Re: [PATCH net-next v2 4/6] vxlan: check valid combinations of address scopes
On 4/16/17, 8:03 AM, Matthias Schiffer wrote:
> On 04/14/2017 07:36 PM, Stephen Hemminger wrote:
>> On Fri, 14 Apr 2017 18:44:44 +0200
>> Matthias Schiffer wrote:
>>
>>> diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
>>> index 07f89b037681..95a71546e8f2 100644
>>> --- a/drivers/net/vxlan.c
>>> +++ b/drivers/net/vxlan.c
>>> @@ -2881,11 +2881,39 @@ static int vxlan_config_validate(struct net
>>> *src_net, struct vxlan_config *conf,
>>> if (conf->saddr.sa.sa_family != conf->remote_ip.sa.sa_family)
>>> return -EINVAL;
>>>
>>> + if (vxlan_addr_multicast(&conf->saddr))
>>> + return -EINVAL;
>>> +
>>> if (conf->saddr.sa.sa_family == AF_INET6) {
>>> if (!IS_ENABLED(CONFIG_IPV6))
>>> return -EPFNOSUPPORT;
>>> use_ipv6 = true;
>>> conf->flags |= VXLAN_F_IPV6;
>>> +
>>> + if (!(conf->flags & VXLAN_F_COLLECT_METADATA)) {
>>> + int local_type =
>>> + ipv6_addr_type(&conf->saddr.sin6.sin6_addr);
>>> + int remote_type =
>>> + ipv6_addr_type(&conf->remote_ip.sin6.sin6_addr);
>>> +
>>> + if (local_type & IPV6_ADDR_LINKLOCAL) {
>>> + if (!(remote_type & IPV6_ADDR_LINKLOCAL) &&
>>> + (remote_type != IPV6_ADDR_ANY)) {
>>> + pr_info("invalid combination of address
>>> scopes\n");
>> It is always helpful to include device if possible in error message.
>> netdev_notice(old->dev, " invalid
>> combination of address scopes\n");
> That makes sense, I'll change it in v3.
I think it should just return -EINVAL here since this is in response to a
netlink call from user-space.
I dont think we should print anything but like stephen says use the extended
ack mechanism to propagate more information
about the error.
>
>> Also vxlan is good candidate for extended netlink error reporting.
> Can you point me to a piece of code that does this? Unless you insist, I
> wouldn't do it in this patchset, but I might implement the extended error
> reporting later.
>
For rtnetlink users (vxlan is one of them) this is still in the works... see
patch "net: rtnetlink: plumb extended ack to doit function"
Re: [PATCH net-next v2 4/6] vxlan: check valid combinations of address scopes
On 04/14/2017 07:36 PM, Stephen Hemminger wrote:
> On Fri, 14 Apr 2017 18:44:44 +0200
> Matthias Schiffer wrote:
>
>> diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
>> index 07f89b037681..95a71546e8f2 100644
>> --- a/drivers/net/vxlan.c
>> +++ b/drivers/net/vxlan.c
>> @@ -2881,11 +2881,39 @@ static int vxlan_config_validate(struct net
>> *src_net, struct vxlan_config *conf,
>> if (conf->saddr.sa.sa_family != conf->remote_ip.sa.sa_family)
>> return -EINVAL;
>>
>> +if (vxlan_addr_multicast(&conf->saddr))
>> +return -EINVAL;
>> +
>> if (conf->saddr.sa.sa_family == AF_INET6) {
>> if (!IS_ENABLED(CONFIG_IPV6))
>> return -EPFNOSUPPORT;
>> use_ipv6 = true;
>> conf->flags |= VXLAN_F_IPV6;
>> +
>> +if (!(conf->flags & VXLAN_F_COLLECT_METADATA)) {
>> +int local_type =
>> +ipv6_addr_type(&conf->saddr.sin6.sin6_addr);
>> +int remote_type =
>> +ipv6_addr_type(&conf->remote_ip.sin6.sin6_addr);
>> +
>> +if (local_type & IPV6_ADDR_LINKLOCAL) {
>> +if (!(remote_type & IPV6_ADDR_LINKLOCAL) &&
>> +(remote_type != IPV6_ADDR_ANY)) {
>> +pr_info("invalid combination of address
>> scopes\n");
>
> It is always helpful to include device if possible in error message.
