Skip to content

Commit 6aedd14

Browse files
Julian Anastasovummakynes
Julian Anastasov
authored and
ummakynes
committed
ipvs: strip gre tunnel headers from icmp errors
Recognize GRE tunnels in received ICMP errors and properly strip the tunnel headers. Signed-off-by: Julian Anastasov <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]>
1 parent ad49d86 commit 6aedd14

File tree

1 file changed

+42
-4
lines changed

1 file changed

+42
-4
lines changed

net/netfilter/ipvs/ip_vs_core.c

Lines changed: 42 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -35,6 +35,7 @@
3535
#include <net/udp.h>
3636
#include <net/icmp.h> /* for icmp_send */
3737
#include <net/gue.h>
38+
#include <net/gre.h>
3839
#include <net/route.h>
3940
#include <net/ip6_checksum.h>
4041
#include <net/netns/generic.h> /* net_generic() */
@@ -1610,6 +1611,38 @@ static int ipvs_udp_decap(struct netns_ipvs *ipvs, struct sk_buff *skb,
16101611
return 0;
16111612
}
16121613

1614+
/* Check the GRE tunnel and return its header length */
1615+
static int ipvs_gre_decap(struct netns_ipvs *ipvs, struct sk_buff *skb,
1616+
unsigned int offset, __u16 af,
1617+
const union nf_inet_addr *daddr, __u8 *proto)
1618+
{
1619+
struct gre_base_hdr _greh, *greh;
1620+
struct ip_vs_dest *dest;
1621+
1622+
greh = skb_header_pointer(skb, offset, sizeof(_greh), &_greh);
1623+
if (!greh)
1624+
goto unk;
1625+
dest = ip_vs_find_tunnel(ipvs, af, daddr, 0);
1626+
if (!dest)
1627+
goto unk;
1628+
if (dest->tun_type == IP_VS_CONN_F_TUNNEL_TYPE_GRE) {
1629+
__be16 type;
1630+
1631+
/* Only support version 0 and C (csum) */
1632+
if ((greh->flags & ~GRE_CSUM) != 0)
1633+
goto unk;
1634+
type = greh->protocol;
1635+
/* Later we can support also IPPROTO_IPV6 */
1636+
if (type != htons(ETH_P_IP))
1637+
goto unk;
1638+
*proto = IPPROTO_IPIP;
1639+
return gre_calc_hlen(gre_flags_to_tnl_flags(greh->flags));
1640+
}
1641+
1642+
unk:
1643+
return 0;
1644+
}
1645+
16131646
/*
16141647
* Handle ICMP messages in the outside-to-inside direction (incoming).
16151648
* Find any that might be relevant, check against existing connections,
@@ -1689,7 +1722,8 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related,
16891722
if (cih == NULL)
16901723
return NF_ACCEPT; /* The packet looks wrong, ignore */
16911724
ipip = true;
1692-
} else if (cih->protocol == IPPROTO_UDP && /* Can be UDP encap */
1725+
} else if ((cih->protocol == IPPROTO_UDP || /* Can be UDP encap */
1726+
cih->protocol == IPPROTO_GRE) && /* Can be GRE encap */
16931727
/* Error for our tunnel must arrive at LOCAL_IN */
16941728
(skb_rtable(skb)->rt_flags & RTCF_LOCAL)) {
16951729
__u8 iproto;
@@ -1699,10 +1733,14 @@ ip_vs_in_icmp(struct netns_ipvs *ipvs, struct sk_buff *skb, int *related,
16991733
if (unlikely(cih->frag_off & htons(IP_OFFSET)))
17001734
return NF_ACCEPT;
17011735
offset2 = offset + cih->ihl * 4;
1702-
ulen = ipvs_udp_decap(ipvs, skb, offset2, AF_INET, raddr,
1703-
&iproto);
1736+
if (cih->protocol == IPPROTO_UDP)
1737+
ulen = ipvs_udp_decap(ipvs, skb, offset2, AF_INET,
1738+
raddr, &iproto);
1739+
else
1740+
ulen = ipvs_gre_decap(ipvs, skb, offset2, AF_INET,
1741+
raddr, &iproto);
17041742
if (ulen > 0) {
1705-
/* Skip IP and UDP tunnel headers */
1743+
/* Skip IP and UDP/GRE tunnel headers */
17061744
offset = offset2 + ulen;
17071745
/* Now we should be at the original IP header */
17081746
cih = skb_header_pointer(skb, offset, sizeof(_ciph),

0 commit comments

Comments
 (0)