Commit ca78801a authored by Peter Oskolkov's avatar Peter Oskolkov Committed by Alexei Starovoitov
Browse files

bpf: handle GSO in bpf_lwt_push_encap 



This patch adds handling of GSO packets in bpf_lwt_push_ip_encap()
(called from bpf_lwt_push_encap):

* IPIP, GRE, and UDP encapsulation types are deduced by looking
  into iphdr->protocol or ipv6hdr->next_header;
* SCTP GSO packets are not supported (as bpf_skb_proto_4_to_6
  and similar do);
* UDP_L4 GSO packets are also not supported (although they are
  not blocked in bpf_skb_proto_4_to_6 and similar), as
  skb_decrease_gso_size() will break it;
* SKB_GSO_DODGY bit is set.

Note: it may be possible to support SCTP and UDP_L4 gso packets;
      but as these cases seem to be not well handled by other
      tunneling/encapping code paths, the solution should
      be generic enough to apply to all tunneling/encapping code.

v8 changes:
   - make sure that if GRE or UDP encap is detected, there is
     enough of pushed bytes to cover both IP[v6] + GRE|UDP headers;
   - do not reject double-encapped packets;
   - whitelist TCP GSO packets rather than block SCTP GSO and
     UDP GSO.

Signed-off-by: default avatarPeter Oskolkov <posk@google.com>
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parent 52f27877

net/core/lwt_bpf.c

+65 −2
Original line number Original line Diff line number Diff line
@@ -16,6 +16,7 @@ 
#include <linux/types.h>

#include <linux/types.h>

#include <linux/bpf.h>

#include <linux/bpf.h>

#include <net/lwtunnel.h>

#include <net/lwtunnel.h>

#include <net/gre.h>





struct bpf_lwt_prog {

struct bpf_lwt_prog {

	struct bpf_prog *prog;

	struct bpf_prog *prog;
@@ -390,10 +391,72 @@ static const struct lwtunnel_encap_ops bpf_encap_ops = { 
	.owner		= THIS_MODULE,

	.owner		= THIS_MODULE,

};

};





static int handle_gso_type(struct sk_buff *skb, unsigned int gso_type,

			   int encap_len)

{

	struct skb_shared_info *shinfo = skb_shinfo(skb);



	gso_type |= SKB_GSO_DODGY;

	shinfo->gso_type |= gso_type;

	skb_decrease_gso_size(shinfo, encap_len);

	shinfo->gso_segs = 0;

	return 0;

}



static int handle_gso_encap(struct sk_buff *skb, bool ipv4, int encap_len)

static int handle_gso_encap(struct sk_buff *skb, bool ipv4, int encap_len)

{

{

	/* Handling of GSO-enabled packets is added in the next patch. */

	int next_hdr_offset;

	return -EOPNOTSUPP;

	void *next_hdr;

	__u8 protocol;



	/* SCTP and UDP_L4 gso need more nuanced handling than what

	 * handle_gso_type() does above: skb_decrease_gso_size() is not enough.

	 * So at the moment only TCP GSO packets are let through.

	 */

	if (!(skb_shinfo(skb)->gso_type & (SKB_GSO_TCPV4 | SKB_GSO_TCPV6)))

		return -ENOTSUPP;



	if (ipv4) {

		protocol = ip_hdr(skb)->protocol;

		next_hdr_offset = sizeof(struct iphdr);

		next_hdr = skb_network_header(skb) + next_hdr_offset;

	} else {

		protocol = ipv6_hdr(skb)->nexthdr;

		next_hdr_offset = sizeof(struct ipv6hdr);

		next_hdr = skb_network_header(skb) + next_hdr_offset;

	}



	switch (protocol) {

	case IPPROTO_GRE:

		next_hdr_offset += sizeof(struct gre_base_hdr);

		if (next_hdr_offset > encap_len)

			return -EINVAL;



		if (((struct gre_base_hdr *)next_hdr)->flags & GRE_CSUM)

			return handle_gso_type(skb, SKB_GSO_GRE_CSUM,

					       encap_len);

		return handle_gso_type(skb, SKB_GSO_GRE, encap_len);



	case IPPROTO_UDP:

		next_hdr_offset += sizeof(struct udphdr);

		if (next_hdr_offset > encap_len)

			return -EINVAL;



		if (((struct udphdr *)next_hdr)->check)

			return handle_gso_type(skb, SKB_GSO_UDP_TUNNEL_CSUM,

					       encap_len);

		return handle_gso_type(skb, SKB_GSO_UDP_TUNNEL, encap_len);



	case IPPROTO_IP:

	case IPPROTO_IPV6:

		if (ipv4)

			return handle_gso_type(skb, SKB_GSO_IPXIP4, encap_len);

		else

			return handle_gso_type(skb, SKB_GSO_IPXIP6, encap_len);



	default:

		return -EPROTONOSUPPORT;

	}

}

}





int bpf_lwt_push_ip_encap(struct sk_buff *skb, void *hdr, u32 len, bool ingress)

int bpf_lwt_push_ip_encap(struct sk_buff *skb, void *hdr, u32 len, bool ingress)

CRA Git | Maintained and supported by SUSTech CRA and CCSE