This behavior is required in IPv6, and there is little need
to tolerate overlapping fragments in IPv4. This change
simplifies the code and eliminates potential DDoS attack vectors.
Suggested-by: David S. Miller
Signed-off-by: Peter Oskolkov
Signed-off-by: Eric Dumazet
Cc: Florian Westphal
-by: Peter Oskolkov
Signed-off-by: Eric Dumazet
Cc: Florian Westphal
---
include/linux/skbuff.h | 9 +-
include/net/inet_frag.h | 3 +-
net/ipv4/inet_fragment.c| 16 ++-
net/ipv4/ip_fragment.c | 182
(suggested
by Eric Dumazet): this change removes a potential attack vector.
Upcoming patches will contain similar changes for IPv6 frag queue,
as well as a comprehensive IP defrag self-test (temporarily delayed).
Peter Oskolkov (3):
ip: discard IPv4 datagrams with overlapping segments.
net
Suggested-by: Eric Dumazet
Signed-off-by: Peter Oskolkov
Signed-off-by: Eric Dumazet
Cc: Florian Westphal
---
include/linux/skbuff.h | 2 +-
net/core/skbuff.c | 6 +-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index
This behavior is required in IPv6, and there is little need
to tolerate overlapping fragments in IPv4. This change
simplifies the code and eliminates potential DDoS attack vectors.
Tested: ran ip_defrag selftest (not yet available upstream).
Suggested-by: David S. Miller
Signed-off-by: Peter
Tested: see the next patch in the series.
Suggested-by: Eric Dumazet
Signed-off-by: Peter Oskolkov
Signed-off-by: Eric Dumazet
Cc: Florian Westphal
---
include/linux/skbuff.h | 2 +-
net/core/skbuff.c | 6 +-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/include
On Fri, Aug 3, 2018 at 12:33 PM Josh Hunt wrote:
>
> On Thu, Aug 2, 2018 at 4:34 PM, Peter Oskolkov wrote:
>>
>> This patchset
>> * changes IPv4 defrag behavior to match that of IPv6: overlapping
>> fragments now cause the whole IP datagram to be discarded (s
This patch introduces several helper functions/macros that will be
used in the follow-up patch. No runtime changes yet.
The new logic (fully implemented in the second patch) is as follows:
* Nodes in the rb-tree will now contain not single fragments, but lists
of consecutive fragments
This patch changes the runtime behavior of IP defrag queue:
incoming in-order fragments are added to the end of the current
list/"run" of in-order fragments at the tail.
On some workloads, UDP stream performance is substantially improved:
RX: ./udp_stream -F 10 -T 2 -l 60
TX: ./udp_stream -c -H
Ack. Thanks, Dan!
On Mon, Aug 6, 2018 at 12:17 PM Dan Carpenter wrote:
>
> We accidentally removed the parentheses here, but they are required
> because '!' has higher precedence than '&'.
>
> Fixes: fa0f527358bd ("ip: use rb trees for IP frag queue.")
> Signed-off-by: Dan Carpenter
>
> diff
d to store additional information
needed here (suggested by Eric Dumazet).
Reported-by: Willem de Bruijn
Signed-off-by: Peter Oskolkov
Cc: Eric Dumazet
Cc: Florian Westphal
---
include/net/inet_frag.h | 6
net/ipv4/ip_fragment.c | 73 +
2 file
ream -c -H -F 10 -T 5 -l 60
with this patchset applied on a 10Gbps receiver:
throughput=9524.18
throughput_units=Mbit/s
upstream (net-next):
throughput=4608.93
throughput_units=Mbit/s
Reported-by: Willem de Bruijn
Signed-off-by: Peter Oskolkov
Cc: Eric Dumazet
Cc: Florian Westphal
Added "Signed-off-by" in v2.
Peter Oskolkov (2):
ip: add helpers to process in-order fragments faster.
ip: process in-order fragments efficiently
include/net/inet_frag.h | 6 ++
net/ipv4/inet_fragment.c | 2 +-
net/ipv4/ip_fragment.c | 183 ++--
).
Tested:
root@# time ./ip_defrag.sh
ipv4 defrag
PASS
ipv4 defrag with overlaps
PASS
real 1m7.679s
user 0m0.628s
sys 0m2.242s
A similar test for IPv6 is to follow.
Signed-off-by: Peter Oskolkov
Reviewed-by: Willem de Bruijn
---
tools/testing/selftests/net/.gitignore | 2 +
tools
this patch, some overlaps were
"corrected", with tests not seeing expected packet drops.
Note that in one case (see "if (end&7)" conditional) the current
behavior is preserved as there are concerns that this could be
legitimate padding.
Signed-off-by: Peter Oskolkov
R
This patch adds ipv6 defragmentation tests to ip_defrag selftest,
to complement existing ipv4 tests.
Signed-off-by: Peter Oskolkov
---
tools/testing/selftests/net/ip_defrag.c | 249 +++
tools/testing/selftests/net/ip_defrag.sh | 39 ++--
2 files changed, 190 insertions
net.ipv6.ip6frag_high_thresh=900
net.ipv6.ip6frag_high_thresh = 900
# sysctl net.ipv6.ip6frag_high_thresh
net.ipv6.ip6frag_high_thresh = 4194304
Signed-off-by: Peter Oskolkov
---
net/ieee802154/6lowpan/reassembly.c | 1 -
net/ipv4/ip_fragment.c | 1 -
net/ipv6/reassembly.c
This is similar to how ipv4 now behaves:
commit 0ff89efb5246 ("ip: fail fast on IP defrag errors").
