From patchwork Wed Feb 14 23:18:08 2018
X-Patchwork-Submitter: Gregory Rose
X-Patchwork-Id: 873571
From: Greg Rose
To: dev@openvswitch.org
Date: Wed, 14 Feb 2018 15:18:08 -0800
Message-Id: <1518650290-31536-7-git-send-email-gvrose8192@gmail.com>
In-Reply-To: <1518650290-31536-1-git-send-email-gvrose8192@gmail.com>
References: <1518650290-31536-1-git-send-email-gvrose8192@gmail.com>
Subject: [ovs-dev] [PATCH 6/8] datapath: Remove padding from packet before L3+ conntrack processing

From: Ed Swierk

Upstream commit:
    commit 9382fe71c0058465e942a633869629929102843d
    Author: Ed Swierk
    Date:   Wed Jan 31 18:48:02 2018 -0800

    openvswitch: Remove padding from packet before L3+ conntrack processing

    IPv4 and IPv6 packets may arrive with lower-layer padding that is not
    included in the L3 length. For example, a short IPv4 packet may have
    up to 6 bytes of padding following the IP payload when received on an
    Ethernet device with a minimum packet length of 64 bytes.
    Higher-layer processing functions in netfilter (e.g. nf_ip_checksum(),
    and help() in nf_conntrack_ftp) assume skb->len reflects the length of
    the L3 header and payload, rather than referring back to
    ip_hdr->tot_len or ipv6_hdr->payload_len, and get confused by
    lower-layer padding.

    In the normal IPv4 receive path, ip_rcv() trims the packet to
    ip_hdr->tot_len before invoking netfilter hooks. In the IPv6 receive
    path, ip6_rcv() does the same using ipv6_hdr->payload_len. Similarly
    in the br_netfilter receive path, br_validate_ipv4() and
    br_validate_ipv6() trim the packet to the L3 length before invoking
    netfilter hooks.

    Currently in the OVS conntrack receive path, ovs_ct_execute() pulls
    the skb to the L3 header but does not trim it to the L3 length before
    calling nf_conntrack_in(NF_INET_PRE_ROUTING). When
    nf_conntrack_proto_tcp encounters a packet with lower-layer padding,
    nf_ip_checksum() fails causing a "nf_ct_tcp: bad TCP checksum" log
    message. While extra zero bytes don't affect the checksum, the length
    in the IP pseudoheader does. That length is based on skb->len, and
    without trimming, it doesn't match the length the sender used when
    computing the checksum.

    In ovs_ct_execute(), trim the skb to the L3 length before higher-layer
    processing.

    Signed-off-by: Ed Swierk
    Acked-by: Pravin B Shelar
    Signed-off-by: David S. Miller

Cc: Ed Swierk
Signed-off-by: Greg Rose
---
 datapath/conntrack.c | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/datapath/conntrack.c b/datapath/conntrack.c index d58240b..e53b8e3 100644 --- a/datapath/conntrack.c +++ b/datapath/conntrack.c @@ -1138,6 +1138,36 @@ static int ovs_ct_commit(struct net *net, struct sw_flow_key *key, return 0; } +/* Trim the skb to the length specified by the IP/IPv6 header, + * removing any trailing lower-layer padding. This prepares the skb + * for higher-layer processing that assumes skb->len excludes padding + * (such as nf_ip_checksum). The caller needs to pull the skb to the + * network header, and ensure ip_hdr/ipv6_hdr points to valid data. + */ +static int ovs_skb_network_trim(struct sk_buff *skb) +{ + unsigned int len; + int err; + + switch (skb->protocol) { + case htons(ETH_P_IP): + len = ntohs(ip_hdr(skb)->tot_len); + break; + case htons(ETH_P_IPV6): + len = sizeof(struct ipv6hdr) + + ntohs(ipv6_hdr(skb)->payload_len); + break; + default: + len = skb->len; + } + + err = pskb_trim_rcsum(skb, len); + if (err) + kfree_skb(skb); + + return err; +} + /* Returns 0 on success, -EINPROGRESS if 'skb' is stolen, or other nonzero * value if 'skb' is freed. */ @@ -1152,6 +1182,10 @@ int ovs_ct_execute(struct net *net, struct sk_buff *skb, nh_ofs = skb_network_offset(skb); skb_pull_rcsum(skb, nh_ofs); + err = ovs_skb_network_trim(skb); + if (err) + return err; + if (key->ip.frag != OVS_FRAG_TYPE_NONE) { err = handle_fragments(net, key, info->zone.id, skb); if (err)
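
Review bot: in ovs_skb_network_trim() (first hunk), len is taken straight from ip_hdr(skb)->tot_len or ipv6_hdr(skb)->payload_len with no lower bound, so a tot_len smaller than the IPv4 header length would make pskb_trim_rcsum() cut the skb inside the header that the comment says the caller has made valid. Suggest rejecting a len below the header size (ip_hdrlen(skb) for IPv4) before trimming, or stating in the comment that the caller has already checked it. The comment should also say that the skb is freed on error, since the caller depends on that, and the "default:" case would read better with an explicit "break;".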
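
Review bot: the new early "return err" in ovs_ct_execute() (second hunk) is only correct because ovs_skb_network_trim() has already called kfree_skb() on failure; nothing at the call site says so, and a reader checking it against the function comment ("other nonzero value if 'skb' is freed") has to open the helper to confirm it. A one-line comment at the call, or freeing in the caller rather than in the helper, would make the ownership clear. The trim is also permanent: the visible lines do not restore the padding after conntrack, so it is worth confirming that later output of a frame shorter than the Ethernet minimum is acceptable.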
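
The checksum mismatch the commit message describes, as an added userspace illustration (not code from the patch or from Open vSwitch). The packet bytes, FRAME_LEN and all function names are constructed for the example; it verifies one TCP segment twice, once with the padded length and once with the length from tot_len.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define FRAME_LEN 46 /* constructed: 40-byte packet + 6 bytes Ethernet pad */

/* RFC 1071 one's-complement sum of n bytes, added to a running sum. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t n)
{
    for (; n > 1; p += 2, n -= 2)
        sum += (uint32_t)(p[0] << 8 | p[1]);
    return n ? sum + ((uint32_t)p[0] << 8) : sum;
}

/* TCP checksum of an IPv4 packet, with the L3 length supplied by the
 * caller (as code relying on skb->len does). 0 means the checksum is good. */
static uint16_t tcp_csum(const uint8_t *pkt, size_t l3_len)
{
    size_t ihl = (pkt[0] & 0x0f) * 4u, l4_len = l3_len - ihl;
    uint32_t sum = csum_add(0, pkt + 12, 8); /* pseudoheader: src, dst */
    sum += 6 + (uint32_t)l4_len;             /* pseudoheader: proto, length */
    sum = csum_add(sum, pkt + ihl, l4_len);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* L3 length from the IPv4 header (tot_len), the value the patch trims to. */
static size_t ip_tot_len(const uint8_t *p) { return (size_t)p[2] << 8 | p[3]; }

/* Constructed sample: IPv4 header + TCP SYN (40 bytes), then zero padding.
 * The IP header checksum is left at 0 because nothing here reads it. */
static void build_padded_syn(uint8_t buf[FRAME_LEN])
{
    static const uint8_t hdr[40] = {
        0x45, 0, 0, 40, 0, 0, 0x40, 0, 64, 6, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2,
        0x30, 0x39, 0, 80, 0, 0, 0, 1, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff };
    uint16_t c;
    memset(buf, 0, FRAME_LEN);
    memcpy(buf, hdr, sizeof(hdr));
    c = tcp_csum(buf, ip_tot_len(buf)); /* sender sums over tot_len bytes */
    buf[36] = (uint8_t)(c >> 8); buf[37] = (uint8_t)c;
}

int main(void)
{
    uint8_t f[FRAME_LEN];
    build_padded_syn(f);
    printf("padded length: %s\n", tcp_csum(f, FRAME_LEN) ? "bad" : "ok");
    printf("tot_len:       %s\n", tcp_csum(f, ip_tot_len(f)) ? "bad" : "ok");
}
```

The six padding bytes are zero and add nothing to the sum; only the pseudoheader length differs between the two calls.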