From patchwork Tue Feb 12 19:53:11 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Farrell.Woods@dell.com
X-Patchwork-Id: 1040812
X-Patchwork-Delegate: davem@davemloft.net
Subject: patch for ip6_input.c
Date: Tue, 12 Feb 2019 19:53:11 +0000
Message-ID: <42724a32-c206-bc63-9674-c85eb1af1b1f@dell.com>
Sender: netdev-owner@vger.kernel.org
X-Mailing-List: netdev@vger.kernel.org

Folks,

I'm proposing the following patch for ip6_input.c:

                        __IP6_INC_STATS(net, idev, IPSTATS_MIB_INDELIVERS);

The patch fixes an IPv6 conformance test failure (v6LC_1_2_03a in the UNH
INTACT suite) that occurs specifically when IPsec is in use.  The test
iterates through the set of unassigned protocol numbers (currently, 143
through 252) and inserts these into the next header field of a Destination
Options header.  The expected test result is that an ICMPv6 Parameter
Problem is sent back.

But if there's a policy in place that requires an active SA between the
Test Node and the Device Under Test (and none exists), the inbound packet
is quietly dropped.

This behavior is inconsistent with, for example, how unknown TLVs are
handled in extension headers (see the TLV parsing code in ipv6/exthdrs.c)
or, for instance, how misaligned fragment headers are handled.  These will
always cause a Parameter Problem message to get sent back to the source.

I have verified that, with the policy check removed, the unit test passes.

FYI here's a trace of the test in question:

No.     Time           Source                   Destination              Protocol Length Info
      1 0.000000000    fe80::200:10ff:fe10:1080 fe80::260:16ff:fe97:ebf2 IPv6     71     *Unknown IP Protocol: Unassigned (143)*

Frame 1: 71 bytes on wire (568 bits), 71 bytes captured (568 bits) on interface 0
    Interface id: 0 (unknown)
        Interface name: unknown
    Encapsulation type: Ethernet (1)
    Arrival Time: Feb  6, 2019 13:27:29.949609000 EST
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1549477649.949609000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 71 bytes (568 bits)
    Capture Length: 71 bytes (568 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ipv6:ipv6.dstopts:data]
Ethernet II, Src: Sytek_10:10:80 (00:00:10:10:10:80), Dst: Clariion_97:eb:f2 (00:60:16:97:eb:f2)
    Destination: Clariion_97:eb:f2 (00:60:16:97:eb:f2)
        Address: Clariion_97:eb:f2 (00:60:16:97:eb:f2)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Sytek_10:10:80 (00:00:10:10:10:80)
        Address: Sytek_10:10:80 (00:00:10:10:10:80)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6, Src: fe80::200:10ff:fe10:1080, Dst: fe80::260:16ff:fe97:ebf2
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
        .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)
        .... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    .... .... .... 0000 0000 0000 0000 0000 = Flow Label: 0x00000
    Payload Length: 17
    Next Header: Destination Options for IPv6 (60)
    Hop Limit: 255
    Source: fe80::200:10ff:fe10:1080
    Destination: fe80::260:16ff:fe97:ebf2
    [Source SA MAC: Sytek_10:10:80 (00:00:10:10:10:80)]
    [Destination SA MAC: Clariion_97:eb:f2 (00:60:16:97:eb:f2)]
    Destination Options for IPv6
        *Next Header: Unassigned (143)*
        Length: 0
        [Length: 8 bytes]
        PadN
            Type: PadN (0x01)
                00.. .... = Action: Skip and continue (0)
                ..0. .... = May Change: No
                ...0 0001 = Low-Order Bits: 0x01
            Length: 4
            PadN: 00000000
Data (9 bytes)

0000  80 00 5c eb 00 00 00 00 00                        ..\......
    Data: 80005ceb0000000000
    [Length: 9]

I am working on a product that will ship with IPsec enabled and with a set
of traffic selectors in place that will exclude most inbound traffic.
Since this is how it will ship to the customer, we must leave IPsec enabled
when this goes to UNH for USGv6 certification.

Thanks for your consideration.

    -- Farrell

diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c index c7ed2b6..5aba6a6 100644 --- a/net/ipv6/ip6_input.c 
+++ b/net/ipv6/ip6_input.c @@ -409,12 +409,10 @@ void ip6_protocol_deliver_rcu(struct net *net, struct sk_buff *skb, int nexthdr,                 }         } else {                 if (!raw) { -                       if (xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) { -                               __IP6_INC_STATS(net, idev, - IPSTATS_MIB_INUNKNOWNPROTOS); -                               icmpv6_send(skb, ICMPV6_PARAMPROB, -                                           ICMPV6_UNK_NEXTHDR, nhoff); -                       } +                       __IP6_INC_STATS(net, idev, +                               IPSTATS_MIB_INUNKNOWNPROTOS); +                       icmpv6_send(skb, ICMPV6_PARAMPROB, +                               ICMPV6_UNK_NEXTHDR, nhoff);                         kfree_skb(skb);                 } else {
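
Review bot: With the "if (xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))" guard dropped from the !raw branch, a packet that inbound XFRM policy would reject now still increments IPSTATS_MIB_INUNKNOWNPROTOS and reaches icmpv6_send(), so a host whose policy requires an SA replies to a peer that has none. That holds for every IPsec configuration, not only the conformance setup described in the message, and the changelog should explain why answering ahead of the policy decision is acceptable here. Consider whether the counter increment alone could move outside the check while the ICMPv6 Parameter Problem stays behind it, or whether the reply should be opt-in. The submission also carries no Signed-off-by line, and the subject "patch for ip6_input.c" does not say what the change does.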
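
The header walk that the conformance test exercises, as an added example that is not part of the original mail or of the kernel source: it follows the Next Header chain of the traced packet and returns the offset an ICMPv6 Parameter Problem (code 1) would point at. The packet bytes are constructed from the dissection above; the function name and the set of "known" protocols are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed from the trace: the 57-byte IPv6 packet, Ethernet header removed. */
static const uint8_t trace_pkt[] = {
    0x60, 0, 0, 0, 0x00, 0x11, 60, 255,   /* payload 17, next hdr 60, hop limit 255 */
    0xfe,0x80,0,0,0,0,0,0, 0x02,0x00,0x10,0xff,0xfe,0x10,0x10,0x80,   /* source */
    0xfe,0x80,0,0,0,0,0,0, 0x02,0x60,0x16,0xff,0xfe,0x97,0xeb,0xf2,   /* destination */
    143, 0, 0x01, 0x04, 0, 0, 0, 0,       /* Dest Options: next hdr 143, len 0, PadN */
    0x80, 0x00, 0x5c, 0xeb, 0, 0, 0, 0, 0 /* 9 data bytes */
};

/* Assumption: the receiver delivers TCP, UDP, ICMPv6 and No Next Header. */
static int is_known_upper(uint8_t nh)
{
    return nh == 6 || nh == 17 || nh == 58 || nh == 59;
}

/* Hop-by-Hop, Routing, Destination Options: (next header, hdr ext len) layout. */
static int is_ext_hdr(uint8_t nh)
{
    return nh == 0 || nh == 43 || nh == 60;
}

/* Returns the offset of the Next Header field holding an unrecognized value,
 * -1 if the chain ends in a known protocol, -2 if truncated or not IPv6. */
long unknown_nexthdr_offset(const uint8_t *pkt, size_t len)
{
    if (len < 40 || (pkt[0] >> 4) != 6)
        return -2;
    size_t nhoff = 6;   /* Next Header field of the fixed header */
    size_t off = 40;    /* start of the header that field names */
    for (;;) {
        uint8_t nh = pkt[nhoff];
        if (is_known_upper(nh))
            return -1;
        if (!is_ext_hdr(nh))
            return (long)nhoff;
        size_t hlen = len - off >= 8 ? ((size_t)pkt[off + 1] + 1) * 8 : 0;
        if (hlen == 0 || hlen > len - off)
            return -2;
        nhoff = off;    /* this header's own Next Header field */
        off += hlen;
    }
}

int main(void)
{
    printf("pointer = %ld\n", unknown_nexthdr_offset(trace_pkt, sizeof trace_pkt));
    return 0;
}
```

The offset found for the traced packet is the Next Header byte of the Destination Options header, the same field the hunk's nhoff argument to icmpv6_send() refers to.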