GET /api/patches/851559/?format=api
{ "id": 851559, "url": "http://patchwork.ozlabs.org/api/patches/851559/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netdev/patch/20171220170607.41516-6-lorenzo@google.com/", "project": { "id": 7, "url": "http://patchwork.ozlabs.org/api/projects/7/?format=api", "name": "Linux network development", "link_name": "netdev", "list_id": "netdev.vger.kernel.org", "list_email": "netdev@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20171220170607.41516-6-lorenzo@google.com>", "list_archive_url": null, "date": "2017-12-20T17:06:05", "name": "[ipsec-next,5/7] net: xfrm: Deliver packets to keyed VTI tunnels.", "commit_ref": null, "pull_url": null, "state": "awaiting-upstream", "archived": true, "hash": "946910b03ba158f42b1c768eabaacf522613354a", "submitter": { "id": 3403, "url": "http://patchwork.ozlabs.org/api/people/3403/?format=api", "name": "Lorenzo Colitti", "email": "lorenzo@google.com" }, "delegate": { "id": 34, "url": "http://patchwork.ozlabs.org/api/users/34/?format=api", "username": "davem", "first_name": "David", "last_name": "Miller", "email": "davem@davemloft.net" }, "mbox": "http://patchwork.ozlabs.org/project/netdev/patch/20171220170607.41516-6-lorenzo@google.com/mbox/", "series": [ { "id": 19695, "url": "http://patchwork.ozlabs.org/api/series/19695/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netdev/list/?series=19695", "date": "2017-12-20T17:06:00", "name": ": Support multiple VTIs with the same src+dst pair", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/19695/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/851559/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/851559/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<netdev-owner@vger.kernel.org>", "X-Original-To": "patchwork-incoming@ozlabs.org", "Delivered-To": 
"patchwork-incoming@ozlabs.org", "Authentication-Results": [ "ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)", "ozlabs.org; dkim=pass (2048-bit key;\n\tunprotected) header.d=google.com header.i=@google.com\n\theader.b=\"RsyL7pdU\"; dkim-atps=neutral" ], "Received": [ "from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3z21R846Vfz9s83\n\tfor <patchwork-incoming@ozlabs.org>;\n\tThu, 21 Dec 2017 04:07:16 +1100 (AEDT)", "(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1755819AbdLTRHN (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tWed, 20 Dec 2017 12:07:13 -0500", "from mail-pl0-f67.google.com ([209.85.160.67]:38315 \"EHLO\n\tmail-pl0-f67.google.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1755607AbdLTRGh (ORCPT\n\t<rfc822;netdev@vger.kernel.org>); Wed, 20 Dec 2017 12:06:37 -0500", "by mail-pl0-f67.google.com with SMTP id s10so9355238plj.5\n\tfor <netdev@vger.kernel.org>; Wed, 20 Dec 2017 09:06:37 -0800 (PST)", "from lorenzo.tok.corp.google.com ([100.103.3.232])\n\tby smtp.gmail.com with ESMTPSA id\n\tt62sm29103067pgt.23.2017.12.20.09.06.34\n\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);\n\tWed, 20 Dec 2017 09:06:35 -0800 (PST)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=google.com; s=20161025;\n\th=from:to:cc:subject:date:message-id:in-reply-to:references;\n\tbh=8YJkZzbgj2ng1KMqPg88zsHzS5oUB7f5ECd+oNJ/tsU=;\n\tb=RsyL7pdULI9fqsoTat0sXJyDgo6beZB1Wh8xsKe87VpkcUA1bLO+M9ek3XS2gmwF1T\n\tnbOHVjknnALrxk//T8vmJlS7ET/HemgoNRYWFwwxQAKigBHpgiCGD8elkyRtimcKYt8G\n\t52wwKfqemJzZm6NMmnsbqhFJdGqhSyLemyzf/IC8EEZ8LT6oEEyA61SRxg6sMUc70JBj\n\tie6UikWMxPKHJrP+/e0kHegMa/PmKp0RXL4qQCS8RTCkJiIbxLAzXM/CRiRU9HWOGGjC\n\tfd1gVuEI/zPC5sa0kpxQpu5QKjjVEO7rdRBQ1SNu/wjeYjjOyf9UP2gxXcio9g7QMT56\n\ttZFA==", "X-Google-DKIM-Signature": "v=1; 
a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to\n\t:references;\n\tbh=8YJkZzbgj2ng1KMqPg88zsHzS5oUB7f5ECd+oNJ/tsU=;\n\tb=AVSqF86GbQh/RK4PYThf1zBN+iYYr1BiS0b5JPQzc08GceIONthFwPmVe5D3j+6Vid\n\tHeLBQyDDgeHbsH5EII7RzwFSoFeVvTycO3W7Z1qc5Tm76y6kdMqJsdfvnWlKJguxncx/\n\tkx1frvVfUwwdsoih5ttBbI+QkVExang9u4zPl7revPOfMtvIZ5Z+mK5n5esg2mckPRPv\n\tgYl7zfcgDq0Ovgvg4coYoWnEJv5D3xif0tDWOHU+bRjJwYAvW6WDmCnAv7xZRgj9wVhh\n\tSC7JvCKPmno/3dJMFs6WBQP2blMCKy3ITBNJssRwQl3TM5IxxQwBv3l1Jj+zk2D4H5Ip\n\t6CJw==", "X-Gm-Message-State": "AKGB3mJU92vklSWmiPNI25AATp96uMzBKBfeWWRXhUrZmD46BHcOVXn5\n\tRJpiOvLQTVCne/QZZcw7PJ2WP6ynGG0=", "X-Google-Smtp-Source": "ACJfBovGuurosOKB3w9P3PPjOY4tVKULXF8MeqkkWro9oEM111HYb11OmJgzT8tHK1hTfu8zrURS6w==", "X-Received": "by 10.84.193.129 with SMTP id f1mr7587907pld.355.1513789596600; \n\tWed, 20 Dec 2017 09:06:36 -0800 (PST)", "From": "Lorenzo Colitti <lorenzo@google.com>", "To": "netdev@vger.kernel.org", "Cc": "steffen.klassert@secunet.com, subashab@codeaurora.org,\n\tnharold@google.com, davem@davemloft.net,\n\tLorenzo Colitti <lorenzo@google.com>", "Subject": "[PATCH ipsec-next 5/7] net: xfrm: Deliver packets to keyed VTI\n\ttunnels.", "Date": "Thu, 21 Dec 2017 02:06:05 +0900", "Message-Id": "<20171220170607.41516-6-lorenzo@google.com>", "X-Mailer": "git-send-email 2.15.1.620.gb9897f4670-goog", "In-Reply-To": "<20171220170607.41516-1-lorenzo@google.com>", "References": "<20171220170607.41516-1-lorenzo@google.com>", "Sender": "netdev-owner@vger.kernel.org", "Precedence": "bulk", "List-ID": "<netdev.vger.kernel.org>", "X-Mailing-List": "netdev@vger.kernel.org" }, "content": "- Input works as follows:\n 1. Attempt to match a regular VTI by IP addresses only. If that\n succeeds, use the i_key as the mark to look up the xfrm\n state.\n 2. If the match failed, do an XFRM state lookup that ignores\n the mark. 
If that finds an state, then use the state match's\n mark to find the tunnel by its i_key.\n- ICMP errors: similar to input, except the search is for the\n outbound XFRM state and the tunnel is found by o_key instead of\n by i_key.\n- The output path is the same as existing VTIs. A routing lookup\n matches a VTI interface. The VTI uses its o_key as the mark to\n select an XFRM state. The state transforms the packet.\n\nSigned-off-by: Lorenzo Colitti <lorenzo@google.com>\n---\n net/ipv4/ip_vti.c | 52 ++++++++++++++++++++++++++++++------------\n net/ipv6/ip6_vti.c | 67 ++++++++++++++++++++++++++++++++++++++++--------------\n 2 files changed, 88 insertions(+), 31 deletions(-)", "diff": "diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c\nindex 21f93e398e..9d28433a60 100644\n--- a/net/ipv4/ip_vti.c\n+++ b/net/ipv4/ip_vti.c\n@@ -63,6 +63,18 @@ vti4_find_tunnel(struct sk_buff *skb, __be32 spi, struct xfrm_state **x)\n \t\t*x = xfrm_state_lookup(net, be32_to_cpu(tunnel->parms.i_key),\n \t\t\t\t (xfrm_address_t *)&iph->daddr,\n \t\t\t\t spi, iph->protocol, AF_INET);\n+\t} else {\n+\t\t*x = xfrm_state_lookup_loose(net, skb->mark,\n+\t\t\t\t\t (xfrm_address_t *)&iph->daddr,\n+\t\t\t\t\t spi, iph->protocol, AF_INET);\n+\t\tif (!*x)\n+\t\t\treturn NULL;\n+\t\ttunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_KEY,\n+\t\t\t\t\t TUNNEL_LOOKUP_NO_KEY,\n+\t\t\t\t\t iph->saddr, iph->daddr,\n+\t\t\t\t\t cpu_to_be32((*x)->mark.v));\n+\t\tif (!tunnel)\n+\t\t\txfrm_state_put(*x);\n \t}\n \n \treturn tunnel;\n@@ -302,7 +314,6 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)\n static int vti4_err(struct sk_buff *skb, u32 info)\n {\n \t__be32 spi;\n-\t__u32 mark;\n \tstruct xfrm_state *x;\n \tstruct ip_tunnel *tunnel;\n \tstruct ip_esp_hdr *esph;\n@@ -313,13 +324,6 @@ static int vti4_err(struct sk_buff *skb, u32 info)\n \tint protocol = iph->protocol;\n \tstruct ip_tunnel_net *itn = net_generic(net, vti_net_id);\n \n-\ttunnel = ip_tunnel_lookup(itn, 
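Review bot: In the new `else` branch of `vti4_find_tunnel`, a failed `ip_tunnel_lookup` drops the reference with `xfrm_state_put(*x)` but leaves the stale pointer in `*x`, so any caller that inspects `*x` after a NULL return would touch a state it no longer holds a reference on. Clear the out-parameter in the same branch: `if (!tunnel) { xfrm_state_put(*x); *x = NULL; }`. The callers are outside this hunk, so whether any of them reads `*x` on failure needs checking. The `vti6_find_tunnel` hunk has the same pattern. A short comment on the fallback would also help, stating that the state is selected without the mark and that the state's `mark.v` then selects the tunnel.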
skb->dev->ifindex, TUNNEL_NO_KEY, 0,\n-\t\t\t\t iph->daddr, iph->saddr, 0);\n-\tif (!tunnel)\n-\t\treturn -1;\n-\n-\tmark = be32_to_cpu(tunnel->parms.o_key);\n-\n \tswitch (protocol) {\n \tcase IPPROTO_ESP:\n \t\tesph = (struct ip_esp_hdr *)(skb->data+(iph->ihl<<2));\n@@ -347,18 +351,38 @@ static int vti4_err(struct sk_buff *skb, u32 info)\n \t\treturn 0;\n \t}\n \n-\tx = xfrm_state_lookup(net, mark, (const xfrm_address_t *)&iph->daddr,\n-\t\t\t spi, protocol, AF_INET);\n-\tif (!x)\n-\t\treturn 0;\n+\ttunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY, 0,\n+\t\t\t\t iph->daddr, iph->saddr, 0);\n+\tif (tunnel) {\n+\t\tx = xfrm_state_lookup(net, be32_to_cpu(tunnel->parms.o_key),\n+\t\t\t\t (xfrm_address_t *)&iph->daddr,\n+\t\t\t\t spi, iph->protocol, AF_INET);\n+\t} else {\n+\t\tx = xfrm_state_lookup_loose(net, skb->mark,\n+\t\t\t\t\t (xfrm_address_t *)&iph->daddr,\n+\t\t\t\t\t spi, iph->protocol, AF_INET);\n+\t\tif (!x)\n+\t\t\tgoto out;\n+\t\ttunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_KEY,\n+\t\t\t\t\t TUNNEL_LOOKUP_NO_KEY |\n+\t\t\t\t\t TUNNEL_LOOKUP_OKEY,\n+\t\t\t\t\t iph->daddr, iph->saddr,\n+\t\t\t\t\t cpu_to_be32(x->mark.v));\n+\t}\n+\n+\tif (!tunnel || !x)\n+\t\tgoto out;\n \n \tif (icmp_hdr(skb)->type == ICMP_DEST_UNREACH)\n \t\tipv4_update_pmtu(skb, net, info, 0, 0, protocol, 0);\n \telse\n \t\tipv4_redirect(skb, net, 0, 0, protocol, 0);\n-\txfrm_state_put(x);\n \n-\treturn 0;\n+out:\n+\tif (x)\n+\t\txfrm_state_put(x);\n+\n+\treturn tunnel ? 0 : -1;\n }\n \n static int\ndiff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c\nindex 5994fedd19..bf64821b8a 100644\n--- a/net/ipv6/ip6_vti.c\n+++ b/net/ipv6/ip6_vti.c\n@@ -78,11 +78,21 @@ struct vti6_net {\n #define for_each_vti6_tunnel_rcu(start) \\\n \tfor (t = rcu_dereference(start); t; t = rcu_dereference(t->next))\n \n+static bool vti6_match_key(const struct ip6_tnl *t, __be32 key, bool in)\n+{\n+\t__be16 tunnel_key = in ? t->parms.i_key : t->parms.o_key;\n+\t__be16 flags = in ? 
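Review bot: Moving `ip_tunnel_lookup` below the protocol switch in `vti4_err` changes the result for packets that match no VTI: the `return 0;` visible as context at the top of this hunk is now reached before any tunnel match, where the removed code returned -1 first. If the caller uses the return value to decide whether another error handler should see the packet (that caller is not on this page), errors for non-VTI traffic may now be reported as handled here. Either keep an early no-tunnel exit or document the new contract above the function, e.g. `/* Returns -1 only if the error passed the protocol and type checks and no tunnel matched. */`. The `vti6_err` hunk has the same reordering.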
t->parms.i_flags : t->parms.o_flags;\n+\n+\treturn !(flags & TUNNEL_KEY) || tunnel_key == key;\n+}\n+\n /**\n- * vti6_tnl_lookup - fetch tunnel matching the end-point addresses\n+ * vti6_tnl_lookup - fetch tunnel matching the end-point addresses and key\n * @net: network namespace\n * @remote: the address of the tunnel exit-point\n * @local: the address of the tunnel entry-point\n+ * @key: the key of the tunnel\n+ * @in: whether to match i_key or i_key\n *\n * Return:\n * tunnel matching given end-points if found,\n@@ -91,7 +101,7 @@ struct vti6_net {\n **/\n static struct ip6_tnl *\n vti6_tnl_lookup(struct net *net, const struct in6_addr *remote,\n-\t\tconst struct in6_addr *local)\n+\t\tconst struct in6_addr *local, __be32 key, bool in)\n {\n \tunsigned int hash = HASH(remote, local);\n \tstruct ip6_tnl *t;\n@@ -101,6 +111,7 @@ vti6_tnl_lookup(struct net *net, const struct in6_addr *remote,\n \tfor_each_vti6_tunnel_rcu(ip6n->tnls_r_l[hash]) {\n \t\tif (ipv6_addr_equal(local, &t->parms.laddr) &&\n \t\t ipv6_addr_equal(remote, &t->parms.raddr) &&\n+\t\t vti6_match_key(t, key, in) &&\n \t\t (t->dev->flags & IFF_UP))\n \t\t\treturn t;\n \t}\n@@ -109,6 +120,7 @@ vti6_tnl_lookup(struct net *net, const struct in6_addr *remote,\n \thash = HASH(&any, local);\n \tfor_each_vti6_tunnel_rcu(ip6n->tnls_r_l[hash]) {\n \t\tif (ipv6_addr_equal(local, &t->parms.laddr) &&\n+\t\t vti6_match_key(t, key, in) &&\n \t\t (t->dev->flags & IFF_UP))\n \t\t\treturn t;\n \t}\n@@ -116,6 +128,7 @@ vti6_tnl_lookup(struct net *net, const struct in6_addr *remote,\n \thash = HASH(remote, &any);\n \tfor_each_vti6_tunnel_rcu(ip6n->tnls_r_l[hash]) {\n \t\tif (ipv6_addr_equal(remote, &t->parms.raddr) &&\n+\t\t vti6_match_key(t, key, in) &&\n \t\t (t->dev->flags & IFF_UP))\n \t\t\treturn t;\n \t}\n@@ -266,7 +279,8 @@ static struct ip6_tnl *vti6_locate(struct net *net, struct __ip6_tnl_parm *p,\n \t (t = rtnl_dereference(*tp)) != NULL;\n \t tp = &t->next) {\n \t\tif (ipv6_addr_equal(local, 
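Review bot: In `vti6_match_key`, `tunnel_key` is declared `__be16` but is assigned from `t->parms.i_key` / `t->parms.o_key`, which the rest of this patch treats as 32-bit (`be32_to_cpu(t->parms.i_key)`, and the `key` parameter is `__be32`). The value is truncated before `tunnel_key == key`, so a keyed tunnel can fail to match its own key, or two keys that differ only in the truncated half can be treated as equal, which would deliver packets to the wrong tunnel. Declare it as `__be32 tunnel_key = in ? t->parms.i_key : t->parms.o_key;`. The kernel-doc line added for `@in` also says "i_key or i_key"; it should read `@in: whether to match i_key (true) or o_key (false)`.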
&t->parms.laddr) &&\n-\t\t ipv6_addr_equal(remote, &t->parms.raddr)) {\n+\t\t ipv6_addr_equal(remote, &t->parms.raddr) &&\n+\t\t vti6_match_key(t, p->i_key, true)) {\n \t\t\tif (create)\n \t\t\t\treturn NULL;\n \n@@ -304,11 +318,21 @@ vti6_find_tunnel(struct sk_buff *skb, __be32 spi, struct xfrm_state **x)\n \tstruct net *net = dev_net(skb->dev);\n \tstruct ip6_tnl *t;\n \n-\tt = vti6_tnl_lookup(net, &ipv6h->saddr, &ipv6h->daddr);\n+\tt = vti6_tnl_lookup(net, &ipv6h->saddr, &ipv6h->daddr, 0, true);\n \tif (t) {\n \t\t*x = xfrm_state_lookup(net, be32_to_cpu(t->parms.i_key),\n \t\t\t\t (xfrm_address_t *)&ipv6h->daddr,\n \t\t\t\t spi, ipv6h->nexthdr, AF_INET6);\n+\t} else {\n+\t\t*x = xfrm_state_lookup_loose(net, skb->mark,\n+\t\t\t\t\t (xfrm_address_t *)&ipv6h->daddr,\n+\t\t\t\t\t spi, ipv6h->nexthdr, AF_INET6);\n+\t\tif (!*x)\n+\t\t\treturn NULL;\n+\t\tt = vti6_tnl_lookup(net, &ipv6h->saddr, &ipv6h->daddr,\n+\t\t\t\t cpu_to_be32((*x)->mark.v), true);\n+\t\tif (!t)\n+\t\t\txfrm_state_put(*x);\n \t}\n \n \treturn t;\n@@ -613,7 +637,6 @@ static int vti6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,\n \t\t u8 type, u8 code, int offset, __be32 info)\n {\n \t__be32 spi;\n-\t__u32 mark;\n \tstruct xfrm_state *x;\n \tstruct ip6_tnl *t;\n \tstruct ip_esp_hdr *esph;\n@@ -623,12 +646,6 @@ static int vti6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,\n \tconst struct ipv6hdr *iph = (const struct ipv6hdr *)skb->data;\n \tint protocol = iph->nexthdr;\n \n-\tt = vti6_tnl_lookup(dev_net(skb->dev), &iph->daddr, &iph->saddr);\n-\tif (!t)\n-\t\treturn -1;\n-\n-\tmark = be32_to_cpu(t->parms.o_key);\n-\n \tswitch (protocol) {\n \tcase IPPROTO_ESP:\n \t\tesph = (struct ip_esp_hdr *)(skb->data + offset);\n@@ -650,19 +667,35 @@ static int vti6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,\n \t type != NDISC_REDIRECT)\n \t\treturn 0;\n \n-\tx = xfrm_state_lookup(net, mark, (const xfrm_address_t *)&iph->daddr,\n-\t\t\t spi, protocol, AF_INET6);\n-\tif (!x)\n-\t\treturn 
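Review bot: `vti6_locate` now calls `vti6_match_key(t, p->i_key, true)`, which looks only at the existing tunnel's input flags and key and never at `p->i_flags` or the output key. An existing unkeyed tunnel therefore matches every request for the same address pair, while an existing keyed tunnel does not match an unkeyed request unless the key values happen to be equal, so whether a keyed and an unkeyed tunnel can coexist appears to depend on creation order. If that is intended, say so in a comment at the call, e.g. `/* an unkeyed tunnel owns the whole address pair */`; otherwise compare the requested flags as well. The loop this condition belongs to starts and ends outside the hunk.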
0;\n+\tt = vti6_tnl_lookup(net, &iph->daddr, &iph->saddr, 0, false);\n+\tif (t) {\n+\t\tx = xfrm_state_lookup(net, be32_to_cpu(t->parms.o_key),\n+\t\t\t\t (xfrm_address_t *)&iph->daddr,\n+\t\t\t\t spi, protocol, AF_INET6);\n+\t} else {\n+\t\tx = xfrm_state_lookup_loose(net, skb->mark,\n+\t\t\t\t\t (xfrm_address_t *)&iph->daddr,\n+\t\t\t\t\t spi, protocol, AF_INET6);\n+\t\tif (!x)\n+\t\t\tgoto out;\n+\t\tt = vti6_tnl_lookup(net, &iph->daddr, &iph->saddr,\n+\t\t\t\t cpu_to_be32(x->mark.v), false);\n+\t}\n+\n+\tif (!t || !x)\n+\t\tgoto out;\n \n \tif (type == NDISC_REDIRECT)\n \t\tip6_redirect(skb, net, skb->dev->ifindex, 0,\n \t\t\t sock_net_uid(net, NULL));\n \telse\n \t\tip6_update_pmtu(skb, net, info, 0, 0, sock_net_uid(net, NULL));\n-\txfrm_state_put(x);\n \n-\treturn 0;\n+out:\n+\tif (x)\n+\t\txfrm_state_put(x);\n+\n+\treturn t ? 0 : -1;\n }\n \n static void vti6_link_config(struct ip6_tnl *t)\n", "prefixes": [ "ipsec-next", "5/7" ] }
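Review bot: The lookups added to `vti6_err` cast `&iph->daddr` to `(xfrm_address_t *)`, although `iph` is declared `const struct ipv6hdr *` in the context above and the removed call used `(const xfrm_address_t *)`. Keep the const-qualified form, `(const xfrm_address_t *)&iph->daddr`, at least for `xfrm_state_lookup`, which the removed line shows accepts it; the prototype of `xfrm_state_lookup_loose` is not on this page. The `vti4_err` hunk drops the qualifier in the same way and also passes `iph->protocol` where the local `protocol` was used before; using the local in both places would keep the two handlers consistent.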