From patchwork Wed May 16 20:36:40 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: David Ahern <dsahern@gmail.com>
X-Patchwork-Id: 914921
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="Fb7BPXja"; dkim-atps=neutral
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 40mR7C0b8Zz9s0q
	for <patchwork-incoming-netdev@ozlabs.org>;
	Thu, 17 May 2018 06:36:55 +1000 (AEST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751210AbeEPUgw (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Wed, 16 May 2018 16:36:52 -0400
Received: from mail-pg0-f65.google.com ([74.125.83.65]:40812 "EHLO
	mail-pg0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750924AbeEPUgt (ORCPT
	<rfc822;netdev@vger.kernel.org>); Wed, 16 May 2018 16:36:49 -0400
Received: by mail-pg0-f65.google.com with SMTP id l2-v6so782487pgc.7
	for <netdev@vger.kernel.org>; Wed, 16 May 2018 13:36:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id;
	bh=5z/08b7FCBgzktAakUOZIlNVqmHzV0awdOSaXsx/fJw=;
	b=Fb7BPXja2MhcySUBYVnmg52vakHnTGwvFjKdkm89aA9kfqLkQO8WTyVb9PCt8gRoto
	P9H06RU/5JE8nj0tEXJrKHegCENIE1FohMvVJBPHebkVwhW44nicu6wtMl5fuLA59o34
	hJQLYLnE3voSkyPLcV/0/oSCkXtxpRE9g6+Efah3nHvLDPLkIUWjA7v7R8J+naT9kVHL
	xJOvEahecWe/skxlsIlFAbUmXQH8jWWsp+V1NI5VZLF4T9XCJeeiExcivZzwFVyfVX0d
	YPi9undMyL/pHzCncX/ePeLJ01bbKi1932tQTlbx05sCFXgso5t/LMl+FpnR0KiB8oC1
	UcLA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=5z/08b7FCBgzktAakUOZIlNVqmHzV0awdOSaXsx/fJw=;
	b=T86wjIC/UZpEycyiove8K1+1q/6QCXfVqVbOkQr+yHROxtX8Xz8sk6VKlE89twR6T2
	H3wAGX6Z/57W022TT+4EDEt5BEnKODXI9UnTxOwIOgLrXUJ1dyGJrTY1MLeFqsEmbjtm
	MsUgCjf7qFd2QxRjJHbRJovUZt8rKHT7obftK6BL4FadpaIzn7FyK8zVYJrC8alrdjE4
	MocxpUxtTY+4vlInCD92EA8ktcGXrlp1I7KJx+vv7y368mtLL0QTvYhMm+E+ibwOAiu7
	a1tcrgaEqE4qBziiqnlxsIcKBLPRBEk1MxnWtjIrKTjc+8lAn2azbF2TkUUeYkCMpxTi
	j4PQ==
X-Gm-Message-State: ALKqPwekydBFlWxUSZn9WDvlNCOPN7ZE04KA3+QXaAQPBmylBFPYruEU
	bGQYTI2cAIBHDH9GZ0pkpA6WQA==
X-Google-Smtp-Source: 
 AB8JxZrbzRRr7wpW85VtAO8Q8pfY4gNBX6P8eH+rZZjQcB8cMLRHt8/OVFvqOZ2DqKUqLnYyf4orjg==
X-Received: by 2002:a62:23d7:: with SMTP id
	q84-v6mr2426310pfj.31.1526503008411;
	Wed, 16 May 2018 13:36:48 -0700 (PDT)
Received: from kenny.it.cumulusnetworks.com. (fw.cumulusnetworks.com.
	[216.129.126.126]) by smtp.googlemail.com with ESMTPSA id
	v5-v6sm5155740pff.130.2018.05.16.13.36.46
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Wed, 16 May 2018 13:36:47 -0700 (PDT)
From: David Ahern <dsahern@gmail.com>
To: netdev@vger.kernel.org
Cc: roopa@cumulusnetworks.com, David Ahern <dsahern@gmail.com>
Subject: [PATCH v2 net] net/ipv4: Initialize proto and ports in flow struct
Date: Wed, 16 May 2018 13:36:40 -0700
Message-Id: <20180516203640.12568-1-dsahern@gmail.com>
X-Mailer: git-send-email 2.11.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Updating the FIB tracepoint for the recent change to allow rules using
the protocol and ports exposed a few places where the entries in the flow
struct are not initialized.

For __fib_validate_source add the call to fib4_rules_early_flow_dissect
since it is invoked for the input path. For netfilter, add the memset on
the flow struct to avoid future problems like this. In ip_route_input_slow
need to set the fields if the skb dissection does not happen.

Fixes: bfff4862653b ("net: fib_rules: support for match on ip_proto, sport and dport")
Signed-off-by: David Ahern <dsahern@gmail.com>
Acked-by: Roopa Prabhu <roopa@cumulusnetworks.com>
---
Have not seen any problems with the IPv6 version

v2
- do not remove tracepoint in __fib_validate_source (sent the net-next
  version of this patch)
- add set of ports and proto to ip_route_input_slow if skb dissect
  is not done

 net/ipv4/fib_frontend.c           | 8 +++++++-
 net/ipv4/netfilter/ipt_rpfilter.c | 2 +-
 net/ipv4/route.c                  | 7 ++++++-
 3 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index f05afaf3235c..4d622112bf95 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -326,10 +326,11 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
 				 u8 tos, int oif, struct net_device *dev,
 				 int rpf, struct in_device *idev, u32 *itag)
 {
+	struct net *net = dev_net(dev);
+	struct flow_keys flkeys;
 	int ret, no_addr;
 	struct fib_result res;
 	struct flowi4 fl4;
-	struct net *net = dev_net(dev);
 	bool dev_match;
 
 	fl4.flowi4_oif = 0;
@@ -347,6 +348,11 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
 	no_addr = idev->ifa_list == NULL;
 
 	fl4.flowi4_mark = IN_DEV_SRC_VMARK(idev) ? skb->mark : 0;
+	if (!fib4_rules_early_flow_dissect(net, skb, &fl4, &flkeys)) {
+		fl4.flowi4_proto = 0;
+		fl4.fl4_sport = 0;
+		fl4.fl4_dport = 0;
+	}
 
 	trace_fib_validate_source(dev, &fl4);
 
diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
index fd01f13c896a..12843c9ef142 100644
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -89,10 +89,10 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
 			return true ^ invert;
 	}
 
+	memset(&flow, 0, sizeof(flow));
 	flow.flowi4_iif = LOOPBACK_IFINDEX;
 	flow.daddr = iph->saddr;
 	flow.saddr = rpfilter_get_saddr(iph->daddr);
-	flow.flowi4_oif = 0;
 	flow.flowi4_mark = info->flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0;
 	flow.flowi4_tos = RT_TOS(iph->tos);
 	flow.flowi4_scope = RT_SCOPE_UNIVERSE;
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 29268efad247..2cfa1b518f8d 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1961,8 +1961,13 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
 	fl4.saddr = saddr;
 	fl4.flowi4_uid = sock_net_uid(net, NULL);
 
-	if (fib4_rules_early_flow_dissect(net, skb, &fl4, &_flkeys))
+	if (fib4_rules_early_flow_dissect(net, skb, &fl4, &_flkeys)) {
 		flkeys = &_flkeys;
+	} else {
+		fl4.flowi4_proto = 0;
+		fl4.fl4_sport = 0;
+		fl4.fl4_dport = 0;
+	}
 
 	err = fib_lookup(net, &fl4, res, 0);
 	if (err != 0) {