On Sat, Sep 14, 2024 at 01:40:25PM +0200, Eric Dumazet wrote:
On Fri, Sep 13, 2024 at 11:39 AM Tiago Lam tiagolam@cloudflare.com wrote:
This follows the same rationale provided for the ipv4 counterpart, where it now runs a reverse socket lookup when source addresses and/or ports are changed, on sendmsg, to check whether egress traffic should be allowed to go through or not.
As with ipv4, the ipv6 sendmsg path is also extended here to support the IPV6_ORIGDSTADDR ancillary message to be able to specify a source address/port.
Suggested-by: Jakub Sitnicki jakub@cloudflare.com Signed-off-by: Tiago Lam tiagolam@cloudflare.com
net/ipv6/datagram.c | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++ net/ipv6/udp.c | 8 ++++-- 2 files changed, 82 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c index fff78496803d..4214dda1c320 100644 --- a/net/ipv6/datagram.c +++ b/net/ipv6/datagram.c @@ -756,6 +756,27 @@ void ip6_datagram_recv_ctl(struct sock *sk, struct msghdr *msg, } EXPORT_SYMBOL_GPL(ip6_datagram_recv_ctl);
+static inline bool reverse_sk_lookup(struct flowi6 *fl6, struct sock *sk,
struct in6_addr *saddr, __be16 sport)
+{
if (static_branch_unlikely(&bpf_sk_lookup_enabled) &&
(saddr && sport) &&
(ipv6_addr_cmp(&sk->sk_v6_rcv_saddr, saddr) || inet_sk(sk)->inet_sport != sport)) {
struct sock *sk_egress;
bpf_sk_lookup_run_v6(sock_net(sk), IPPROTO_UDP, &fl6->daddr, fl6->fl6_dport,
saddr, ntohs(sport), 0, &sk_egress);
if (!IS_ERR_OR_NULL(sk_egress) &&
atomic64_read(&sk_egress->sk_cookie) == atomic64_read(&sk->sk_cookie))
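Review bot: the cookie equality test on the last two visible lines, `atomic64_read(&sk_egress->sk_cookie) == atomic64_read(&sk->sk_cookie)`, does not establish that the two sockets are the same one: sk_cookie is assigned lazily by __sock_gen_cookie(), so sockets that never had a cookie generated read as 0 and would compare equal. Since the intent is to check that the sk_lookup program selected the sending socket itself, compare the pointers directly, `sk_egress == sk`, and drop the two cookie reads. Minor: `static inline` on a function defined in a .c file is unnecessary; plain `static` lets the compiler decide.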
I do not understand this.
- sk_cookie is not always initialized. It is done on demand, when/if __sock_gen_cookie() was called.
- if sk1 and sk2 share the same sk_cookie, then sk1 == sk2 ???
So why not simply test sk_egress == sk?
Oh, yes, you're right. I'll include this in my next revision, thanks.