On Fri, Sep 13, 2024 at 10:39:20AM +0100, Tiago Lam wrote:
This follows the same rationale provided for the ipv4 counterpart, where it now runs a reverse socket lookup when source addresses and/or ports are changed, on sendmsg, to check whether egress traffic should be allowed to go through or not.
As with ipv4, the ipv6 sendmsg path is also extended here to support the IPV6_ORIGDSTADDR ancilliary message to be able to specify a source
Hi Tiago Lam,
Some minor nits from my side.
ancilliary -> ancillary
Likewise in patch 3/3. Flagged by checkpatch.pl --codespell
address/port.
Suggested-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: Tiago Lam <tiagolam@cloudflare.com>
net/ipv6/datagram.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++ net/ipv6/udp.c | 8 ++++-- 2 files changed, 82 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c index fff78496803d..4214dda1c320 100644 --- a/net/ipv6/datagram.c +++ b/net/ipv6/datagram.c @@ -756,6 +756,27 @@ void ip6_datagram_recv_ctl(struct sock *sk, struct msghdr *msg, } EXPORT_SYMBOL_GPL(ip6_datagram_recv_ctl); +static inline bool reverse_sk_lookup(struct flowi6 *fl6, struct sock *sk,
struct in6_addr *saddr, __be16 sport)
+{
- if (static_branch_unlikely(&bpf_sk_lookup_enabled) &&
(saddr && sport) &&
(ipv6_addr_cmp(&sk->sk_v6_rcv_saddr, saddr) || inet_sk(sk)->inet_sport != sport)) {
Please consider, where it can trivially be achieved, limiting Networking code to 80 columns wide.
Checkpatch can be run with a flag to check for this.
struct sock *sk_egress;
bpf_sk_lookup_run_v6(sock_net(sk), IPPROTO_UDP, &fl6->daddr, fl6->fl6_dport,
saddr, ntohs(sport), 0, &sk_egress);
if (!IS_ERR_OR_NULL(sk_egress) &&
atomic64_read(&sk_egress->sk_cookie) == atomic64_read(&sk->sk_cookie))
return true;
net_info_ratelimited("No reverse socket lookup match for local addr %pI6:%d remote addr %pI6:%d\n",
&saddr, ntohs(sport), &fl6->daddr, ntohs(fl6->fl6_dport));
- }
- return false;
+}
int ip6_datagram_send_ctl(struct net *net, struct sock *sk, struct msghdr *msg, struct flowi6 *fl6, struct ipcm6_cookie *ipc6)
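Review bot: the rate-limited message in the lookup-miss path passes `&saddr` to `%pI6`, but `saddr` is already a `struct in6_addr *` (see the prototype of reverse_sk_lookup), so the format helper is handed the address of the pointer variable and prints the pointer's own bytes rather than the source address; pass `saddr` directly, the same way `&fl6->daddr` is passed for the remote address, e.g. `net_info_ratelimited("... %pI6:%d remote addr %pI6:%d\n", saddr, ntohs(sport), &fl6->daddr, ntohs(fl6->fl6_dport));`. Separately, `static inline` on a helper defined in a .c file is not needed; drop the `inline` and let the compiler decide.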
...