> netdev_notice(old->dev, " invalid
> combination of address scopes\n");
That makes sense, I'll change it in v3.
> Also vxlan is good candidate for extended netlink error reporting.
Can you point me to a piece of code that does this? Unless you insist, I
wouldn't do it in this patchset, but I might implement the extended error
reporting later.
Matthias
signature.asc
Description: OpenPGP digital signature
Re: [PATCH net-next v2 4/6] vxlan: check valid combinations of address scopes
On 04/14/2017 07:27 PM, Sergei Shtylyov wrote:
> On 04/14/2017 07:44 PM, Matthias Schiffer wrote:
>
>> * Multicast addresses are never valid as local address
>> * Link-local IPv6 unicast addresses may only be used as remote when the
>> local address is link-local as well
>> * Don't allow link-local IPv6 local/remote addresses without interface
>>
>> We also store in the flags field if link-local addresses are used for the
>> follow-up patches that actually make VXLAN over link-local IPv6 work.
>>
>> Signed-off-by: Matthias Schiffer
>> ---
>>
>> v2: was "vxlan: don't allow link-local IPv6 local/remote addresses without
>> interface" before. v2 does a lot more checks and adds the
>> VXLAN_F_IPV6_LINKLOCAL flag.
>>
>> drivers/net/vxlan.c | 35 +++
>> include/net/vxlan.h | 2 ++
>> 2 files changed, 37 insertions(+)
>>
>> diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
>> index 07f89b037681..95a71546e8f2 100644
>> --- a/drivers/net/vxlan.c
>> +++ b/drivers/net/vxlan.c
>> @@ -2881,11 +2881,39 @@ static int vxlan_config_validate(struct net
>> *src_net, struct vxlan_config *conf,
>> if (conf->saddr.sa.sa_family != conf->remote_ip.sa.sa_family)
>> return -EINVAL;
>>
>> +if (vxlan_addr_multicast(&conf->saddr))
>> +return -EINVAL;
>> +
>> if (conf->saddr.sa.sa_family == AF_INET6) {
>> if (!IS_ENABLED(CONFIG_IPV6))
>> return -EPFNOSUPPORT;
>> use_ipv6 = true;
>> conf->flags |= VXLAN_F_IPV6;
>> +
>> +if (!(conf->flags & VXLAN_F_COLLECT_METADATA)) {
>> +int local_type =
>> +ipv6_addr_type(&conf->saddr.sin6.sin6_addr);
>> +int remote_type =
>> +ipv6_addr_type(&conf->remote_ip.sin6.sin6_addr);
>> +
>> +if (local_type & IPV6_ADDR_LINKLOCAL) {
>> +if (!(remote_type & IPV6_ADDR_LINKLOCAL) &&
>> +(remote_type != IPV6_ADDR_ANY)) {
>> +pr_info("invalid combination of address scopes\n");
>
>Maybe pr_err()?
Hmm, I mostly followed the style of the existing code, which uses pr_info
for such messages. Also, these messages can be triggered by userspace, as
they're diagnostics for the newlink/changelink operations; I'm not
convinced that their importance justifies pr_err().
Generally, it seems unusual to me to use the kernel log for configuration
diagnostics at all; just removing the messages would be another option.
Stephen also mentioned "extended netlink error reporting", but I guess that
can be done in another patchset.
