From patchwork Sun May 9 08:27:55 2021
X-Patchwork-Submitter: Pavel Machek
X-Patchwork-Id: 433012
Date: Sun, 9 May 2021 10:27:55 +0200
From: Pavel Machek
To: stable@vger.kernel.org, mark.d.gray@redhat.com, wens@csie.org, Qiuyu Xiao, Greg Rose, "David S. Miller"
Subject: [PATCH 4.4] geneve: add transport ports in route lookup for geneve
Message-ID: <20210509082755.GB25504@amd>
X-Mailing-List: stable@vger.kernel.org
From: Mark Gray

[ Upstream commit 34beb21594519ce64a55a498c2fe7d567bc1ca20 ]

This patch adds transport ports information for route lookup so that
IPsec can select Geneve tunnel traffic to do encryption. This is
needed for OVS/OVN IPsec with encrypted Geneve tunnels.

This can be tested by configuring a host-host VPN using an IKE daemon
and specifying port numbers. For example, for an Openswan-type
configuration, the following parameters should be configured on both
hosts and IPsec set up as per normal:

    $ cat /etc/ipsec.conf
    conn in
    ...
    left=$IP1
    right=$IP2
    ...
    leftprotoport=udp/6081
    rightprotoport=udp
    ...
    conn out
    ...
    left=$IP1
    right=$IP2
    ...
    leftprotoport=udp
    rightprotoport=udp/6081
    ...

The tunnel can then be set up using "ip" on both hosts (but changing
the relevant IP addresses):

    $ ip link add tun type geneve id 1000 remote $IP2
    $ ip addr add 192.168.0.1/24 dev tun
    $ ip link set tun up

This can then be tested by pinging from $IP1:

    $ ping 192.168.0.2

Without this patch the traffic is unencrypted on the wire.

Fixes: 2d07dc79fe04 ("geneve: add initial netdev driver for GENEVE tunnels")
Signed-off-by: Qiuyu Xiao
Signed-off-by: Mark Gray
Reviewed-by: Greg Rose
Signed-off-by: David S. Miller
[backport to 4.4 for CVE-2020-25645]
Signed-off-by: Pavel Machek (CIP)
---
 drivers/net/geneve.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c index ee38299f9c57..aa00d71705c6 100644 --- a/drivers/net/geneve.c +++ b/drivers/net/geneve.c @@ -842,7 +842,7 @@ static netdev_tx_t geneve_xmit_skb(struct sk_buff *skb, struct net_device *dev, sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); rt = geneve_get_v4_rt(skb, dev, &fl4, info, - geneve->dst_port, sport); + info->key.tp_dst, sport); if (IS_ERR(rt)) { err = PTR_ERR(rt); goto tx_error; 
@@ -925,7 +925,7 @@ static netdev_tx_t geneve6_xmit_skb(struct sk_buff *skb, struct net_device *dev, sport = udp_flow_src_port(geneve->net, skb, 1, USHRT_MAX, true); dst = geneve_get_v6_dst(skb, dev, &fl6, info, - geneve->dst_port, sport); + info->key.tp_dst, sport); if (IS_ERR(dst)) { err = PTR_ERR(dst); goto tx_error; @@ -1026,7 +1026,7 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) 1, USHRT_MAX, true); rt = geneve_get_v4_rt(skb, dev, &fl4, info, - geneve->dst_port, sport); + info->key.tp_dst, sport); if (IS_ERR(rt)) return PTR_ERR(rt); @@ -1038,7 +1038,7 @@ static int geneve_fill_metadata_dst(struct net_device *dev, struct sk_buff *skb) 1, USHRT_MAX, true); dst = geneve_get_v6_dst(skb, dev, &fl6, info, - geneve->dst_port, sport); + info->key.tp_dst, sport); if (IS_ERR(dst)) return PTR_ERR(dst);
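Review bot: in the `geneve_xmit_skb()` hunk (`@@ -842`), `info->key.tp_dst` is dereferenced unconditionally, but nothing in the hunk establishes that `info` is non-NULL: it is a pointer parameter of the function, whereas the `geneve->dst_port` the old line read is a field of the device and always valid. If this function can be entered with `info == NULL` (a tunnel that is not carrying per-packet metadata), the change turns a lookup with the wrong port into a NULL dereference on every transmit. Either guard it, e.g. `info ? info->key.tp_dst : geneve->dst_port`, or state in the backport note why `info` is guaranteed non-NULL at this point in 4.4.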
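Review bot: in the `geneve6_xmit_skb()` hunk (`@@ -925`), the destination port fed into the route lookup must be the same port the UDP header will actually carry, otherwise the xfrm policy is matched against a flow the packet does not have and the encryption decision is wrong in either direction. The hunk shows only the lookup being switched from `geneve->dst_port` to `info->key.tp_dst`, not the transmit call that builds the header; please confirm (and note in the commit message) that the 4.4 transmit path encapsulates with the same value, and apply whatever `info` NULL handling the IPv4 hunk settles on here as well.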
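Review bot: the two `geneve_fill_metadata_dst()` hunks (`@@ -1026`, `@@ -1038`) make the same substitution, and neither shows where `info` comes from; if it is the skb's tunnel metadata obtained earlier in that function the dereference is sound, but the reader of the stable patch cannot tell that from the diff. The `[backport to 4.4 for CVE-2020-25645]` line should spell out what was adapted from the upstream commit, in particular that the upstream field was mapped to `info->key.tp_dst` in place of the device's port, since that mapping is the one thing a stable reviewer has to verify across all four call sites.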
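The commit message explains the effect in one sentence: an IPsec policy written for udp/6081 can only be selected if the kernel's route/xfrm lookup carries the transport ports in its flow key. The following is an added example, not code from the patch or the kernel: it parses an Openswan-style ipsec.conf laid out like the one above and checks which conn selects a given flow, first with the ports present in the lookup key and then with them absent (reading as 0), which is the pre-fix situation the message describes as "unencrypted on the wire". The configuration text and the addresses 192.0.2.1/192.0.2.2 (standing in for $IP1/$IP2) are constructed.

```python
"""Model of IPsec traffic-selector matching against a tunnel route lookup key.

Added illustration, not kernel or Openswan code.  The ipsec.conf text and
the addresses below are constructed; 192.0.2.1/192.0.2.2 play $IP1/$IP2.
"""
import re
from typing import Dict, List, Optional, Tuple

GENEVE_PORT = 6081  # IANA-assigned UDP port for Geneve

# Constructed configuration mirroring the commit message's layout.
IPSEC_CONF = """
conn in
    left=192.0.2.1
    right=192.0.2.2
    leftprotoport=udp/6081
    rightprotoport=udp

conn out
    left=192.0.2.1
    right=192.0.2.2
    leftprotoport=udp
    rightprotoport=udp/6081
"""

# A flow key as the route/xfrm lookup sees it: (src, dst, proto, sport, dport).
Flow = Tuple[str, str, str, int, int]


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'conn NAME' blocks followed by indented key=value lines."""
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip()
    return conns


def parse_protoport(spec: Optional[str]) -> Tuple[Optional[str], Optional[int]]:
    """'udp/6081' -> ('udp', 6081); 'udp' -> ('udp', None); absent -> (None, None).

    None means "any" for that component, as in the Openswan selector syntax.
    """
    if not spec:
        return None, None
    proto, _, port = spec.partition("/")
    return proto.lower(), (int(port) if port else None)


def _end_matches(proto_sel: Optional[str], port_sel: Optional[int],
                 proto: str, port: int) -> bool:
    return (proto_sel is None or proto_sel == proto) and \
           (port_sel is None or port_sel == port)


def conn_matches(conn: Dict[str, str], flow: Flow) -> bool:
    """True if the flow lies inside this conn's selector, in either direction."""
    src, dst, proto, sport, dport = flow
    lproto, lport = parse_protoport(conn.get("leftprotoport"))
    rproto, rport = parse_protoport(conn.get("rightprotoport"))
    if src == conn.get("left") and dst == conn.get("right"):      # left -> right
        return _end_matches(lproto, lport, proto, sport) and \
               _end_matches(rproto, rport, proto, dport)
    if src == conn.get("right") and dst == conn.get("left"):      # right -> left
        return _end_matches(rproto, rport, proto, sport) and \
               _end_matches(lproto, lport, proto, dport)
    return False


def matching_conns(conns: Dict[str, Dict[str, str]], flow: Flow) -> List[str]:
    """Names of all conns whose selector covers the flow (empty = sent in the clear)."""
    return [name for name, conn in conns.items() if conn_matches(conn, flow)]


def route_lookup_key(src: str, dst: str, sport: int, dport: int,
                     with_ports: bool) -> Flow:
    """Model the key the tunnel driver builds for its route lookup.

    with_ports=False models a lookup that omits the transport ports (they
    read as 0), so a port-qualified selector can never match it.
    """
    if with_ports:
        return (src, dst, "udp", sport, dport)
    return (src, dst, "udp", 0, 0)


if __name__ == "__main__":
    conns = parse_conns(IPSEC_CONF)
    for with_ports in (True, False):
        key = route_lookup_key("192.0.2.1", "192.0.2.2", 40000, GENEVE_PORT, with_ports)
        print(f"ports in lookup key={with_ports}: key={key} -> {matching_conns(conns, key)}")
```

With the ports present the outbound Geneve flow selects `conn out` and the reverse flow selects `conn in`; with the ports zeroed neither selector matches and the policy lookup comes back empty, which is exactly the unencrypted-on-the-wire condition the patch closes.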