提交 1da44f9c 编写于 作者: T Tom Herbert 提交者: David S. Miller

ipv6: Change "final" protocol processing for encapsulation

When performing foo-over-UDP, UDP packets are processed by the
encapsulation handler which returns another protocol to process.
This may result in processing two (or more) protocols in the
loop that are marked as INET6_PROTO_FINAL. The actions taken
for hitting a final protocol, in particular the skb_postpull_rcsum
can only be performed once.

This patch set adds a check of a final protocol has been seen. The
rules are:
  - If the final protocol has not been seen any protocol is processed
    (final and non-final). In the case of a final protocol, the final
    actions are taken (like the skb_postpull_rcsum)
  - If a final protocol has been seen (e.g. an encapsulating UDP
    header) then no further non-final protocols are allowed
    (e.g. extension headers). For more final protocols the
    final actions are not taken (e.g. skb_postpull_rcsum).
Signed-off-by: NTom Herbert <tom@herbertland.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 4c64242a
...@@ -223,6 +223,7 @@ static int ip6_input_finish(struct net *net, struct sock *sk, struct sk_buff *sk ...@@ -223,6 +223,7 @@ static int ip6_input_finish(struct net *net, struct sock *sk, struct sk_buff *sk
unsigned int nhoff; unsigned int nhoff;
int nexthdr; int nexthdr;
bool raw; bool raw;
bool have_final = false;
/* /*
* Parse extension headers * Parse extension headers
...@@ -242,9 +243,21 @@ static int ip6_input_finish(struct net *net, struct sock *sk, struct sk_buff *sk ...@@ -242,9 +243,21 @@ static int ip6_input_finish(struct net *net, struct sock *sk, struct sk_buff *sk
if (ipprot) { if (ipprot) {
int ret; int ret;
if (ipprot->flags & INET6_PROTO_FINAL) { if (have_final) {
if (!(ipprot->flags & INET6_PROTO_FINAL)) {
/* Once we've seen a final protocol don't
* allow encapsulation on any non-final
* ones. This allows foo in UDP encapsulation
* to work.
*/
goto discard;
}
} else if (ipprot->flags & INET6_PROTO_FINAL) {
const struct ipv6hdr *hdr; const struct ipv6hdr *hdr;
/* Only do this once for first final protocol */
have_final = true;
/* Free reference early: we don't need it any more, /* Free reference early: we don't need it any more,
and it may hold ip_conntrack module loaded and it may hold ip_conntrack module loaded
indefinitely. */ indefinitely. */
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册