
Commit 9b42c1f1 authored by Steffen Klassert's avatar Steffen Klassert

xfrm: Extend the output_mark to support input direction and masking.



We already support setting an output mark at the xfrm_state,
unfortunately this does not support the input direction and
masking the marks that will be applied to the skb. This change
adds support for applying a masked value in both directions.

The existing XFRMA_OUTPUT_MARK number is reused for this purpose
and as it is now bi-directional, it is renamed to XFRMA_SET_MARK.

An additional XFRMA_SET_MARK_MASK attribute is added for setting the
mask. If the mask attribute is not provided, it is set to 0xffffffff,
keeping the XFRMA_OUTPUT_MARK existing 'full mask' semantics.

Co-developed-by: default avatarTobias Brunner <tobias@strongswan.org>
Co-developed-by: default avatarEyal Birger <eyal.birger@gmail.com>
Co-developed-by: default avatarLorenzo Colitti <lorenzo@google.com>
Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: default avatarTobias Brunner <tobias@strongswan.org>
Signed-off-by: default avatarEyal Birger <eyal.birger@gmail.com>
Signed-off-by: default avatarLorenzo Colitti <lorenzo@google.com>
parent dd55c4ea
+8 −1
@@ -166,7 +166,7 @@ struct xfrm_state {
		int		header_len;
		int		trailer_len;
		u32		extra_flags;
		u32		output_mark;
		struct xfrm_mark	smark;
	} props;

	struct xfrm_lifetime_cfg lft;
@@ -2012,6 +2012,13 @@ static inline int xfrm_mark_put(struct sk_buff *skb, const struct xfrm_mark *m)
	return ret;
}

static inline __u32 xfrm_smark_get(__u32 mark, struct xfrm_state *x)
{
	struct xfrm_mark *m = &x->props.smark;

	return (m->v & m->m) | (mark & ~m->m);
}

static inline int xfrm_tunnel_check(struct sk_buff *skb, struct xfrm_state *x,
				    unsigned int family)
{
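Review bot: `xfrm_smark_get()` takes a non-const `struct xfrm_state *x` although it only reads `x->props.smark`; declaring it `const struct xfrm_state *x` with a `const struct xfrm_mark *m` local would match `xfrm_mark_put()` in the hunk header, which already takes a `const struct xfrm_mark *`. The helper also has no comment, and its mask semantics matter to anyone who matches on marks in routing or firewall rules. A one-line comment such as `/* Bits set in smark.m are taken from smark.v; all other bits of @mark are preserved. */` would make it clear that a zero mask leaves the mark untouched. `xfrm_tunnel_check()` continues outside the hunk.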
+3 −1
@@ -305,9 +305,11 @@ enum xfrm_attr_type_t {
	XFRMA_ADDRESS_FILTER,	/* struct xfrm_address_filter */
	XFRMA_PAD,
	XFRMA_OFFLOAD_DEV,	/* struct xfrm_state_offload */
	XFRMA_OUTPUT_MARK,	/* __u32 */
	XFRMA_SET_MARK,		/* __u32 */
	XFRMA_SET_MARK_MASK,	/* __u32 */
	__XFRMA_MAX

#define XFRMA_OUTPUT_MARK XFRMA_SET_MARK	/* Compatibility */
#define XFRMA_MAX (__XFRMA_MAX - 1)
};
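Review bot: The new `XFRMA_SET_MARK_MASK` entry is documented only as `/* __u32 */`, so the UAPI header does not tell userspace what happens when the mask is omitted. The commit description says the mask is then set to 0xffffffff, and the comment could record that, for example `XFRMA_SET_MARK_MASK,	/* __u32, 0xffffffff if omitted */`. The enum body starts outside this hunk.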

+2 −1
@@ -162,7 +162,8 @@ int xfrm_dev_state_add(struct net *net, struct xfrm_state *x,
		}

		dst = __xfrm_dst_lookup(net, 0, 0, saddr, daddr,
					x->props.family, x->props.output_mark);
					x->props.family,
					xfrm_smark_get(0, x));
		if (IS_ERR(dst))
			return 0;

+2 −0
@@ -339,6 +339,8 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
			goto drop;
		}

		skb->mark = xfrm_smark_get(skb->mark, x);

		skb->sp->xvec[skb->sp->len++] = x;

lock:
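Review bot: The added `skb->mark = xfrm_smark_get(skb->mark, x);` carries no comment, yet it changes what mark-based routing and netfilter rules see on inbound traffic. Because `XFRMA_OUTPUT_MARK` is now only a compatibility alias for `XFRMA_SET_MARK`, a state configured with the old output-only attribute appears to rewrite the mark of received packets as well. The assignment also sits before the `lock:` label, and this hunk does not show whether the packet has been verified by that point, since `xfrm_input()` continues outside it. If it has not, consider applying the mark only after verification succeeds. A suggested comment is `/* Apply the SA's set-mark; bits covered by smark.m override the incoming skb->mark. */`.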
+1 −2
@@ -66,8 +66,7 @@ static int xfrm_output_one(struct sk_buff *skb, int err)
			goto error_nolock;
		}

		if (x->props.output_mark)
			skb->mark = x->props.output_mark;
		skb->mark = xfrm_smark_get(skb->mark, x);

		err = x->outer_mode->output(x, skb);
		if (err) {
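Review bot: Dropping the `if (x->props.output_mark)` guard makes the assignment to `skb->mark` unconditional, so the old "zero means leave the mark alone" behaviour now depends entirely on `smark.m` being 0 for states created without the attribute. The initialisation of `smark` is not visible on this page, so that invariant should be confirmed. It is also worth confirming that an explicit mark of 0 with no mask is meant to clear `skb->mark`, since the description says the mask then becomes 0xffffffff and this used to be a no-op. A short comment such as `/* smark.m == 0 leaves skb->mark unchanged */` would record the invariant. `xfrm_output_one()` continues outside the hunk.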