From patchwork Fri Dec 28 08:07:16 2012
X-Patchwork-Submitter: Li RongQing
X-Patchwork-Id: 208421
X-Patchwork-Delegate: davem@davemloft.net
From: roy.qing.li@gmail.com To: netdev@vger.kernel.org Subject: [RFC PATCH] ah4/esp4: set transport header correctly for IPsec tunnel mode. Date: Fri, 28 Dec 2012 16:07:16 +0800 Message-Id: <1356682036-25642-1-git-send-email-roy.qing.li@gmail.com> X-Mailer: git-send-email 1.7.10.4 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Li RongQing IPsec tunnel does not set ECN field to CE in inner header when the ECN field in the outer header is CE, and the ECN field in the inner header is ECT(0) or ECT(1). The cause is ipip_hdr() does not return the correct address of inner header since skb->transport-header is not the inner header after esp_input_done2(), or ah_input(). Signed-off-by: Li RongQing --- I know this bug, but no lab to verify if my patch is correct, hope netdev experts can inspect this patch carefully, if this can be accepted, I will do same fix for ah6/esp6 net/ipv4/ah4.c | 11 +++++++++-- net/ipv4/esp4.c | 5 ++++- 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c index a0d8392..a154d0a 100644 --- a/net/ipv4/ah4.c +++ b/net/ipv4/ah4.c @@ -269,7 +269,11 @@ static void ah_input_done(struct crypto_async_request *base, int err) skb->network_header += ah_hlen; memcpy(skb_network_header(skb), work_iph, ihl); __skb_pull(skb, ah_hlen + ihl); - skb_set_transport_header(skb, -ihl); + + if (x->props.mode == XFRM_MODE_TUNNEL) + skb_reset_transport_header(skb); + else + skb_set_transport_header(skb, -ihl); out: kfree(AH_SKB_CB(skb)->tmp); xfrm_input_resume(skb, err); @@ -381,7 +385,10 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb) skb->network_header += ah_hlen; memcpy(skb_network_header(skb), work_iph, ihl); __skb_pull(skb, ah_hlen + ihl); - skb_set_transport_header(skb, -ihl); + if (x->props.mode == XFRM_MODE_TUNNEL) + skb_reset_transport_header(skb); + else + skb_set_transport_header(skb, -ihl); err = nexthdr; 
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index b61e9de..fd26ff4 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c @@ -346,7 +346,10 @@ static int esp_input_done2(struct sk_buff *skb, int err) pskb_trim(skb, skb->len - alen - padlen - 2); __skb_pull(skb, hlen); - skb_set_transport_header(skb, -ihl); + if (x->props.mode == XFRM_MODE_TUNNEL) + skb_reset_transport_header(skb); + else + skb_set_transport_header(skb, -ihl); err = nexthdr[1];
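Review bot: In the ah_input_done() hunk of net/ipv4/ah4.c, the changelog does not cover this path: it names only esp_input_done2() and ah_input() as the places where the transport header ends up wrong, yet the async completion handler is changed as well. Please mention ah_input_done() in the commit message so the description matches the diff. The hunk header shows the function taking only (struct crypto_async_request *base, int err), and no declaration of x is visible in the context, so it is worth confirming that x is in scope at the new `if (x->props.mode == XFRM_MODE_TUNNEL)` line. Minor style point: this hunk adds a blank line before the `if`, while the other two hunks do not; pick one form.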
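Review bot: In the ah_input() hunk of net/ipv4/ah4.c, the four-line tunnel/transport branch is a verbatim copy of the one added to ah_input_done() and to esp_input_done2(), and the note under the `---` says the same change is planned for ah6/esp6. Three open-coded copies now and more later are easy to let drift apart. Consider one small static inline helper that takes x, skb and ihl and does the `skb_reset_transport_header(skb)` versus `skb_set_transport_header(skb, -ihl)` choice, with a comment stating that in tunnel mode skb->data after the `__skb_pull()` is the inner IP header that ipip_hdr() must return.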
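Review bot: In the esp_input_done2() hunk of net/ipv4/esp4.c, the new branch has no comment and no test evidence, and the submitter states the patch was not verified. Since the old `skb_set_transport_header(skb, -ihl)` is kept for every mode other than XFRM_MODE_TUNNEL, the behaviour change is limited to tunnel mode, but that is exactly the case that needs a result: an ESP tunnel where the outer header carries CE and the inner header carries ECT(0) or ECT(1), checking that the inner header is marked CE after decapsulation, plus a transport-mode run to show nothing regressed. Please also say in the changelog whether any mode other than XFRM_MODE_TUNNEL reaches the ipip_hdr() ECN path, because such a mode would still get the old offset.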