Commit 7f9562a1 authored by Jiri Benc, committed by David S. Miller

ip_tunnels: record IP version in tunnel info

There's currently nothing preventing directing packets with IPv6
encapsulation data to IPv4 tunnels (and vice versa). If this happens,
IPv6 addresses are incorrectly interpreted as IPv4 ones.

Track whether the given ip_tunnel_key contains IPv4 or IPv6 data. Store this
in ip_tunnel_info. Reject packets at appropriate places if they are supposed
to be encapsulated into an incompatible protocol.
Signed-off-by: Jiri Benc <jbenc@redhat.com>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Acked-by: Thomas Graf <tgraf@suug.ch>
Acked-by: Pravin B Shelar <pshelar@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 46fa062a
...@@ -627,6 +627,8 @@ static netdev_tx_t geneve_xmit(struct sk_buff *skb, struct net_device *dev) ...@@ -627,6 +627,8 @@ static netdev_tx_t geneve_xmit(struct sk_buff *skb, struct net_device *dev)
netdev_dbg(dev, "no tunnel metadata\n"); netdev_dbg(dev, "no tunnel metadata\n");
goto tx_error; goto tx_error;
} }
if (info && ip_tunnel_info_af(info) != AF_INET)
goto tx_error;
} }
rt = geneve_get_rt(skb, dev, &fl4, info); rt = geneve_get_rt(skb, dev, &fl4, info);
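Review bot: The new address-family check in geneve_xmit jumps to tx_error without any message, unlike the `no tunnel metadata` branch directly above it, so a route that steers IPv6 encapsulation data into this IPv4 device fails with nothing to show why. Adding `netdev_dbg(dev, "tunnel metadata is not IPv4\n");` before the `goto`, and wrapping the condition in `unlikely()` like its neighbour, would make the misconfiguration diagnosable. The same silent drop appears in the vxlan_xmit_one check (`goto drop`) and in the extended condition in gre_fb_xmit (`goto err_free_skb`). geneve_xmit begins and continues outside the hunk, so whether tx_error already bumps a counter is not visible here.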
......
...@@ -1903,6 +1903,8 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev, ...@@ -1903,6 +1903,8 @@ static void vxlan_xmit_one(struct sk_buff *skb, struct net_device *dev,
dev->name); dev->name);
goto drop; goto drop;
} }
if (family != ip_tunnel_info_af(info))
goto drop;
dst_port = info->key.tp_dst ? : vxlan->cfg.dst_port; dst_port = info->key.tp_dst ? : vxlan->cfg.dst_port;
vni = be64_to_cpu(info->key.tun_id); vni = be64_to_cpu(info->key.tun_id);
......
...@@ -105,6 +105,7 @@ static inline struct metadata_dst *ipv6_tun_rx_dst(struct sk_buff *skb, ...@@ -105,6 +105,7 @@ static inline struct metadata_dst *ipv6_tun_rx_dst(struct sk_buff *skb,
info->key.u.ipv6.dst = ip6h->daddr; info->key.u.ipv6.dst = ip6h->daddr;
info->key.tos = ipv6_get_dsfield(ip6h); info->key.tos = ipv6_get_dsfield(ip6h);
info->key.ttl = ip6h->hop_limit; info->key.ttl = ip6h->hop_limit;
info->mode = IP_TUNNEL_INFO_IPV6;
return tun_dst; return tun_dst;
} }
......
...@@ -4,6 +4,7 @@ ...@@ -4,6 +4,7 @@
#include <linux/if_tunnel.h> #include <linux/if_tunnel.h>
#include <linux/netdevice.h> #include <linux/netdevice.h>
#include <linux/skbuff.h> #include <linux/skbuff.h>
#include <linux/socket.h>
#include <linux/types.h> #include <linux/types.h>
#include <linux/u64_stats_sync.h> #include <linux/u64_stats_sync.h>
#include <net/dsfield.h> #include <net/dsfield.h>
...@@ -52,6 +53,7 @@ struct ip_tunnel_key { ...@@ -52,6 +53,7 @@ struct ip_tunnel_key {
/* Flags for ip_tunnel_info mode. */ /* Flags for ip_tunnel_info mode. */
#define IP_TUNNEL_INFO_TX 0x01 /* represents tx tunnel parameters */ #define IP_TUNNEL_INFO_TX 0x01 /* represents tx tunnel parameters */
#define IP_TUNNEL_INFO_IPV6 0x02 /* key contains IPv6 addresses */
struct ip_tunnel_info { struct ip_tunnel_info {
struct ip_tunnel_key key; struct ip_tunnel_key key;
...@@ -208,6 +210,8 @@ static inline void __ip_tunnel_info_init(struct ip_tunnel_info *tun_info, ...@@ -208,6 +210,8 @@ static inline void __ip_tunnel_info_init(struct ip_tunnel_info *tun_info,
tun_info->options = opts; tun_info->options = opts;
tun_info->options_len = opts_len; tun_info->options_len = opts_len;
tun_info->mode = 0;
} }
static inline void ip_tunnel_info_init(struct ip_tunnel_info *tun_info, static inline void ip_tunnel_info_init(struct ip_tunnel_info *tun_info,
...@@ -221,6 +225,12 @@ static inline void ip_tunnel_info_init(struct ip_tunnel_info *tun_info, ...@@ -221,6 +225,12 @@ static inline void ip_tunnel_info_init(struct ip_tunnel_info *tun_info,
tun_id, tun_flags, opts, opts_len); tun_id, tun_flags, opts, opts_len);
} }
static inline unsigned short ip_tunnel_info_af(const struct ip_tunnel_info
*tun_info)
{
return tun_info->mode & IP_TUNNEL_INFO_IPV6 ? AF_INET6 : AF_INET;
}
#ifdef CONFIG_INET #ifdef CONFIG_INET
int ip_tunnel_init(struct net_device *dev); int ip_tunnel_init(struct net_device *dev);
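Review bot: ip_tunnel_info_af() reports AF_INET whenever IP_TUNNEL_INFO_IPV6 is not set, so IPv4 is an implicit default rather than a recorded fact, and any producer that fills `key.u.ipv6` but forgets the flag passes every new `!= AF_INET` check with its addresses read as IPv4. That contract deserves a comment on the helper, for example `/* Absence of IP_TUNNEL_INFO_IPV6 means the key holds IPv4 addresses; code that fills key.u.ipv6 must set the flag. */`. The return expression would also read more safely as `return (tun_info->mode & IP_TUNNEL_INFO_IPV6) ? AF_INET6 : AF_INET;`. The helper dereferences tun_info unconditionally, so callers must keep their NULL checks ahead of it, as the call sites visible on this page appear to do.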
......
...@@ -1493,6 +1493,8 @@ static u64 bpf_skb_get_tunnel_key(u64 r1, u64 r2, u64 size, u64 flags, u64 r5) ...@@ -1493,6 +1493,8 @@ static u64 bpf_skb_get_tunnel_key(u64 r1, u64 r2, u64 size, u64 flags, u64 r5)
if (unlikely(size != sizeof(struct bpf_tunnel_key) || flags || !info)) if (unlikely(size != sizeof(struct bpf_tunnel_key) || flags || !info))
return -EINVAL; return -EINVAL;
if (ip_tunnel_info_af(info) != AF_INET)
return -EINVAL;
to->tunnel_id = be64_to_cpu(info->key.tun_id); to->tunnel_id = be64_to_cpu(info->key.tun_id);
to->remote_ipv4 = be32_to_cpu(info->key.u.ipv4.src); to->remote_ipv4 = be32_to_cpu(info->key.u.ipv4.src);
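Review bot: The added address-family check in bpf_skb_get_tunnel_key returns -EINVAL, the same value the line above it returns for a wrong size, non-zero flags or missing tunnel info, so a BPF program cannot tell IPv6 metadata apart from a malformed call. At minimum a comment such as `/* struct bpf_tunnel_key can only carry an IPv4 address (remote_ipv4) */` would record why IPv6 info is refused here. ovs_flow_key_extract and ovs_tunnel_get_egress_info follow the same pattern, returning -EINVAL for an address-family mismatch with no comment stating that only IPv4 tunnel keys are handled. The function body continues outside the hunk.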
......
...@@ -511,7 +511,8 @@ static void gre_fb_xmit(struct sk_buff *skb, struct net_device *dev) ...@@ -511,7 +511,8 @@ static void gre_fb_xmit(struct sk_buff *skb, struct net_device *dev)
int err; int err;
tun_info = skb_tunnel_info(skb); tun_info = skb_tunnel_info(skb);
if (unlikely(!tun_info || !(tun_info->mode & IP_TUNNEL_INFO_TX))) if (unlikely(!tun_info || !(tun_info->mode & IP_TUNNEL_INFO_TX) ||
ip_tunnel_info_af(tun_info) != AF_INET))
goto err_free_skb; goto err_free_skb;
key = &tun_info->key; key = &tun_info->key;
......
...@@ -356,7 +356,7 @@ static int ip6_tun_build_state(struct net_device *dev, struct nlattr *attr, ...@@ -356,7 +356,7 @@ static int ip6_tun_build_state(struct net_device *dev, struct nlattr *attr,
if (tb[LWTUNNEL_IP6_FLAGS]) if (tb[LWTUNNEL_IP6_FLAGS])
tun_info->key.tun_flags = nla_get_u16(tb[LWTUNNEL_IP6_FLAGS]); tun_info->key.tun_flags = nla_get_u16(tb[LWTUNNEL_IP6_FLAGS]);
tun_info->mode = IP_TUNNEL_INFO_TX; tun_info->mode = IP_TUNNEL_INFO_TX | IP_TUNNEL_INFO_IPV6;
tun_info->options = NULL; tun_info->options = NULL;
tun_info->options_len = 0; tun_info->options_len = 0;
......
...@@ -688,6 +688,8 @@ int ovs_flow_key_extract(const struct ip_tunnel_info *tun_info, ...@@ -688,6 +688,8 @@ int ovs_flow_key_extract(const struct ip_tunnel_info *tun_info,
{ {
/* Extract metadata from packet. */ /* Extract metadata from packet. */
if (tun_info) { if (tun_info) {
if (ip_tunnel_info_af(tun_info) != AF_INET)
return -EINVAL;
memcpy(&key->tun_key, &tun_info->key, sizeof(key->tun_key)); memcpy(&key->tun_key, &tun_info->key, sizeof(key->tun_key));
if (tun_info->options) { if (tun_info->options) {
......
...@@ -587,6 +587,8 @@ int ovs_tunnel_get_egress_info(struct ip_tunnel_info *egress_tun_info, ...@@ -587,6 +587,8 @@ int ovs_tunnel_get_egress_info(struct ip_tunnel_info *egress_tun_info,
if (unlikely(!tun_info)) if (unlikely(!tun_info))
return -EINVAL; return -EINVAL;
if (ip_tunnel_info_af(tun_info) != AF_INET)
return -EINVAL;
tun_key = &tun_info->key; tun_key = &tun_info->key;
......