target/linux/generic/backport-5.4/080-wireguard-0096-wireguard-receive-use-tunnel-helpers-for-decapsulati.patch

   1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
   2 From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <toke@redhat.com>
   3 Date: Wed, 29 Apr 2020 14:59:22 -0600
   4 Subject: [PATCH] wireguard: receive: use tunnel helpers for decapsulating ECN
   5  markings
   6 MIME-Version: 1.0
   7 Content-Type: text/plain; charset=UTF-8
   8 Content-Transfer-Encoding: 8bit
   9
  10 commit eebabcb26ea1e3295704477c6cd4e772c96a9559 upstream.
  11
  12 WireGuard currently only propagates ECN markings on tunnel decap according
  13 to the old RFC3168 specification. However, the spec has since been updated
  14 in RFC6040 to recommend slightly different decapsulation semantics. This
  15 was implemented in the kernel as a set of common helpers for ECN
  16 decapsulation, so let's just switch over WireGuard to using those, so it
  17 can benefit from this enhancement and any future tweaks. We do not drop
  18 packets with invalid ECN marking combinations, because WireGuard is
  19 frequently used to work around broken ISPs, which could be doing that.
  20
  21 Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
  22 Reported-by: Olivier Tilmans <olivier.tilmans@nokia-bell-labs.com>
  23 Cc: Dave Taht <dave.taht@gmail.com>
  24 Cc: Rodney W. Grimes <ietf@gndrsh.dnsmgr.net>
  25 Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
  26 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
  27 Signed-off-by: David S. Miller <davem@davemloft.net>
  28 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
  29 ---
  30  drivers/net/wireguard/receive.c | 6 ++----
  31  1 file changed, 2 insertions(+), 4 deletions(-)
  32
  33 --- a/drivers/net/wireguard/receive.c
  34 +++ b/drivers/net/wireguard/receive.c
  35 @@ -393,13 +393,11 @@ static void wg_packet_consume_data_done(
  36                 len = ntohs(ip_hdr(skb)->tot_len);
  37                 if (unlikely(len < sizeof(struct iphdr)))
  38                         goto dishonest_packet_size;
  39 -               if (INET_ECN_is_ce(PACKET_CB(skb)->ds))
  40 -                       IP_ECN_set_ce(ip_hdr(skb));
  41 +               INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ip_hdr(skb)->tos);
  42         } else if (skb->protocol == htons(ETH_P_IPV6)) {
  43                 len = ntohs(ipv6_hdr(skb)->payload_len) +
  44                       sizeof(struct ipv6hdr);
  45 -               if (INET_ECN_is_ce(PACKET_CB(skb)->ds))
  46 -                       IP6_ECN_set_ce(skb, ipv6_hdr(skb));
  47 +               INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ipv6_get_dsfield(ipv6_hdr(skb)));
  48         } else {
  49                 goto dishonest_packet_type;
  50         }