mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-30 10:39:04 +00:00
51 lines
2.2 KiB
Diff
51 lines
2.2 KiB
Diff
|
From 274c356580ec1b077ad10212c59a05b6e0b90d97 Mon Sep 17 00:00:00 2001
|
||
|
From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <toke@redhat.com>
|
||
|
Date: Wed, 29 Apr 2020 14:59:22 -0600
|
||
|
Subject: [PATCH 097/124] wireguard: receive: use tunnel helpers for
|
||
|
decapsulating ECN markings
|
||
|
MIME-Version: 1.0
|
||
|
Content-Type: text/plain; charset=UTF-8
|
||
|
Content-Transfer-Encoding: 8bit
|
||
|
|
||
|
commit eebabcb26ea1e3295704477c6cd4e772c96a9559 upstream.
|
||
|
|
||
|
WireGuard currently only propagates ECN markings on tunnel decap according
|
||
|
to the old RFC3168 specification. However, the spec has since been updated
|
||
|
in RFC6040 to recommend slightly different decapsulation semantics. This
|
||
|
was implemented in the kernel as a set of common helpers for ECN
|
||
|
decapsulation, so let's just switch over WireGuard to using those, so it
|
||
|
can benefit from this enhancement and any future tweaks. We do not drop
|
||
|
packets with invalid ECN marking combinations, because WireGuard is
|
||
|
frequently used to work around broken ISPs, which could be doing that.
|
||
|
|
||
|
Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
|
||
|
Reported-by: Olivier Tilmans <olivier.tilmans@nokia-bell-labs.com>
|
||
|
Cc: Dave Taht <dave.taht@gmail.com>
|
||
|
Cc: Rodney W. Grimes <ietf@gndrsh.dnsmgr.net>
|
||
|
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
|
||
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
||
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||
|
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
|
||
|
---
|
||
|
drivers/net/wireguard/receive.c | 6 ++----
|
||
|
1 file changed, 2 insertions(+), 4 deletions(-)
|
||
|
|
||
|
--- a/drivers/net/wireguard/receive.c
|
||
|
+++ b/drivers/net/wireguard/receive.c
|
||
|
@@ -393,13 +393,11 @@ static void wg_packet_consume_data_done(
|
||
|
len = ntohs(ip_hdr(skb)->tot_len);
|
||
|
if (unlikely(len < sizeof(struct iphdr)))
|
||
|
goto dishonest_packet_size;
|
||
|
- if (INET_ECN_is_ce(PACKET_CB(skb)->ds))
|
||
|
- IP_ECN_set_ce(ip_hdr(skb));
|
||
|
+ INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ip_hdr(skb)->tos);
|
||
|
} else if (skb->protocol == htons(ETH_P_IPV6)) {
|
||
|
len = ntohs(ipv6_hdr(skb)->payload_len) +
|
||
|
sizeof(struct ipv6hdr);
|
||
|
- if (INET_ECN_is_ce(PACKET_CB(skb)->ds))
|
||
|
- IP6_ECN_set_ce(skb, ipv6_hdr(skb));
|
||
|
+ INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ipv6_get_dsfield(ipv6_hdr(skb)));
|
||
|
} else {
|
||
|
goto dishonest_packet_type;
|
||
|
}
|