300cc01cc3808dfacf51000f101ca6e3537fd062
[openwrt/openwrt.git] /
1 From 274c356580ec1b077ad10212c59a05b6e0b90d97 Mon Sep 17 00:00:00 2001
2 From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <toke@redhat.com>
3 Date: Wed, 29 Apr 2020 14:59:22 -0600
4 Subject: [PATCH 097/124] wireguard: receive: use tunnel helpers for
5 decapsulating ECN markings
6 MIME-Version: 1.0
7 Content-Type: text/plain; charset=UTF-8
8 Content-Transfer-Encoding: 8bit
9
10 commit eebabcb26ea1e3295704477c6cd4e772c96a9559 upstream.
11
12 WireGuard currently only propagates ECN markings on tunnel decap according
13 to the old RFC3168 specification. However, the spec has since been updated
14 in RFC6040 to recommend slightly different decapsulation semantics. This
15 was implemented in the kernel as a set of common helpers for ECN
16 decapsulation, so let's just switch over WireGuard to using those, so it
17 can benefit from this enhancement and any future tweaks. We do not drop
18 packets with invalid ECN marking combinations, because WireGuard is
19 frequently used to work around broken ISPs, which could be doing that.
20
21 Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
22 Reported-by: Olivier Tilmans <olivier.tilmans@nokia-bell-labs.com>
23 Cc: Dave Taht <dave.taht@gmail.com>
24 Cc: Rodney W. Grimes <ietf@gndrsh.dnsmgr.net>
25 Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
26 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
27 Signed-off-by: David S. Miller <davem@davemloft.net>
28 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
29 ---
30 drivers/net/wireguard/receive.c | 6 ++----
31 1 file changed, 2 insertions(+), 4 deletions(-)
32
33 --- a/drivers/net/wireguard/receive.c
34 +++ b/drivers/net/wireguard/receive.c
35 @@ -393,13 +393,11 @@ static void wg_packet_consume_data_done(
36 len = ntohs(ip_hdr(skb)->tot_len);
37 if (unlikely(len < sizeof(struct iphdr)))
38 goto dishonest_packet_size;
39 - if (INET_ECN_is_ce(PACKET_CB(skb)->ds))
40 - IP_ECN_set_ce(ip_hdr(skb));
41 + INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ip_hdr(skb)->tos);
42 } else if (skb->protocol == htons(ETH_P_IPV6)) {
43 len = ntohs(ipv6_hdr(skb)->payload_len) +
44 sizeof(struct ipv6hdr);
45 - if (INET_ECN_is_ce(PACKET_CB(skb)->ds))
46 - IP6_ECN_set_ce(skb, ipv6_hdr(skb));
47 + INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ipv6_get_dsfield(ipv6_hdr(skb)));
48 } else {
49 goto dishonest_packet_type;
50 }