From patchwork Wed Nov 4 18:07:53 2020
X-Patchwork-Submitter: William Breathitt Gray
X-Patchwork-Id: 1394441
From: William Breathitt Gray
To: kernel-team@lists.ubuntu.com
Subject: [SRU][CVE-2020-25645][Xenial][PATCH 1/1] geneve: add transport ports in route lookup for geneve
Date: Wed, 4 Nov 2020 13:07:53 -0500
Message-Id: <20201104180753.41351-2-william.gray@canonical.com>
In-Reply-To: <20201104180753.41351-1-william.gray@canonical.com>
References: <20201104180753.41351-1-william.gray@canonical.com>
List-Id: Kernel team discussions
From: Mark Gray

This patch adds transport ports information for route lookup so that
IPsec can select Geneve tunnel traffic to do encryption. This is
needed for OVS/OVN IPsec with encrypted Geneve tunnels.

This can be tested by configuring a host-host VPN using an IKE daemon
and specifying port numbers. For example, for an Openswan-type
configuration, the following parameters should be configured on both
hosts and IPsec set up as per normal:

$ cat /etc/ipsec.conf
conn in
...
left=$IP1
right=$IP2
...
leftprotoport=udp/6081
rightprotoport=udp
...
conn out
...
left=$IP1
right=$IP2
...
leftprotoport=udp
rightprotoport=udp/6081
...

The tunnel can then be set up using "ip" on both hosts (but changing
the relevant IP addresses):

$ ip link add tun type geneve id 1000 remote $IP2
$ ip addr add 192.168.0.1/24 dev tun
$ ip link set tun up

This can then be tested by pinging from $IP1:

$ ping 192.168.0.2

Without this patch the traffic is unencrypted on the wire.

Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels")
Signed-off-by: Qiuyu Xiao
Signed-off-by: Mark Gray
Reviewed-by: Greg Rose
Signed-off-by: David S. Miller

CVE-2020-25645

(backported from commit 34beb21594519ce64a55a498c2fe7d567bc1ca20)
[ vilhelmgray: context adjustments ]
Signed-off-by: William Breathitt Gray
Acked-by: Thadeu Lima de Souza Cascardo
---
 drivers/net/geneve.c | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)

diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
index c9e0fa325218..d47dd1be86de 100644
--- a/drivers/net/geneve.c
+++ b/drivers/net/geneve.c
@@ -750,7 +750,8 @@ free_dst: static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, struct net_device *dev, struct flowi4 *fl4, - struct ip_tunnel_info *info) + struct ip_tunnel_info *info, + __be16 dport, __be16 sport) { struct geneve_dev *geneve = netdev_priv(dev); struct rtable *rt = NULL; 
@@ -759,6 +760,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, memset(fl4, 0, sizeof(*fl4)); fl4->flowi4_mark = skb->mark; fl4->flowi4_proto = IPPROTO_UDP; + fl4->fl4_dport = dport; + fl4->fl4_sport = sport; if (info) { fl4->daddr = info->key.u.ipv4.dst; @@ -793,7 +796,8 @@ static struct rtable *geneve_get_v4_rt(struct sk_buff *skb, static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, struct net_device *dev, struct flowi6 *fl6, - struct ip_tunnel_info *info) + struct ip_tunnel_info *info, + __be16 dport, __be16 sport) { struct geneve_dev *geneve = netdev_priv(dev); struct geneve_sock *gs6 = geneve->sock6; @@ -803,6 +807,8 @@ static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb, memset(fl6, 0, sizeof(*fl6)); fl6->flowi6_mark = skb->mark; fl6->flowi6_proto = IPPROTO_UDP; + fl6->fl6_dport = dport; + fl6->fl6_sport = sport; if (info) { fl6->daddr = info->key.u.ipv6.dst; @@ -873,13 +879,13 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev, goto tx_error; } - rt = geneve_get_v4_rt(skb, dev, &fl4, info); + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + rt = geneve_get_v4_rt(skb, dev, &fl4, info, geneve->dst_port, sport); if (IS_ERR(rt)) { err = PTR_ERR(rt); goto tx_error; } - sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); skb_reset_mac_header(skb); if (info) { @@ -958,13 +964,13 @@ static netdev_tx_t geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev, } } - dst = geneve_get_v6_dst(skb, dev, &fl6, info); + sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); + dst = geneve_get_v6_dst(skb, dev, &fl6, info, geneve->dst_port, sport); if (IS_ERR(dst)) { err = PTR_ERR(dst); goto tx_error; } - sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); skb_reset_mac_header(skb); if (info) { 
@@ -1053,6 +1059,7 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) { struct ip_tunnel_info *info = skb_tunnel_info(skb); struct geneve_dev *geneve = netdev_priv(dev); + __be16 sport; struct rtable *rt; struct flowi4 fl4; #if IS_ENABLED(CONFIG_IPV6) @@ -1061,7 +1068,10 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) #endif if (ip_tunnel_info_af(info) == AF_INET) { - rt = geneve_get_v4_rt(skb, dev, &fl4, info); + sport = udp_flow_src_port(geneve->net, skb, + 1, USHRT_MAX, true); + rt = geneve_get_v4_rt(skb, dev, &fl4, info, geneve->dst_port, + sport); if (IS_ERR(rt)) return PTR_ERR(rt); @@ -1069,7 +1079,10 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) info->key.u.ipv4.src = fl4.saddr; #if IS_ENABLED(CONFIG_IPV6) } else if (ip_tunnel_info_af(info) == AF_INET6) { - dst = geneve_get_v6_dst(skb, dev, &fl6, info); + sport = udp_flow_src_port(geneve->net, skb, + 1, USHRT_MAX, true); + dst = geneve_get_v6_dst(skb, dev, &fl6, info, geneve->dst_port, + sport); if (IS_ERR(dst)) return PTR_ERR(dst); @@ -1080,8 +1093,7 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) return -EINVAL; } - info->key.tp_src = udp_flow_src_port(geneve->net, skb, - 1, USHRT_MAX, true); + info->key.tp_src = sport; info->key.tp_dst = geneve->dst_port; return 0; }
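Review bot: in the geneve_get_v4_rt() signature hunk (@@ -750,7 +750,8 @@) the new parameters are ordered `__be16 dport, __be16 sport`, and both are the same type, so a call site that passes them the other way round compiles cleanly and silently hands the hashed source port to the destination-port selector; a short comment above the prototype stating the order, or a single check at the callers that `dport == geneve->dst_port`, would make such a mix-up visible. The same ordering question applies to the geneve_get_v6_dst() hunk (@@ -793,7 +796,8 @@).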
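Review bot: the two lines added in the `@@ -759,6 +760,8 @@` hunk are the substance of the CVE fix: after `memset(fl4, 0, sizeof(*fl4))` the flow key carried only `flowi4_proto = IPPROTO_UDP`, so an IPsec policy whose selector pins UDP port 6081 (the `leftprotoport=udp/6081` line in the commit message) had nothing to match against and the tunnel packets left the host in the clear. Filling `fl4->fl4_dport` and `fl4->fl4_sport` before the lookup lets the port selector match; the values written here must be exactly the ones later placed in the UDP header, otherwise the policy decision and the packet on the wire diverge, which the xmit hunks address by computing `sport` once. The IPv6 hunk (@@ -803,6 +807,8 @@) mirrors this with `fl6_dport`/`fl6_sport`; since the commit message's test only exercises IPv4, the SRU verification should also run the ping over an IPv6-addressed tunnel.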
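Review bot: in the geneve_xmit_skb() hunk (@@ -873,13 +879,13 @@) hoisting `sport = udp_flow_src_port(...)` above the route lookup and deleting the later call is the right shape, because the source port used for the route/policy decision is now the same one the packet is transmitted with; the only cost is that the flow hash is also computed when `geneve_get_v4_rt()` fails and the packet goes to `tx_error`, which is negligible. Worth confirming in the surrounding code that nothing reassigns `sport` between the lookup and the later transmit call, since that would reintroduce the mismatch. The geneve6_xmit_skb() hunk (@@ -958,13 +964,13 @@) makes the identical change and should be kept in step in any future backport.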
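Review bot: in the final geneve_fill_metadata_dst() hunk (@@ -1080,8 +1093,7 @@) the unconditional `info->key.tp_src = sport;` is safe only because the one branch that assigns neither value returns `-EINVAL`, and with CONFIG_IPV6 disabled only the AF_INET branch exists; that invariant is not visible at the assignment. Initialising the variable at its declaration (`__be16 sport = 0;` in @@ -1053,6 +1059,7 @@), or calling `udp_flow_src_port()` once before the `if`, would make this robust against a future branch that falls through and would also remove the duplicated call in the AF_INET and AF_INET6 branches (@@ -1061 and @@ -1069). On the positive side, tp_src now carries the same source port the route lookup used instead of a second, independent hash.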
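To make concrete why the zeroed ports let Geneve traffic bypass the IPsec policy, here is an added illustration that is not part of the patch or of the kernel: a reduced model of an xfrm-style selector match run against the flow key as the driver built it before and after the change. The `flow_key` and `policy_selector` structs, `geneve_out_policy()` and the two `would_encrypt_*` functions are simplifications assumed for this example, not kernel APIs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <netinet/in.h>   /* IPPROTO_UDP, htons() */

/* Simplified stand-ins (assumed for this example) for the flowi4 port
 * fields the patch fills in and for an xfrm policy selector with masks. */
struct flow_key { uint8_t proto; uint16_t sport, dport; }; /* network order */
struct policy_selector {
    uint8_t  proto;
    uint16_t sport, sport_mask;   /* mask 0 = any port, 0xffff = exact */
    uint16_t dport, dport_mask;
};

/* The sending host's "leftprotoport=udp/6081" policy from the commit
 * message: UDP, any source port, destination port exactly 6081. */
static struct policy_selector geneve_out_policy(void)
{
    struct policy_selector sel = {
        .proto = IPPROTO_UDP,
        .sport = 0,           .sport_mask = 0,
        .dport = htons(6081), .dport_mask = 0xffff,
    };
    return sel;
}

/* Masked compare in the same shape as the kernel's selector match. */
static bool selector_matches(const struct policy_selector *sel,
                             const struct flow_key *fl)
{
    return sel->proto == fl->proto &&
           ((sel->dport ^ fl->dport) & sel->dport_mask) == 0 &&
           ((sel->sport ^ fl->sport) & sel->sport_mask) == 0;
}

/* Before the patch: memset() left fl4_dport/fl4_sport at zero, so a
 * port-specific policy never selected the tunnel flow for encryption. */
bool would_encrypt_before_fix(void)
{
    struct flow_key fl = { .proto = IPPROTO_UDP, .sport = 0, .dport = 0 };
    struct policy_selector sel = geneve_out_policy();
    return selector_matches(&sel, &fl);
}

/* After the patch: geneve->dst_port and the hashed sport are in the key. */
bool would_encrypt_after_fix(uint16_t dst_port_be, uint16_t sport_be)
{
    struct flow_key fl = { .proto = IPPROTO_UDP, .sport = sport_be, .dport = dst_port_be };
    struct policy_selector sel = geneve_out_policy();
    return selector_matches(&sel, &fl);
}
```

A tunnel whose destination port is not the one the policy pins (the third check below) is still sent in the clear, which is the expected behaviour of a port-scoped policy rather than a defect of the patch.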