flow_dissector: fix TTL and TOS dissection on IPv4 fragments
[ Upstream commit d2126838050ccd1dadf310ffb78b2204f3b032b9 ]
the following command:
# tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \
$tcflags dst_ip 192.0.2.2 ip_ttl 63 action drop
doesn't drop all IPv4 packets that match the configured TTL / destination
address. In particular, if "fragment offset" or "more fragments" have a
non-zero value in the IPv4 header, setting of FLOW_DISSECTOR_KEY_IP is simply
ignored. Fix this by dissecting IPv4 TTL and TOS before fragment info; while
at it, add a selftest for tc flower's match on 'ip_ttl' that verifies the
correct behavior.
Fixes: 518d8a2e9b
("net/flow_dissector: add support for dissection of misc ip header fields")
Reported-by: Shuang Li <shuali@redhat.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>

committed by
Greg Kroah-Hartman

parent
8fe47a3394
commit
e3ccad57ac
@@ -1050,6 +1050,9 @@ proto_again:
|
||||
key_control->addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
|
||||
}
|
||||
|
||||
__skb_flow_dissect_ipv4(skb, flow_dissector,
|
||||
target_container, data, iph);
|
||||
|
||||
if (ip_is_fragment(iph)) {
|
||||
key_control->flags |= FLOW_DIS_IS_FRAGMENT;
|
||||
|
||||
@@ -1066,9 +1069,6 @@ proto_again:
|
||||
}
|
||||
}
|
||||
|
||||
__skb_flow_dissect_ipv4(skb, flow_dissector,
|
||||
target_container, data, iph);
|
||||
|
||||
break;
|
||||
}
|
||||
case htons(ETH_P_IPV6): {
|
||||
|
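Review bot: The relocated `__skb_flow_dissect_ipv4(skb, flow_dissector, target_container, data, iph);` call above `if (ip_is_fragment(iph)) {` carries no comment saying that its position is load-bearing, so a later tidy-up could move it back below the fragment block and reintroduce the gap. Per the commit message, a flower rule such as `ip_ttl 63 action drop` did not match fragmented packets, which means a drop policy keyed on TTL/TOS let fragments through. I would add a comment directly above the call, e.g. `/* Must run before the fragment checks: fragments would otherwise leave FLOW_DISSECTOR_KEY_IP unset and slip past ip_ttl/ip_tos matches. */`. The body of the fragment block is cut off between the two hunks, and the `case htons(ETH_P_IPV6):` body starts after the last visible line, so it is worth confirming that the IPv6 path sets its IP key independently of fragment handling as well.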