Signed-off-by: Peter Oskolkov
---
net/ipv6/reassembly.c | 11 ++-
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassemb
Thanks, David! This is for egress only, so I'll add an appropriate
check. I'll also address your other comments/concerns in a v2 version
of this patchset.
On Fri, Nov 30, 2018 at 12:08 PM David Ahern wrote:
>
> On 11/28/18 6:34 PM, Peter Oskolkov wrote:
> > On Wed, Nov 28, 2018 at 4
On Fri, Nov 30, 2018 at 3:52 PM David Ahern wrote:
>
> On 11/30/18 4:35 PM, Peter Oskolkov wrote:
> > Thanks, David! This is for egress only, so I'll add an appropriate
> > check. I'll also address your other comments/concerns in a v2 version
> > of this patchset.
On Wed, Nov 28, 2018 at 4:47 PM David Ahern wrote:
>
> On 11/28/18 5:22 PM, Peter Oskolkov wrote:
> > diff --git a/net/core/filter.c b/net/core/filter.c
> > index bd0df75dc7b6..17f3c37218e5 100644
> > --- a/net/core/filter.c
> > +++ b/net/core/filter.c
> >
Thanks, Stephen!
I don't care much about braces either. David, do you want me to send a
new patch with braces moved around?
On Tue, Dec 4, 2018 at 9:56 AM Stephen Hemminger
wrote:
>
> I like this, it makes a lot of sense since packets are almost
> always queued in order.
>
> Minor style stuff
v2: address style suggestions by Stephen Hemminger.
All changes are noop vs v1.
Peter Oskolkov (1):
net: netem: use a list in addition to rbtree
net/sched/sch_netem.c | 89 +--
1 file changed, 69 insertions(+), 20 deletions(-)
there, otherwise it is inserted into the rbtree.
Without this patch, perf shows netem_enqueue, netem_dequeue,
and rb_* functions among the top offenders. With this patch,
only netem_enqueue is noticeable if jitter is low/absent.
Suggested-by: Eric Dumazet
Signed-off-by: Peter Oskolkov
---
net/sched
Peter Oskolkov wrote:
> > On Fri, Nov 30, 2018 at 3:52 PM David Ahern wrote:
> >>
> >> On 11/30/18 4:35 PM, Peter Oskolkov wrote:
> >>> Thanks, David! This is for egress only, so I'll add an appropriate
> >>> check. I'll also address your other co
On Tue, Dec 4, 2018 at 11:11 AM Peter Oskolkov wrote:
>
> Thanks, Stephen!
>
> I don't care much about braces either. David, do you want me to send a
> new patch with braces moved around?
Sent a v2 with style fixes, just in case.
>
> On Tue, Dec 4, 2018 at 9:56 AM Steph
eep state
> waiting to acquire the net_mutex.
>
> The bug was observed in the IPv6 netfilter code by Per Sundstrom.
> I thank him for his analysis of the problem. The parts of this patch
> that apply to IPv4 and IPv6 fragment reassembly are preemptive measures.
>
> Signed-off-by:
FWIW, I find the patch really useful - I applied it to my local dev
repo (with minor changes) and use skb_dump() a lot now. It would be
great if it makes its way into net-next in some form.
On Fri, Nov 30, 2018 at 12:15 PM Saeed Mahameed wrote:
>
> On Thu, 2018-11-22 at 17:45 -0800, Cong Wang
This patch adds a sample/selftest that covers BPF_LWT_ENCAP_IP option
added in the first patch in the series.
Signed-off-by: Peter Oskolkov
---
tools/testing/selftests/bpf/Makefile | 5 +-
.../testing/selftests/bpf/test_lwt_ip_encap.c | 65 ++
.../selftests/bpf
in the series.
Signed-off-by: Peter Oskolkov
---
include/net/lwtunnel.h | 2 ++
include/uapi/linux/bpf.h | 7 -
net/core/filter.c| 58
3 files changed, 66 insertions(+), 1 deletion(-)
diff --git a/include/net/lwtunnel.h b/include/net
On Thu, Sep 13, 2018 at 9:11 PM David Ahern wrote:
>
> On 9/13/18 1:38 PM, Peter Oskolkov wrote:
>
> > diff --git a/net/ipv6/route.c b/net/ipv6/route.c
> > index 3eed045c65a5..a3902f805305 100644
> > --- a/net/ipv6/route.c
> > +++ b/net/ipv6/route.c
>
bc1 ("net/ipv6: Move dst flags to booleans in fib entries")
Cc: David Ahern
Acked-by: Wei Wang
Signed-off-by: Peter Oskolkov
---
net/ipv6/route.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 3eed045c65a5..480a79f47c52 100644
--- a/net/ipv6/
On Mon, Sep 17, 2018 at 9:59 AM David Ahern wrote:
>
> On 9/17/18 9:11 AM, Peter Oskolkov wrote:
> > On Thu, Sep 13, 2018 at 9:11 PM David Ahern wrote:
> >>
> >> On 9/13/18 1:38 PM, Peter Oskolkov wrote:
> >>
> >>> diff --git a/net/ipv6/
bc1 ("net/ipv6: Move dst flags to booleans in fib entries")
Cc: David Ahern
Acked-by: Wei Wang
Signed-off-by: Peter Oskolkov
---
net/ipv6/route.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 3eed045c65a5..a3902f805305 100