Le 30/07/2020 à 07:41, Steffen Klassert a écrit :
> From: Xin Long <lucien....@gmail.com>
>
> Similar to ip6_vti, IP6IP6 and IP6IP tunnels processing can easily
> be done with .cb_handler for xfrm interface.
>
> v1->v2:
> - no change.
> v2-v3:
> - enable it only when CONFIG_INET6_XFRM_TUNNEL is defined, to fix
> the build error, reported by kbuild test robot.
>
> Signed-off-by: Xin Long <lucien....@gmail.com>
> Signed-off-by: Steffen Klassert <steffen.klass...@secunet.com>
> ---
This patch broke standard IP tunnels. With this setup:
+ ip link set ntfp2 up
+ ip addr add 10.125.0.2/24 dev ntfp2
+ ip tunnel add tun1 mode ipip ttl 64 local 10.125.0.2 remote 10.125.0.1 dev
ntfp2
+ ip addr add 192.168.0.2/32 peer 192.168.0.1/32 dev tun1
+ ip link set dev tun1 up
incoming packets are dropped:
$ cat /proc/net/xfrm_stat
...
XfrmInNoStates 31
...
Xin, can you have a look?
> net/xfrm/xfrm_interface.c | 38 ++++++++++++++++++++++++++++++++++++++
> 1 file changed, 38 insertions(+)
>
> diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
> index c407ecbc5d46..b9ef496d3d7c 100644
> --- a/net/xfrm/xfrm_interface.c
> +++ b/net/xfrm/xfrm_interface.c
> @@ -798,6 +798,26 @@ static struct xfrm6_protocol xfrmi_ipcomp6_protocol
> __read_mostly = {
> .priority = 10,
> };
>
> +#if IS_ENABLED(CONFIG_INET6_XFRM_TUNNEL)
> +static int xfrmi6_rcv_tunnel(struct sk_buff *skb)
> +{
> + const xfrm_address_t *saddr;
> + __be32 spi;
> +
> + saddr = (const xfrm_address_t *)&ipv6_hdr(skb)->saddr;
> + spi = xfrm6_tunnel_spi_lookup(dev_net(skb->dev), saddr);
> +
> + return xfrm6_rcv_spi(skb, IPPROTO_IPV6, spi, NULL);
> +}
> +
> +static struct xfrm6_tunnel xfrmi_ipv6_handler __read_mostly = {
> + .handler = xfrmi6_rcv_tunnel,
> + .cb_handler = xfrmi_rcv_cb,
> + .err_handler = xfrmi6_err,
> + .priority = -1,
> +};
> +#endif
> +
> static struct xfrm4_protocol xfrmi_esp4_protocol __read_mostly = {
> .handler = xfrm4_rcv,
> .input_handler = xfrm_input,
> @@ -866,9 +886,23 @@ static int __init xfrmi6_init(void)
> err = xfrm6_protocol_register(&xfrmi_ipcomp6_protocol, IPPROTO_COMP);
> if (err < 0)
> goto xfrm_proto_comp_failed;
> +#if IS_ENABLED(CONFIG_INET6_XFRM_TUNNEL)
> + err = xfrm6_tunnel_register(&xfrmi_ipv6_handler, AF_INET6);
> + if (err < 0)
> + goto xfrm_tunnel_ipv6_failed;
> + err = xfrm6_tunnel_register(&xfrmi_ipv6_handler, AF_INET);
> + if (err < 0)
> + goto xfrm_tunnel_ip6ip_failed;
> +#endif
>
> return 0;
>
> +#if IS_ENABLED(CONFIG_INET6_XFRM_TUNNEL)
> +xfrm_tunnel_ip6ip_failed:
> + xfrm6_tunnel_deregister(&xfrmi_ipv6_handler, AF_INET6);
> +xfrm_tunnel_ipv6_failed:
> + xfrm6_protocol_deregister(&xfrmi_ipcomp6_protocol, IPPROTO_COMP);
> +#endif
> xfrm_proto_comp_failed:
> xfrm6_protocol_deregister(&xfrmi_ah6_protocol, IPPROTO_AH);
> xfrm_proto_ah_failed:
> @@ -879,6 +913,10 @@ static int __init xfrmi6_init(void)
>
> static void xfrmi6_fini(void)
> {
> +#if IS_ENABLED(CONFIG_INET6_XFRM_TUNNEL)
> + xfrm6_tunnel_deregister(&xfrmi_ipv6_handler, AF_INET);
> + xfrm6_tunnel_deregister(&xfrmi_ipv6_handler, AF_INET6);
> +#endif
> xfrm6_protocol_deregister(&xfrmi_ipcomp6_protocol, IPPROTO_COMP);
> xfrm6_protocol_deregister(&xfrmi_ah6_protocol, IPPROTO_AH);
> xfrm6_protocol_deregister(&xfrmi_esp6_protocol, IPPROTO_ESP);
>
