    ipv6: Don't use ufo handling on later transformed packets · 3b805031
    Jakub Sitnicki authored
    commit f89c56ce upstream.
    
    Similar to commit c146066a ("ipv4: Don't use ufo handling on later
    transformed packets"), don't perform UFO on packets that will be IPsec
    transformed. To detect it we rely on the fact that headerlen in
    dst_entry is non-zero only for transformation bundles (xfrm_dst
    objects).
    
    Unwanted segmentation can be observed with a NETIF_F_UFO capable device,
    such as a dummy device:
    
      DEV=dum0 LEN=1493
    
      ip li add $DEV type dummy
      ip addr add fc00::1/64 dev $DEV nodad
      ip link set $DEV up
      ip xfrm policy add dir out src fc00::1 dst fc00::2 \
         tmpl src fc00::1 dst fc00::2 proto esp spi 1
      ip xfrm state add src fc00::1 dst fc00::2 \
         proto esp spi 1 enc 'aes' 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b
    
      tcpdump -n -nn -i $DEV -t &
      socat /dev/zero,readbytes=$LEN udp6:[fc00::2]:$LEN
    
    tcpdump output before:
    
      IP6 fc00::1 > fc00::2: frag (0|1448) ESP(spi=0x00000001,seq=0x1), length 1448
      IP6 fc00::1 > fc00::2: frag (1448|48)
      IP6 fc00::1 > fc00::2: ESP(spi=0x00000001,seq=0x2), length 88
    
    ... and after:
    
      IP6 fc00::1 > fc00::2: frag (0|1448) ESP(spi=0x00000001,seq=0x1), length 1448
      IP6 fc00::1 > fc00::2: frag (1448|80)
    
    Fixes: e89e9cf5 ("[IPv4/IPv6]: UFO Scatter-gather approach")
    Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
    Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
ip6_output.c 40.7 KB
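The before/after captures in the commit message can be checked mechanically when re-running the reproducer on a backported kernel. The script below is an added example, not part of the commit or the kernel tree; the function names are hypothetical, and it assumes exactly one UDP datagram was sent, so one ESP sequence number is expected in the capture.

```shell
#!/bin/sh
# Added example: classify tcpdump text output from the reproducer in the
# commit message. Assumption: one datagram sent, so one ESP seq expected.

# The two captures, copied from the commit message.
BEFORE='IP6 fc00::1 > fc00::2: frag (0|1448) ESP(spi=0x00000001,seq=0x1), length 1448
IP6 fc00::1 > fc00::2: frag (1448|48)
IP6 fc00::1 > fc00::2: ESP(spi=0x00000001,seq=0x2), length 88'

AFTER='IP6 fc00::1 > fc00::2: frag (0|1448) ESP(spi=0x00000001,seq=0x1), length 1448
IP6 fc00::1 > fc00::2: frag (1448|80)'

# Print the number of distinct ESP sequence numbers read from stdin.
count_esp_seqs() {
    sed -n 's/.*ESP(spi=0x[0-9a-fA-F]*,seq=\(0x[0-9a-fA-F]*\)).*/\1/p' |
        sort -u | wc -l | tr -d ' '
}

# Print the sum of the fragment sizes, the N in "frag (offset|N)".
frag_bytes() {
    sed -n 's/.*frag ([0-9]*|\([0-9]*\)).*/\1/p' |
        awk '{ s += $1 } END { print s + 0 }'
}

# Return 0 when the capture in $1 shows one datagram spread over
# several ESP packets, i.e. segmentation happened before the transform.
ufo_split_detected() {
    [ "$(printf '%s\n' "$1" | count_esp_seqs)" -gt 1 ]
}

ufo_split_detected "$BEFORE" && echo "before: datagram split across ESP packets"
ufo_split_detected "$AFTER" || echo "after: one ESP packet, fragmented after the transform"
```

To check a live run, save the `tcpdump -n -nn -i $DEV -t` output to a file and pass its contents as the argument to `ufo_split_detected`.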