INVALID_PROTO; if (ipv4_is_loopback(saddr) && !IN_DEV_ROUTE_LOCALNET(in_dev)) - return -EINVAL; + return SKB_DROP_REASON_IP_LOCALNET; if (ipv4_is_zeronet(saddr)) { if (!ipv4_is_local_multicast(daddr) && ip_hdr(skb)->protocol != IPPROTO_IGMP) - return -EINVAL; + return SKB_DROP_REASON_IP_INVALID_SOURCE; } else { reason = fib_validate_source_reason(skb, saddr, 0, dscp, 0, dev, in_dev, itag); if (reason) - return -EINVAL; + return reason; } - return 0; + return SKB_NOT_DROPPED_YET; } /* called in rcu_read_lock() section */ 
@@ -1702,14 +1705,14 @@ ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, { struct in_device *in_dev = __in_dev_get_rcu(dev); unsigned int flags = RTCF_MULTICAST; + enum skb_drop_reason reason; struct rtable *rth; u32 itag = 0; - int err; - err = ip_mc_validate_source(skb, daddr, saddr, dscp, dev, in_dev, - &itag); - if (err) - return SKB_DROP_REASON_NOT_SPECIFIED; + reason = ip_mc_validate_source(skb, daddr, saddr, dscp, dev, in_dev, + &itag); + if (reason) + return reason; if (our) flags |= RTCF_LOCAL;
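Review bot: in patch 3/9, include/net/dropreason-core.h, the kernel-doc "source or dest ip is local net" for SKB_DROP_REASON_IP_LOCALNET does not say what "local net" means, and the only use added here is the "ipv4_is_loopback(saddr) && !IN_DEV_ROUTE_LOCALNET(in_dev)" check in ip_mc_validate_source(). Word the comment in terms of a loopback address seen on a device for which IN_DEV_ROUTE_LOCALNET() is false, so the reason can be interpreted without reading route.c.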
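Review bot: in patch 3/9, the prototype change in include/net/route.h makes ip_mc_validate_source() return a positive enum skb_drop_reason where it used to return a negative errno, yet only route.c is updated. The commit message names udp_v4_early_demux as another caller and leaves it alone; confirm that it only tests the result for non-zero and never propagates it as an errno, and either say so explicitly in the commit message or convert the value at that call site.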
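Review bot: in patch 3/9, the zero-source branch of ip_mc_validate_source() returns SKB_DROP_REASON_IP_INVALID_SOURCE only when "!ipv4_is_local_multicast(daddr)" also holds, while the kernel-doc for that reason says just "source ip is zero and not IGMP". Update the comment to mention the destination condition so the documentation and the check agree.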
From: Menglong Dong X-Google-Original-From: Menglong Dong To: pabeni@redhat.com Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, roopa@nvidia.com, razor@blackwall.org, gnault@redhat.com, bigeasy@linutronix.de, idosch@nvidia.com, ast@kernel.org, dongml2@chinatelecom.cn, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, bpf@vger.kernel.org Subject: [PATCH bpf-next v4 4/9] net: ip: make ip_route_input_slow() return drop reasons Date: Thu, 24 Oct 2024 17:33:43 +0800 Message-Id: <20241024093348.353245-5-dongml2@chinatelecom.cn> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20241024093348.353245-1-dongml2@chinatelecom.cn> References: <20241024093348.353245-1-dongml2@chinatelecom.cn> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: bpf@iogearbox.net In this commit, we make ip_route_input_slow() return skb drop reasons, and following new skb drop reasons are added: SKB_DROP_REASON_IP_INVALID_DEST The only caller of ip_route_input_slow() is ip_route_input_rcu(), and we adjust it by making it return -EINVAL on error. Signed-off-by: Menglong Dong --- v4: - use indentation after the out label --- include/net/dropreason-core.h | 6 ++++ net/ipv4/route.c | 56 ++++++++++++++++++++++------------- 2 files changed, 41 insertions(+), 21 deletions(-) diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h index a2a1fb90e0e5..74624d369d48 100644 --- a/include/net/dropreason-core.h +++ b/include/net/dropreason-core.h @@ -79,6 +79,7 @@ FN(IP_LOCAL_SOURCE) \ FN(IP_INVALID_SOURCE) \ FN(IP_LOCALNET) \ + FN(IP_INVALID_DEST) \ FN(PKT_TOO_BIG) \ FN(DUP_FRAG) \ FN(FRAG_REASM_TIMEOUT) \ 
@@ -386,6 +387,11 @@ enum skb_drop_reason { SKB_DROP_REASON_IP_INVALID_SOURCE, /** @SKB_DROP_REASON_IP_LOCALNET: source or dest ip is local net */ SKB_DROP_REASON_IP_LOCALNET, + /** + * @SKB_DROP_REASON_IP_INVALID_DEST: the dest ip is invalid: + * 1) dest ip is 0 + */ + SKB_DROP_REASON_IP_INVALID_DEST, /** * @SKB_DROP_REASON_PKT_TOO_BIG: packet size is too big (maybe exceed the * MTU) diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 61e316f93291..7976f687d039 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -2204,9 +2204,10 @@ static struct net_device *ip_rt_get_dev(struct net *net, * called with rcu_read_lock() */ -static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, - dscp_t dscp, struct net_device *dev, - struct fib_result *res) +static enum skb_drop_reason +ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, + dscp_t dscp, struct net_device *dev, + struct fib_result *res) { enum skb_drop_reason reason = SKB_DROP_REASON_NOT_SPECIFIED; struct in_device *in_dev = __in_dev_get_rcu(dev); @@ -2236,8 +2237,10 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, fl4.flowi4_tun_key.tun_id = 0; skb_dst_drop(skb); - if (ipv4_is_multicast(saddr) || ipv4_is_lbcast(saddr)) + if (ipv4_is_multicast(saddr) || ipv4_is_lbcast(saddr)) { + reason = SKB_DROP_REASON_IP_INVALID_SOURCE; goto martian_source; + } res->fi = NULL; res->table = NULL; 
@@ -2247,21 +2250,29 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, /* Accept zero addresses only to limited broadcast; * I even do not know to fix it or not. Waiting for complains :-) */ - if (ipv4_is_zeronet(saddr)) + if (ipv4_is_zeronet(saddr)) { + reason = SKB_DROP_REASON_IP_INVALID_SOURCE; goto martian_source; + } - if (ipv4_is_zeronet(daddr)) + if (ipv4_is_zeronet(daddr)) { + reason = SKB_DROP_REASON_IP_INVALID_DEST; goto martian_destination; + } /* Following code try to avoid calling IN_DEV_NET_ROUTE_LOCALNET(), * and call it once if daddr or/and saddr are loopback addresses */ if (ipv4_is_loopback(daddr)) { - if (!IN_DEV_NET_ROUTE_LOCALNET(in_dev, net)) + if (!IN_DEV_NET_ROUTE_LOCALNET(in_dev, net)) { + reason = SKB_DROP_REASON_IP_LOCALNET; goto martian_destination; + } } else if (ipv4_is_loopback(saddr)) { - if (!IN_DEV_NET_ROUTE_LOCALNET(in_dev, net)) + if (!IN_DEV_NET_ROUTE_LOCALNET(in_dev, net)) { + reason = SKB_DROP_REASON_IP_LOCALNET; goto martian_source; + } } /* @@ -2316,19 +2327,26 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, err = -EHOSTUNREACH; goto no_route; } - if (res->type != RTN_UNICAST) + if (res->type != RTN_UNICAST) { + reason = SKB_DROP_REASON_IP_INVALID_DEST; goto martian_destination; + } make_route: err = ip_mkroute_input(skb, res, in_dev, daddr, saddr, dscp, flkeys); -out: return err; + if (!err) + reason = SKB_NOT_DROPPED_YET; + +out: + return reason; brd_input: - if (skb->protocol != htons(ETH_P_IP)) - goto e_inval; + if (skb->protocol != htons(ETH_P_IP)) { + reason = SKB_DROP_REASON_INVALID_PROTO; + goto out; + } if (!ipv4_is_zeronet(saddr)) { - err = -EINVAL; reason = fib_validate_source_reason(skb, saddr, 0, dscp, 0, dev, in_dev, &itag); if (reason) @@ -2349,7 +2367,7 @@ out: return err; rth = rcu_dereference(nhc->nhc_rth_input); if (rt_cache_valid(rth)) { skb_dst_set_noref(skb, &rth->dst); - err = 0; + reason = SKB_NOT_DROPPED_YET; goto out; } } 
@@ -2386,7 +2404,7 @@ out: return err; rt_add_uncached_list(rth); } skb_dst_set(skb, &rth->dst); - err = 0; + reason = SKB_NOT_DROPPED_YET; goto out; no_route: @@ -2407,12 +2425,8 @@ out: return err; &daddr, &saddr, dev->name); #endif -e_inval: - err = -EINVAL; - goto out; - e_nobufs: - err = -ENOBUFS; + reason = SKB_DROP_REASON_NOMEM; goto out; martian_source: 
@@ -2469,7 +2483,7 @@ static int ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr, return reason ? -EINVAL : 0; } - return ip_route_input_slow(skb, daddr, saddr, dscp, dev, res); + return ip_route_input_slow(skb, daddr, saddr, dscp, dev, res) ? -EINVAL : 0; } int ip_route_input_noref(struct sk_buff *skb, __be32 daddr, __be32 saddr, From patchwork Thu Oct 24 09:33:44 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Menglong Dong X-Patchwork-Id: 13848625 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-pf1-f194.google.com (mail-pf1-f194.google.com [209.85.210.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id CFE7D1B6D18; Thu, 24 Oct 2024 09:35:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.194 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729762511; cv=none; b=SPhwto276HaKk/feiow0b7NN5OHhsCL5OfMxXR+qB0BgjCrN/jN/HKhn/rJ1UFn86q5UJszLGjLpBt3DS45X0PoodOl+t4vHiCgzU8pigzuxYxVfI0ahm2oNXnPGGc1a3gRCEe47QI8nPq7zmYM5ikCjErsnq42y5Unir7pNDt4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729762511; c=relaxed/simple; bh=SMznvpM6I8IKeqpx/OkxMk7v5dBsmBPNdSI5IDb8K4g=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=Zp6e0pPKN7Q/TWEJQDARUCpgt4DRtyVqeltNg6NJkKRUzrNmptwu4ZOIEFmwdHOHbI+ftIG2u90Iarqyk326cgtQYgfGfvZvOYaFNWKNjw8uA/4ahAFYN2VItKnVgRCFx6MDBleXh77IYKVU5KTOM35xQKSGh30cITWl+fuXOG0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Ht+HkOVd; arc=none smtp.client-ip=209.85.210.194 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) 
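Review bot: The kernel-doc added for SKB_DROP_REASON_IP_INVALID_DEST in include/net/dropreason-core.h lists only "1) dest ip is 0", but the route.c hunks also assign this reason when `res->type != RTN_UNICAST` before `goto martian_destination`. Add that case to the comment so the documented meaning covers every site that sets it.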
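Review bot: At the make_route label in ip_route_input_slow(), a failing ip_mkroute_input() has its errno discarded: `if (!err) reason = SKB_NOT_DROPPED_YET;` leaves reason at whatever it held on entry to the label, which is SKB_DROP_REASON_NOT_SPECIFIED from the initialiser unless an earlier assignment overwrote it. Set reason explicitly on the failure branch, for example SKB_DROP_REASON_NOMEM for -ENOBUFS as the e_nobufs label already does, so the returned value does not depend on which path reached make_route. The context line `err = -EHOSTUNREACH; goto no_route;` also still assigns err although the function no longer returns it; if nothing after no_route reads err, remove the assignment.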
From: Menglong Dong X-Google-Original-From: Menglong Dong To: pabeni@redhat.com Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, roopa@nvidia.com, razor@blackwall.org, gnault@redhat.com, bigeasy@linutronix.de, idosch@nvidia.com, ast@kernel.org, dongml2@chinatelecom.cn, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, bpf@vger.kernel.org Subject: [PATCH bpf-next v4 5/9] net: ip: make ip_route_input_rcu() return drop reasons Date: Thu, 24 Oct 2024 17:33:44 +0800 Message-Id: <20241024093348.353245-6-dongml2@chinatelecom.cn> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20241024093348.353245-1-dongml2@chinatelecom.cn> References: <20241024093348.353245-1-dongml2@chinatelecom.cn> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: bpf@iogearbox.net In this commit, we make ip_route_input_rcu() return drop reasons, which come from ip_route_input_mc() and ip_route_input_slow(). The only caller of ip_route_input_rcu() is ip_route_input_noref(). We adjust it by making it return -EINVAL on error and ignore the reasons that ip_route_input_rcu() returns. In the following patch, we will make ip_route_input_noref() return the drop reasons. Signed-off-by: Menglong Dong --- v4: - collapse the 2 lines that we modify in inet_rtm_getroute() --- net/ipv4/route.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 7976f687d039..4b0daf3510d7 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c 
@@ -2435,9 +2435,10 @@ ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, } /* called with rcu_read_lock held */ -static int ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr, - dscp_t dscp, struct net_device *dev, - struct fib_result *res) +static enum skb_drop_reason +ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr, + dscp_t dscp, struct net_device *dev, + struct fib_result *res) { /* Multicast recognition logic is moved from route cache to here. * The problem was that too many Ethernet cards have broken/missing @@ -2480,23 +2481,23 @@ static int ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr, reason = ip_route_input_mc(skb, daddr, saddr, dscp, dev, our); } - return reason ? -EINVAL : 0; + return reason; } - return ip_route_input_slow(skb, daddr, saddr, dscp, dev, res) ? -EINVAL : 0; + return ip_route_input_slow(skb, daddr, saddr, dscp, dev, res); } int ip_route_input_noref(struct sk_buff *skb, __be32 daddr, __be32 saddr, dscp_t dscp, struct net_device *dev) { + enum skb_drop_reason reason; struct fib_result res; - int err; rcu_read_lock(); - err = ip_route_input_rcu(skb, daddr, saddr, dscp, dev, &res); + reason = ip_route_input_rcu(skb, daddr, saddr, dscp, dev, &res); rcu_read_unlock(); - return err; + return reason ? -EINVAL : 0; } EXPORT_SYMBOL(ip_route_input_noref); 
@@ -3308,7 +3309,7 @@ static int inet_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh, skb->mark = mark; err = ip_route_input_rcu(skb, dst, src, inet_dsfield_to_dscp(rtm->rtm_tos), - dev, &res); + dev, &res) ? -EINVAL : 0; rt = skb_rtable(skb); if (err == 0 && rt->dst.error) From patchwork Thu Oct 24 09:33:45 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Menglong Dong X-Patchwork-Id: 13848626 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-pg1-f194.google.com (mail-pg1-f194.google.com [209.85.215.194]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7912B1B85DF; Thu, 24 Oct 2024 09:35:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.194 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729762517; cv=none; b=RZ2sw5xkfOqoidgUcMYTHYfL2s6Yr8cPWscoS/CkB58/H1vYwl1uyeOFptpxtG5LhcfhNz3gx4FBc3lyQMq7mMxJjEhjBgMD2s9MHA4+Z9DLdV5OF7VbnjrdiCYp1iI56mCcawtCeFSGUePJsrT7r6jfLZkML8lgQI1ibxJ9ZUU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729762517; c=relaxed/simple; bh=cJ0OGLfON7rfzJI4gOqeXOhVCn6upuw2yPV7fi7n4MQ=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=Y7GRxLwlIHWYL1XchQFif/xc2bpoaHC7rqjJ32LtKkm8m0IXCobT1c1Ai/YGzahnrce7gZ/EIXwkve+aIakt5TRZWOreyYvlc1cAPh8aNtJe8AGx2LhDdFCR21es7DPrOP/qD96INJBPIieqxpO3ON/xkjuNHW4yNV12/Ga0ZBs= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=ISwmANcV; arc=none smtp.client-ip=209.85.215.194 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; 
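Review bot: In the inet_rtm_getroute() hunk, `dev, &res) ? -EINVAL : 0;` turns every routing failure into -EINVAL for the netlink route query, where ip_route_input_rcu() previously handed back its own errno, and the commit message only describes the change to ip_route_input_noref(). State the errno change for inet_rtm_getroute() in the commit message, or keep the distinction by mapping the drop reason back to an errno here. The conversion also sits on the continuation line of a multi-line call where it is easy to overlook; a local enum skb_drop_reason converted on its own line would read better.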
From: Menglong Dong X-Google-Original-From: Menglong Dong To: pabeni@redhat.com Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, roopa@nvidia.com, razor@blackwall.org, gnault@redhat.com, bigeasy@linutronix.de, idosch@nvidia.com, ast@kernel.org, dongml2@chinatelecom.cn, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, bpf@vger.kernel.org Subject: [PATCH bpf-next v4 6/9] net: ip: make ip_route_input_noref() return drop reasons Date: Thu, 24 Oct 2024 17:33:45 +0800 Message-Id: <20241024093348.353245-7-dongml2@chinatelecom.cn> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20241024093348.353245-1-dongml2@chinatelecom.cn> References: <20241024093348.353245-1-dongml2@chinatelecom.cn> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: bpf@iogearbox.net In this commit, we make ip_route_input_noref() return drop reasons, which come from ip_route_input_rcu(). We need to adjust the callers of ip_route_input_noref() to make sure the return value of ip_route_input_noref() is used properly. The errno that ip_route_input_noref() returns comes from ip_route_input and bpf_lwt_input_reroute in the original logic, and we make them return -EINVAL on error instead. In the following patch, we will make ip_route_input() return drop reasons too. Signed-off-by: Menglong Dong --- v4: - introduce the variable "reason" in bpf_lwt_input_reroute() to make things clear --- include/net/route.h | 15 ++++++++------- net/core/lwt_bpf.c | 6 ++++-- net/ipv4/ip_fragment.c | 12 +++++++----- net/ipv4/ip_input.c | 7 ++++--- net/ipv4/route.c | 7 ++++--- 5 files changed, 27 insertions(+), 20 deletions(-) diff --git a/include/net/route.h b/include/net/route.h index a828a17a6313..11674f7c6be6 100644 --- a/include/net/route.h +++ b/include/net/route.h 
@@ -203,8 +203,9 @@ enum skb_drop_reason ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr, dscp_t dscp, struct net_device *dev, struct in_device *in_dev, u32 *itag); -int ip_route_input_noref(struct sk_buff *skb, __be32 daddr, __be32 saddr, - dscp_t dscp, struct net_device *dev); +enum skb_drop_reason +ip_route_input_noref(struct sk_buff *skb, __be32 daddr, __be32 saddr, + dscp_t dscp, struct net_device *dev); int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, dscp_t dscp, struct net_device *dev, const struct sk_buff *hint); @@ -212,18 +213,18 @@ int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, static inline int ip_route_input(struct sk_buff *skb, __be32 dst, __be32 src, dscp_t dscp, struct net_device *devin) { - int err; + enum skb_drop_reason reason; rcu_read_lock(); - err = ip_route_input_noref(skb, dst, src, dscp, devin); - if (!err) { + reason = ip_route_input_noref(skb, dst, src, dscp, devin); + if (!reason) { skb_dst_force(skb); if (!skb_dst(skb)) - err = -EINVAL; + reason = SKB_DROP_REASON_NOT_SPECIFIED; } rcu_read_unlock(); - return err; + return reason ? -EINVAL : 0; } void ipv4_update_pmtu(struct sk_buff *skb, struct net *net, u32 mtu, int oif, diff --git a/net/core/lwt_bpf.c b/net/core/lwt_bpf.c index e0ca24a58810..8a78bff53b2c 100644 --- a/net/core/lwt_bpf.c +++ b/net/core/lwt_bpf.c @@ -88,6 +88,7 @@ static int run_lwt_bpf(struct sk_buff *skb, struct bpf_lwt_prog *lwt, static int bpf_lwt_input_reroute(struct sk_buff *skb) { + enum skb_drop_reason reason; int err = -EINVAL; if (skb->protocol == htons(ETH_P_IP)) { @@ -96,8 +97,9 @@ static int bpf_lwt_input_reroute(struct sk_buff *skb) dev_hold(dev); skb_dst_drop(skb); - err = ip_route_input_noref(skb, iph->daddr, iph->saddr, - ip4h_dscp(iph), dev); + reason = ip_route_input_noref(skb, iph->daddr, iph->saddr, + ip4h_dscp(iph), dev); + err = reason ? -EINVAL : 0; dev_put(dev); } else if (skb->protocol == htons(ETH_P_IPV6)) { skb_dst_drop(skb); 
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c index 48e2810f1f27..52b991e976ba 100644 --- a/net/ipv4/ip_fragment.c +++ b/net/ipv4/ip_fragment.c @@ -132,12 +132,12 @@ static bool frag_expire_skip_icmp(u32 user) */ static void ip_expire(struct timer_list *t) { + enum skb_drop_reason reason = SKB_DROP_REASON_FRAG_REASM_TIMEOUT; struct inet_frag_queue *frag = from_timer(frag, t, timer); const struct iphdr *iph; struct sk_buff *head = NULL; struct net *net; struct ipq *qp; - int err; qp = container_of(frag, struct ipq, q); net = qp->q.fqdir->net; @@ -175,10 +175,12 @@ static void ip_expire(struct timer_list *t) /* skb has no dst, perform route lookup again */ iph = ip_hdr(head); - err = ip_route_input_noref(head, iph->daddr, iph->saddr, ip4h_dscp(iph), - head->dev); - if (err) + reason = ip_route_input_noref(head, iph->daddr, iph->saddr, + ip4h_dscp(iph), head->dev); + if (reason) goto out; + else + reason = SKB_DROP_REASON_FRAG_REASM_TIMEOUT; /* Only an end host needs to send an ICMP * "Fragment Reassembly Timeout" message, per RFC792. @@ -195,7 +197,7 @@ static void ip_expire(struct timer_list *t) spin_unlock(&qp->q.lock); out_rcu_unlock: rcu_read_unlock(); - kfree_skb_reason(head, SKB_DROP_REASON_FRAG_REASM_TIMEOUT); + kfree_skb_reason(head, reason); ipq_put(qp); } diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c index c40a26972884..513eb0c6435a 100644 --- a/net/ipv4/ip_input.c +++ b/net/ipv4/ip_input.c @@ -362,10 +362,11 @@ static int ip_rcv_finish_core(struct net *net, struct sock *sk, * how the packet travels inside Linux networking. */ if (!skb_valid_dst(skb)) { - err = ip_route_input_noref(skb, iph->daddr, iph->saddr, - ip4h_dscp(iph), dev); - if (unlikely(err)) + drop_reason = ip_route_input_noref(skb, iph->daddr, iph->saddr, + ip4h_dscp(iph), dev); + if (unlikely(drop_reason)) goto drop_error; + drop_reason = SKB_DROP_REASON_NOT_SPECIFIED; } else { struct in_device *in_dev = __in_dev_get_rcu(dev); 
diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 4b0daf3510d7..757526e450fd 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -2487,8 +2487,9 @@ ip_route_input_rcu(struct sk_buff *skb, __be32 daddr, __be32 saddr, return ip_route_input_slow(skb, daddr, saddr, dscp, dev, res); } -int ip_route_input_noref(struct sk_buff *skb, __be32 daddr, __be32 saddr, - dscp_t dscp, struct net_device *dev) +enum skb_drop_reason ip_route_input_noref(struct sk_buff *skb, __be32 daddr, + __be32 saddr, dscp_t dscp, + struct net_device *dev) { enum skb_drop_reason reason; struct fib_result res; 
@@ -2497,7 +2498,7 @@ int ip_route_input_noref(struct sk_buff *skb, __be32 daddr, __be32 saddr, reason = ip_route_input_rcu(skb, daddr, saddr, dscp, dev, &res); rcu_read_unlock(); - return reason ? -EINVAL : 0; + return reason; } EXPORT_SYMBOL(ip_route_input_noref); From patchwork Thu Oct 24 09:33:46 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Menglong Dong X-Patchwork-Id: 13848627 X-Patchwork-Delegate: kuba@kernel.org Received: from mail-pg1-f196.google.com (mail-pg1-f196.google.com [209.85.215.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DF1C11D515B; Thu, 24 Oct 2024 09:35:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.196 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729762523; cv=none; b=N7HgbpWQ77Ud0uEmsZrgtvWzxXJNQvG3JjKuJ4SOD/fe/TETRPH3KCOEoGirjX1e07jCIvwwwMucn5BhmMZ4JMlXB3ZUG1kIq9W6fXvVuz6LY/T5p3fxrfRD9epSQOS3uF56zQVuxGJoVhn3fSUfVVrYnigqg1rh0jIQ18gZva8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1729762523; c=relaxed/simple; bh=ZBCJSiNa4CsjTZLKPAoPbJkdOPZmUXoqjlRHJMtpBEg=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=E/tpLliwWhtRcLcqh9HJVbg1DQt83hjWpvCnNaELV7u2WF3KJ7FH36x5RTeqWold9tEu8BZuS2rrHNSRg/ONWfWFr2V75CX2HDXjtMiInjqaXRID4a0krd15xNlImrChFpCC2c9Uzm7rWv+pO1tS31jz0JNRxaYQ2Upcx+FAN9w= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=QIuQsJjV; arc=none smtp.client-ip=209.85.215.196 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass 
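Review bot: In the ip_expire() hunk, the `else` after `goto out;` is unnecessary; drop it and keep the plain assignment, with a comment that reason has to be restored to SKB_DROP_REASON_FRAG_REASM_TIMEOUT because a successful ip_route_input_noref() overwrote it with SKB_NOT_DROPPED_YET before the final `kfree_skb_reason(head, reason);`. Please also confirm it is intended that a reassembly timeout whose route lookup fails is now freed under the routing reason instead of FRAG_REASM_TIMEOUT, since that changes which counter a fragment timeout is attributed to.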
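Review bot: In the ip_rcv_finish_core() hunk, `drop_reason = SKB_DROP_REASON_NOT_SPECIFIED;` after the successful lookup exists only because the call overwrote drop_reason with SKB_NOT_DROPPED_YET, and nothing in the code says so. Add a one-line comment, or store the lookup result in a separate local so drop_reason keeps its value; otherwise a later cleanup can remove the assignment and let a subsequent drop path in the function free the skb with SKB_NOT_DROPPED_YET.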
From: Menglong Dong X-Google-Original-From: Menglong Dong To: pabeni@redhat.com Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, roopa@nvidia.com, razor@blackwall.org, gnault@redhat.com, bigeasy@linutronix.de, idosch@nvidia.com, ast@kernel.org, dongml2@chinatelecom.cn, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, bpf@vger.kernel.org Subject: [PATCH bpf-next v4 7/9] net: ip: make ip_route_input() return drop reasons Date: Thu, 24 Oct 2024 17:33:46 +0800 Message-Id: <20241024093348.353245-8-dongml2@chinatelecom.cn> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20241024093348.353245-1-dongml2@chinatelecom.cn> References: <20241024093348.353245-1-dongml2@chinatelecom.cn> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: bpf@iogearbox.net In this commit, we make ip_route_input() return skb drop reasons that come from ip_route_input_noref(). Meanwhile, adjust all the calls to it. 
Signed-off-by: Menglong Dong --- v4: - replace the variable "err" with "reason" for the return value of ip_route_input() --- include/net/route.h | 7 ++++--- net/bridge/br_netfilter_hooks.c | 11 ++++++----- net/ipv4/icmp.c | 2 +- net/ipv4/ip_options.c | 2 +- net/ipv6/seg6_local.c | 14 +++++++------- 5 files changed, 19 insertions(+), 17 deletions(-) diff --git a/include/net/route.h b/include/net/route.h index 11674f7c6be6..f4ab5412c9c9 100644 --- a/include/net/route.h +++ b/include/net/route.h @@ -210,8 +210,9 @@ int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, dscp_t dscp, struct net_device *dev, const struct sk_buff *hint); -static inline int ip_route_input(struct sk_buff *skb, __be32 dst, __be32 src, - dscp_t dscp, struct net_device *devin) +static inline enum skb_drop_reason +ip_route_input(struct sk_buff *skb, __be32 dst, __be32 src, dscp_t dscp, + struct net_device *devin) { enum skb_drop_reason reason; @@ -224,7 +225,7 @@ static inline int ip_route_input(struct sk_buff *skb, __be32 dst, __be32 src, } rcu_read_unlock(); - return reason ? -EINVAL : 0; + return reason; } void ipv4_update_pmtu(struct sk_buff *skb, struct net *net, u32 mtu, int oif, diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c index 17a5f5923d61..110cffc24a1d 100644 --- a/net/bridge/br_netfilter_hooks.c +++ b/net/bridge/br_netfilter_hooks.c @@ -373,8 +373,8 @@ static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_ struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); struct net_device *dev = skb->dev, *br_indev; const struct iphdr *iph = ip_hdr(skb); + enum skb_drop_reason reason; struct rtable *rt; - int err; br_indev = nf_bridge_get_physindev(skb, net); if (!br_indev) { 
@@ -390,9 +390,9 @@ static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_ } nf_bridge->in_prerouting = 0; if (br_nf_ipv4_daddr_was_changed(skb, nf_bridge)) { - err = ip_route_input(skb, iph->daddr, iph->saddr, - ip4h_dscp(iph), dev); - if (err) { + reason = ip_route_input(skb, iph->daddr, iph->saddr, + ip4h_dscp(iph), dev); + if (reason) { struct in_device *in_dev = __in_dev_get_rcu(dev); /* If err equals -EHOSTUNREACH the error is due to a @@ -402,7 +402,8 @@ static int br_nf_pre_routing_finish(struct net *net, struct sock *sk, struct sk_ * martian destinations: loopback destinations and destination * 0.0.0.0. In both cases the packet will be dropped because the * destination is the loopback device and not the bridge. */ - if (err != -EHOSTUNREACH || !in_dev || IN_DEV_FORWARD(in_dev)) + if (reason != SKB_DROP_REASON_IP_INADDRERRORS || !in_dev || + IN_DEV_FORWARD(in_dev)) goto free_skb; rt = ip_route_output(net, iph->daddr, 0, diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c index 23664434922e..69ea33f64a54 100644 --- a/net/ipv4/icmp.c +++ b/net/ipv4/icmp.c @@ -545,7 +545,7 @@ static struct rtable *icmp_route_lookup(struct net *net, struct flowi4 *fl4, orefdst = skb_in->_skb_refdst; /* save old refdst */ skb_dst_set(skb_in, NULL); err = ip_route_input(skb_in, fl4_dec.daddr, fl4_dec.saddr, - dscp, rt2->dst.dev); + dscp, rt2->dst.dev) ? -EINVAL : 0; dst_release(&rt2->dst); rt2 = skb_rtable(skb_in); diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c index 81e86e5defee..e3321932bec0 100644 --- a/net/ipv4/ip_options.c +++ b/net/ipv4/ip_options.c @@ -618,7 +618,7 @@ int ip_options_rcv_srr(struct sk_buff *skb, struct net_device *dev) orefdst = skb->_skb_refdst; skb_dst_set(skb, NULL); err = ip_route_input(skb, nexthop, iph->saddr, ip4h_dscp(iph), - dev); + dev) ? -EINVAL : 0; rt2 = skb_rtable(skb); if (err || (rt2->rt_type != RTN_UNICAST && rt2->rt_type != RTN_LOCAL)) { skb_dst_drop(skb); 
diff --git a/net/ipv6/seg6_local.c b/net/ipv6/seg6_local.c index c74705ead984..ac1dbd492c22 100644 --- a/net/ipv6/seg6_local.c +++ b/net/ipv6/seg6_local.c @@ -954,10 +954,10 @@ static int input_action_end_dx4_finish(struct net *net, struct sock *sk, struct sk_buff *skb) { struct dst_entry *orig_dst = skb_dst(skb); + enum skb_drop_reason reason; struct seg6_local_lwt *slwt; struct iphdr *iph; __be32 nhaddr; - int err; slwt = seg6_local_lwtunnel(orig_dst->lwtstate); @@ -967,9 +967,9 @@ static int input_action_end_dx4_finish(struct net *net, struct sock *sk, skb_dst_drop(skb); - err = ip_route_input(skb, nhaddr, iph->saddr, 0, skb->dev); - if (err) { - kfree_skb(skb); + reason = ip_route_input(skb, nhaddr, iph->saddr, 0, skb->dev); + if (reason) { + kfree_skb_reason(skb, reason); return -EINVAL; } @@ -1174,8 +1174,8 @@ static struct sk_buff *end_dt_vrf_core(struct sk_buff *skb, static int input_action_end_dt4(struct sk_buff *skb, struct seg6_local_lwt *slwt) { + enum skb_drop_reason reason; struct iphdr *iph; - int err; if (!decap_and_validate(skb, IPPROTO_IPIP)) goto drop; 
@@ -1193,8 +1193,8 @@ static int input_action_end_dt4(struct sk_buff *skb, iph = ip_hdr(skb); - err = ip_route_input(skb, iph->daddr, iph->saddr, 0, skb->dev); - if (unlikely(err)) + reason = ip_route_input(skb, iph->daddr, iph->saddr, 0, skb->dev); + if (unlikely(reason)) goto drop; return dst_input(skb);
From patchwork Thu Oct 24 09:33:47 2024
X-Patchwork-Submitter: Menglong Dong
X-Patchwork-Id: 13848628
X-Patchwork-Delegate: kuba@kernel.org
From: Menglong Dong
To: pabeni@redhat.com
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, roopa@nvidia.com, razor@blackwall.org, gnault@redhat.com, bigeasy@linutronix.de, idosch@nvidia.com, ast@kernel.org, dongml2@chinatelecom.cn, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, bpf@vger.kernel.org
Subject: [PATCH bpf-next v4 8/9] net: ip: make ip_mkroute_input/__mkroute_input return drop reasons
Date: Thu, 24 Oct 2024 17:33:47 +0800
Message-Id: <20241024093348.353245-9-dongml2@chinatelecom.cn>
In-Reply-To: <20241024093348.353245-1-dongml2@chinatelecom.cn>
References: <20241024093348.353245-1-dongml2@chinatelecom.cn>
X-Patchwork-Delegate: bpf@iogearbox.net

In this commit, we make ip_mkroute_input() and __mkroute_input() return drop reasons. The drop reason "SKB_DROP_REASON_ARP_PVLAN_DISABLE" is introduced for the case: the packet which is not IP is forwarded to the in_dev, and the proxy_arp_pvlan is not enabled. This name is ugly, and I have not figured out a suitable name for this case yet :/
Signed-off-by: Menglong Dong --- include/net/dropreason-core.h | 7 +++++++ net/ipv4/route.c | 35 +++++++++++++++++++---------------- 2 files changed, 26 insertions(+), 16 deletions(-) diff --git a/include/net/dropreason-core.h b/include/net/dropreason-core.h index 74624d369d48..6c5a1ea209a2 100644 --- a/include/net/dropreason-core.h +++ b/include/net/dropreason-core.h @@ -104,6 +104,7 @@ FN(IP_TUNNEL_ECN) \ FN(TUNNEL_TXINFO) \ FN(LOCAL_MAC) \ + FN(ARP_PVLAN_DISABLE) \ FNe(MAX) /** 
@@ -477,6 +478,12 @@ enum skb_drop_reason { * the MAC address of the local netdev. */ SKB_DROP_REASON_LOCAL_MAC, + /** + * @SKB_DROP_REASON_ARP_PVLAN_DISABLE: packet which is not IP is + * forwarded to the in_dev, and the proxy_arp_pvlan is not + * enabled. + */ + SKB_DROP_REASON_ARP_PVLAN_DISABLE, /** * @SKB_DROP_REASON_MAX: the maximum of core drop reasons, which * shouldn't be used as a real 'reason' - only for tracing code gen diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 757526e450fd..d47d7ae9fc61 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -1769,10 +1769,12 @@ static void ip_handle_martian_source(struct net_device *dev, } /* called in rcu_read_lock() section */ -static int __mkroute_input(struct sk_buff *skb, const struct fib_result *res, - struct in_device *in_dev, __be32 daddr, - __be32 saddr, dscp_t dscp) +static enum skb_drop_reason +__mkroute_input(struct sk_buff *skb, const struct fib_result *res, + struct in_device *in_dev, __be32 daddr, + __be32 saddr, dscp_t dscp) { + enum skb_drop_reason reason = SKB_DROP_REASON_NOT_SPECIFIED; struct fib_nh_common *nhc = FIB_RES_NHC(*res); struct net_device *dev = nhc->nhc_dev; struct fib_nh_exception *fnhe; @@ -1786,13 +1788,13 @@ static int __mkroute_input(struct sk_buff *skb, const struct fib_result *res, out_dev = __in_dev_get_rcu(dev); if (!out_dev) { net_crit_ratelimited("Bug in ip_route_input_slow(). Please report.\n"); - return -EINVAL; + return reason; } err = fib_validate_source(skb, saddr, daddr, dscp, FIB_RES_OIF(*res), in_dev->dev, in_dev, &itag); if (err < 0) { - err = -EINVAL; + reason = -err; ip_handle_martian_source(in_dev->dev, in_dev, skb, daddr, saddr); @@ -1820,7 +1822,8 @@ static int __mkroute_input(struct sk_buff *skb, const struct fib_result *res, */ if (out_dev == in_dev && IN_DEV_PROXY_ARP_PVLAN(in_dev) == 0) { - err = -EINVAL; + /* what do we name this situation? */ + reason = SKB_DROP_REASON_ARP_PVLAN_DISABLE; goto cleanup; } } 
@@ -1843,7 +1846,7 @@ static int __mkroute_input(struct sk_buff *skb, const struct fib_result *res, rth = rt_dst_alloc(out_dev->dev, 0, res->type, IN_DEV_ORCONF(out_dev, NOXFRM)); if (!rth) { - err = -ENOBUFS; + reason = SKB_DROP_REASON_NOMEM; goto cleanup; } @@ -1857,9 +1860,9 @@ static int __mkroute_input(struct sk_buff *skb, const struct fib_result *res, lwtunnel_set_redirect(&rth->dst); skb_dst_set(skb, &rth->dst); out: - err = 0; - cleanup: - return err; + reason = SKB_NOT_DROPPED_YET; +cleanup: + return reason; } #ifdef CONFIG_IP_ROUTE_MULTIPATH @@ -2117,9 +2120,10 @@ int fib_multipath_hash(const struct net *net, const struct flowi4 *fl4, } #endif /* CONFIG_IP_ROUTE_MULTIPATH */ -static int ip_mkroute_input(struct sk_buff *skb, struct fib_result *res, - struct in_device *in_dev, __be32 daddr, - __be32 saddr, dscp_t dscp, struct flow_keys *hkeys) +static enum skb_drop_reason +ip_mkroute_input(struct sk_buff *skb, struct fib_result *res, + struct in_device *in_dev, __be32 daddr, + __be32 saddr, dscp_t dscp, struct flow_keys *hkeys) { #ifdef CONFIG_IP_ROUTE_MULTIPATH if (res->fi && fib_info_num_path(res->fi) > 1) { 
@@ -2333,9 +2337,8 @@ ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, } make_route: - err = ip_mkroute_input(skb, res, in_dev, daddr, saddr, dscp, flkeys); - if (!err) - reason = SKB_NOT_DROPPED_YET; + reason = ip_mkroute_input(skb, res, in_dev, daddr, saddr, dscp, + flkeys); out: return reason;
From patchwork Thu Oct 24 09:33:48 2024
X-Patchwork-Submitter: Menglong Dong
X-Patchwork-Id: 13848629
X-Patchwork-Delegate: kuba@kernel.org
From: Menglong Dong
To: pabeni@redhat.com
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org, dsahern@kernel.org, pablo@netfilter.org, kadlec@netfilter.org, roopa@nvidia.com, razor@blackwall.org, gnault@redhat.com, bigeasy@linutronix.de, idosch@nvidia.com, ast@kernel.org, dongml2@chinatelecom.cn, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, bpf@vger.kernel.org
Subject: [PATCH bpf-next v4 9/9] net: ip: make ip_route_use_hint() return drop reasons
Date: Thu, 24 Oct 2024 17:33:48 +0800
Message-Id: <20241024093348.353245-10-dongml2@chinatelecom.cn>
In-Reply-To: <20241024093348.353245-1-dongml2@chinatelecom.cn>
References: <20241024093348.353245-1-dongml2@chinatelecom.cn>
X-Patchwork-Delegate: bpf@iogearbox.net

In this commit, we make ip_route_use_hint() return drop reasons. The drop reasons that we return are similar to what we do in ip_route_input_slow(), and no drop reasons are added in this commit.
Signed-off-by: Menglong Dong --- include/net/route.h | 7 ++++--- net/ipv4/ip_input.c | 9 ++++----- net/ipv4/route.c | 26 ++++++++++++++++---------- 3 files changed, 24 insertions(+), 18 deletions(-) diff --git a/include/net/route.h b/include/net/route.h index f4ab5412c9c9..4debc335d276 100644 --- a/include/net/route.h +++ b/include/net/route.h 
@@ -206,9 +206,10 @@ ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr, enum skb_drop_reason ip_route_input_noref(struct sk_buff *skb, __be32 daddr, __be32 saddr, dscp_t dscp, struct net_device *dev); -int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, - dscp_t dscp, struct net_device *dev, - const struct sk_buff *hint); +enum skb_drop_reason +ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, + dscp_t dscp, struct net_device *dev, + const struct sk_buff *hint); static inline enum skb_drop_reason ip_route_input(struct sk_buff *skb, __be32 dst, __be32 src, dscp_t dscp, diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c index 513eb0c6435a..f0a4dda246ab 100644 --- a/net/ipv4/ip_input.c +++ b/net/ipv4/ip_input.c @@ -322,15 +322,14 @@ static int ip_rcv_finish_core(struct net *net, struct sock *sk, int err, drop_reason; struct rtable *rt; - drop_reason = SKB_DROP_REASON_NOT_SPECIFIED; - if (ip_can_use_hint(skb, iph, hint)) { - err = ip_route_use_hint(skb, iph->daddr, iph->saddr, - ip4h_dscp(iph), dev, hint); - if (unlikely(err)) + drop_reason = ip_route_use_hint(skb, iph->daddr, iph->saddr, + ip4h_dscp(iph), dev, hint); + if (unlikely(drop_reason)) goto drop_error; } + drop_reason = SKB_DROP_REASON_NOT_SPECIFIED; if (READ_ONCE(net->ipv4.sysctl_ip_early_demux) && !skb_dst(skb) && !skb->sk && diff --git a/net/ipv4/route.c b/net/ipv4/route.c index d47d7ae9fc61..7a064e3a2d49 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c 
@@ -2142,28 +2142,34 @@ ip_mkroute_input(struct sk_buff *skb, struct fib_result *res, * assuming daddr is valid and the destination is not a local broadcast one. * Uses the provided hint instead of performing a route lookup. */ -int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, - dscp_t dscp, struct net_device *dev, - const struct sk_buff *hint) +enum skb_drop_reason +ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, + dscp_t dscp, struct net_device *dev, + const struct sk_buff *hint) { + enum skb_drop_reason reason = SKB_DROP_REASON_NOT_SPECIFIED; struct in_device *in_dev = __in_dev_get_rcu(dev); struct rtable *rt = skb_rtable(hint); struct net *net = dev_net(dev); - enum skb_drop_reason reason; - int err = -EINVAL; u32 tag = 0; if (!in_dev) - return -EINVAL; + return reason; - if (ipv4_is_multicast(saddr) || ipv4_is_lbcast(saddr)) + if (ipv4_is_multicast(saddr) || ipv4_is_lbcast(saddr)) { + reason = SKB_DROP_REASON_IP_INVALID_SOURCE; goto martian_source; + } - if (ipv4_is_zeronet(saddr)) + if (ipv4_is_zeronet(saddr)) { + reason = SKB_DROP_REASON_IP_INVALID_SOURCE; goto martian_source; + } - if (ipv4_is_loopback(saddr) && !IN_DEV_NET_ROUTE_LOCALNET(in_dev, net)) + if (ipv4_is_loopback(saddr) && !IN_DEV_NET_ROUTE_LOCALNET(in_dev, net)) { + reason = SKB_DROP_REASON_IP_LOCALNET; goto martian_source; + } if (rt->rt_type != RTN_LOCAL) goto skip_validate_source; @@ -2179,7 +2185,7 @@ int ip_route_use_hint(struct sk_buff *skb, __be32 daddr, __be32 saddr, martian_source: ip_handle_martian_source(dev, in_dev, skb, daddr, saddr); - return err; + return reason; } /* get device for dst_alloc with local routes */
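Review bot: In patch 7/9, the include/net/route.h hunk at @@ -224,7 +225,7 replaces "return reason ? -EINVAL : 0;" with "return reason;", so ip_route_input() now hands back positive enum skb_drop_reason values where it used to return a negative errno, and nothing at the definition documents that. The enum converts to int silently, so a caller outside the five files in the diffstat that tests "< 0" or propagates the value as an errno would keep compiling and misbehave. Suggest a short comment above the inline stating that it returns SKB_NOT_DROPPED_YET on success and a drop reason otherwise, and a line in the commit message confirming that no other callers remain.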
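Review bot: In patch 7/9, the br_nf_pre_routing_finish() hunk at @@ -402,7 +402,8 keeps the comment "If err equals -EHOSTUNREACH" while the test under it now reads "reason != SKB_DROP_REASON_IP_INADDRERRORS"; the comment should name the drop reason and say why it stands for the unreachable case. This is also a behaviour change rather than a pure conversion: the old inline returned "reason ? -EINVAL : 0", so "err != -EHOSTUNREACH" was always true and every failure went to free_skb, whereas after this patch the ip_route_output() fallback is reachable again. That deserves a sentence in the commit message and a test that exercises the fallback.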
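Review bot: In patch 7/9, input_action_end_dt4() at @@ -1193,8 +1193,8 stores the result in "reason" but only tests it before "goto drop", and the drop label is outside the hunk, so from the visible lines the reason is discarded. input_action_end_dx4_finish() in the same file was switched to "kfree_skb_reason(skb, reason);". If the drop label here still frees with plain kfree_skb(), either pass the reason through in the same way or say in the commit message why this path is left unconverted, so the two seg6 paths do not diverge silently.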
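Review bot: In patch 8/9, the __mkroute_input() hunk at @@ -1786,13 +1788,13 assigns "reason = -err;" with no check and no comment, which is only correct if fib_validate_source() returns a negated enum skb_drop_reason on failure. Nothing in this hunk shows that contract, and a plain -errno reaching this line would be recorded as an unrelated drop reason. Suggest a comment stating the contract at the assignment, or a small helper that performs the conversion in one place so the assumption is checked once.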
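Review bot: In patch 8/9, the hunk at @@ -1820,7 +1822,8 adds the comment "/* what do we name this situation? */" beside "reason = SKB_DROP_REASON_ARP_PVLAN_DISABLE;", which is an open question to reviewers and should not land in the tree. The name should be settled before merging, since the FN(ARP_PVLAN_DISABLE) entry in dropreason-core.h exposes it to the tracing code generation. Replace the comment with one describing the condition actually tested, "out_dev == in_dev" with IN_DEV_PROXY_ARP_PVLAN(in_dev) == 0.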
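Review bot: In patch 9/9, ip_rcv_finish_core() at @@ -322,15 +322,14 now stores the enum returned by ip_route_use_hint() in "drop_reason", which the context line "int err, drop_reason;" still declares as int. Suggest declaring it as enum skb_drop_reason in this patch, and removing "err" from the declaration if nothing later in the function still uses it.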
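Review bot: In patch 9/9, the ip_route_use_hint() hunk at @@ -2142,28 +2142,34 has two consecutive branches, the ipv4_is_multicast()/ipv4_is_lbcast() test and the ipv4_is_zeronet() test, that set the same SKB_DROP_REASON_IP_INVALID_SOURCE and jump to martian_source; they can be folded into one condition. The comment block above the function still describes only the inputs, so add a line on the return value, including that the "!in_dev" early return yields SKB_DROP_REASON_NOT_SPECIFIED.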