Matthias
signature.asc
Description: OpenPGP digital signature
Re: [PATCH net-next v2 4/6] vxlan: check valid combinations of address scopes
On Fri, 14 Apr 2017 18:44:44 +0200
Matthias Schiffer wrote:
> diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
> index 07f89b037681..95a71546e8f2 100644
> --- a/drivers/net/vxlan.c
> +++ b/drivers/net/vxlan.c
> @@ -2881,11 +2881,39 @@ static int vxlan_config_validate(struct net *src_net,
> struct vxlan_config *conf,
> if (conf->saddr.sa.sa_family != conf->remote_ip.sa.sa_family)
> return -EINVAL;
>
> + if (vxlan_addr_multicast(&conf->saddr))
> + return -EINVAL;
> +
> if (conf->saddr.sa.sa_family == AF_INET6) {
> if (!IS_ENABLED(CONFIG_IPV6))
> return -EPFNOSUPPORT;
> use_ipv6 = true;
> conf->flags |= VXLAN_F_IPV6;
> +
> + if (!(conf->flags & VXLAN_F_COLLECT_METADATA)) {
> + int local_type =
> + ipv6_addr_type(&conf->saddr.sin6.sin6_addr);
> + int remote_type =
> + ipv6_addr_type(&conf->remote_ip.sin6.sin6_addr);
> +
> + if (local_type & IPV6_ADDR_LINKLOCAL) {
> + if (!(remote_type & IPV6_ADDR_LINKLOCAL) &&
> + (remote_type != IPV6_ADDR_ANY)) {
> + pr_info("invalid combination of address
> scopes\n");
It is always helpful to include device if possible in error message.
netdev_notice(old->dev, " invalid
combination of address scopes\n");
Also vxlan is good candidate for extended netlink error reporting.
Re: [PATCH net-next v2 4/6] vxlan: check valid combinations of address scopes
On 04/14/2017 07:44 PM, Matthias Schiffer wrote:
* Multicast addresses are never valid as local address
* Link-local IPv6 unicast addresses may only be used as remote when the
local address is link-local as well
* Don't allow link-local IPv6 local/remote addresses without interface
We also store in the flags field if link-local addresses are used for the
follow-up patches that actually make VXLAN over link-local IPv6 work.
Signed-off-by: Matthias Schiffer
---
v2: was "vxlan: don't allow link-local IPv6 local/remote addresses without
interface" before. v2 does a lot more checks and adds the
VXLAN_F_IPV6_LINKLOCAL flag.
drivers/net/vxlan.c | 35 +++
include/net/vxlan.h | 2 ++
2 files changed, 37 insertions(+)
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index 07f89b037681..95a71546e8f2 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -2881,11 +2881,39 @@ static int vxlan_config_validate(struct net *src_net,
struct vxlan_config *conf,
if (conf->saddr.sa.sa_family != conf->remote_ip.sa.sa_family)
return -EINVAL;
+ if (vxlan_addr_multicast(&conf->saddr))
+ return -EINVAL;
+
if (conf->saddr.sa.sa_family == AF_INET6) {
if (!IS_ENABLED(CONFIG_IPV6))
return -EPFNOSUPPORT;
use_ipv6 = true;
conf->flags |= VXLAN_F_IPV6;
+
+ if (!(conf->flags & VXLAN_F_COLLECT_METADATA)) {
+ int local_type =
+ ipv6_addr_type(&conf->saddr.sin6.sin6_addr);
+ int remote_type =
+ ipv6_addr_type(&conf->remote_ip.sin6.sin6_addr);
+
+ if (local_type & IPV6_ADDR_LINKLOCAL) {
+ if (!(remote_type & IPV6_ADDR_LINKLOCAL) &&
+ (remote_type != IPV6_ADDR_ANY)) {
+ pr_info("invalid combination of address
scopes\n");
Maybe pr_err()?
+ return -EINVAL;
+ }
+
+ conf->flags |= VXLAN_F_IPV6_LINKLOCAL;
+ } else {
+ if (remote_type ==
+ (IPV6_ADDR_UNICAST | IPV6_ADDR_LINKLOCAL)) {
+ pr_info("invalid combination of address
scopes\n");
Here as well...
+ return -EINVAL;
+ }
+
+ conf->flags &= ~VXLAN_F_IPV6_LINKLOCAL;
+ }
+ }
}
if (conf->label && !use_ipv6) {
[...]
MBR, Sergei
[PATCH net-next v2 4/6] vxlan: check valid combinations of address scopes
* Multicast addresses are never valid as local address
* Link-local IPv6 unicast addresses may only be used as remote when the
local address is link-local as well
* Don't allow link-local IPv6 local/remote addresses without interface
We also store in the flags field if link-local addresses are used for the
follow-up patches that actually make VXLAN over link-local IPv6 work.
Signed-off-by: Matthias Schiffer
---
v2: was "vxlan: don't allow link-local IPv6 local/remote addresses without
interface" before. v2 does a lot more checks and adds the
VXLAN_F_IPV6_LINKLOCAL flag.
drivers/net/vxlan.c | 35 +++
include/net/vxlan.h | 2 ++
2 files changed, 37 insertions(+)
diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index 07f89b037681..95a71546e8f2 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -2881,11 +2881,39 @@ static int vxlan_config_validate(struct net *src_net,
struct vxlan_config *conf,
if (conf->saddr.sa.sa_family != conf->remote_ip.sa.sa_family)
return -EINVAL;
+ if (vxlan_addr_multicast(&conf->saddr))
+ return -EINVAL;
+
if (conf->saddr.sa.sa_family == AF_INET6) {
if (!IS_ENABLED(CONFIG_IPV6))
return -EPFNOSUPPORT;
use_ipv6 = true;
conf->flags |= VXLAN_F_IPV6;
+
+ if (!(conf->flags & VXLAN_F_COLLECT_METADATA)) {
+ int local_type =
+ ipv6_addr_type(&conf->saddr.sin6.sin6_addr);
+ int remote_type =
+ ipv6_addr_type(&conf->remote_ip.sin6.sin6_addr);
+
+ if (local_type & IPV6_ADDR_LINKLOCAL) {
+ if (!(remote_type & IPV6_ADDR_LINKLOCAL) &&
+ (remote_type != IPV6_ADDR_ANY)) {
+ pr_info("invalid combination of address
scopes\n");
+ return -EINVAL;
+ }
+
+ conf->flags |= VXLAN_F_IPV6_LINKLOCAL;
+ } else {
+ if (remote_type ==
+ (IPV6_ADDR_UNICAST | IPV6_ADDR_LINKLOCAL)) {
+ pr_info("invalid combination of address
scopes\n");
+ return -EINVAL;
+ }
+
+ conf->flags &= ~VXLAN_F_IPV6_LINKLOCAL;
+ }
+ }
}
if (conf->label && !use_ipv6) {
@@ -2920,6 +2948,13 @@ static int vxlan_config_validate(struct net *src_net,
struct vxlan_config *conf,
return -EINVAL;
}
+#if IS_ENABLED(CONFIG_IPV6)
+ if (conf->flags & VXLAN_F_IPV6_LINKLOCAL) {
+ pr_info("link-local local/remote addresses require
interface to be specified\n");
+ return -EINVAL;
+ }
+#endif
+
*lower = NULL;
}
diff --git a/include/net/vxlan.h b/include/net/vxlan.h
index 479bb75789ea..b816a0a6686e 100644
--- a/include/net/vxlan.h
+++ b/include/net/vxlan.h
@@ -258,6 +258,7 @@ struct vxlan_dev {
#define VXLAN_F_REMCSUM_NOPARTIAL 0x1000
#define VXLAN_F_COLLECT_METADATA 0x2000
#define VXLAN_F_GPE0x4000
+#define VXLAN_F_IPV6_LINKLOCAL 0x8000
/* Flags that are used in the receive path. These flags must match in
* order for a socket to be shareable
@@ -272,6 +273,7 @@ struct vxlan_dev {
/* Flags that can be set together with VXLAN_F_GPE. */
#define VXLAN_F_ALLOWED_GPE(VXLAN_F_GPE | \
VXLAN_F_IPV6 | \
+VXLAN_F_IPV6_LINKLOCAL | \
VXLAN_F_UDP_ZERO_CSUM_TX | \
VXLAN_F_UDP_ZERO_CSUM6_TX |\
VXLAN_F_UDP_ZERO_CSUM6_RX |\
--
2.12.2
