target/linux/generic/backport-5.4/080-wireguard-0096-wireguard-receive-use-tunnel-helpers-for-decapsulati.patch - T108 - Gitiles

 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <toke@redhat.com>
 Date: Wed, 29 Apr 2020 14:59:22 -0600
 Subject: [PATCH] wireguard: receive: use tunnel helpers for decapsulating ECN
  markings
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit

 commit eebabcb26ea1e3295704477c6cd4e772c96a9559 upstream.

 WireGuard currently only propagates ECN markings on tunnel decap according
 to the old RFC3168 specification. However, the spec has since been updated
 in RFC6040 to recommend slightly different decapsulation semantics. This
 was implemented in the kernel as a set of common helpers for ECN
 decapsulation, so let's just switch over WireGuard to using those, so it
 can benefit from this enhancement and any future tweaks. We do not drop
 packets with invalid ECN marking combinations, because WireGuard is
 frequently used to work around broken ISPs, which could be doing that.

 Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
 Reported-by: Olivier Tilmans <olivier.tilmans@nokia-bell-labs.com>
 Cc: Dave Taht <dave.taht@gmail.com>
 Cc: Rodney W. Grimes <ietf@gndrsh.dnsmgr.net>
 Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
 ---
  drivers/net/wireguard/receive.c | 6 ++----
  1 file changed, 2 insertions(+), 4 deletions(-)

 --- a/drivers/net/wireguard/receive.c
 +++ b/drivers/net/wireguard/receive.c
 @@ -393,13 +393,11 @@ static void wg_packet_consume_data_done(
  		len = ntohs(ip_hdr(skb)->tot_len);
  		if (unlikely(len < sizeof(struct iphdr)))
  			goto dishonest_packet_size;
 -		if (INET_ECN_is_ce(PACKET_CB(skb)->ds))
 -			IP_ECN_set_ce(ip_hdr(skb));
 +		INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ip_hdr(skb)->tos);
  	} else if (skb->protocol == htons(ETH_P_IPV6)) {
  		len = ntohs(ipv6_hdr(skb)->payload_len) +
  		      sizeof(struct ipv6hdr);
 -		if (INET_ECN_is_ce(PACKET_CB(skb)->ds))
 -			IP6_ECN_set_ce(skb, ipv6_hdr(skb));
 +		INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ipv6_get_dsfield(ipv6_hdr(skb)));
  	} else {
  		goto dishonest_packet_type;
  	}
	From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
	From: =?UTF-8?q?Toke=20H=C3=B8iland-J=C3=B8rgensen?= <toke@redhat.com>
	Date: Wed, 29 Apr 2020 14:59:22 -0600
	Subject: [PATCH] wireguard: receive: use tunnel helpers for decapsulating ECN
	markings
	MIME-Version: 1.0
	Content-Type: text/plain; charset=UTF-8
	Content-Transfer-Encoding: 8bit

	commit eebabcb26ea1e3295704477c6cd4e772c96a9559 upstream.

	WireGuard currently only propagates ECN markings on tunnel decap according
	to the old RFC3168 specification. However, the spec has since been updated
	in RFC6040 to recommend slightly different decapsulation semantics. This
	was implemented in the kernel as a set of common helpers for ECN
	decapsulation, so let's just switch over WireGuard to using those, so it
	can benefit from this enhancement and any future tweaks. We do not drop
	packets with invalid ECN marking combinations, because WireGuard is
	frequently used to work around broken ISPs, which could be doing that.

	Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
	Reported-by: Olivier Tilmans <olivier.tilmans@nokia-bell-labs.com>
	Cc: Dave Taht <dave.taht@gmail.com>
	Cc: Rodney W. Grimes <ietf@gndrsh.dnsmgr.net>
	Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
	Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
	---
	drivers/net/wireguard/receive.c \| 6 ++----
	1 file changed, 2 insertions(+), 4 deletions(-)

	--- a/drivers/net/wireguard/receive.c
	+++ b/drivers/net/wireguard/receive.c
	@@ -393,13 +393,11 @@ static void wg_packet_consume_data_done(
	len = ntohs(ip_hdr(skb)->tot_len);
	if (unlikely(len < sizeof(struct iphdr)))
	goto dishonest_packet_size;
	- if (INET_ECN_is_ce(PACKET_CB(skb)->ds))
	- IP_ECN_set_ce(ip_hdr(skb));
	+ INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ip_hdr(skb)->tos);
	} else if (skb->protocol == htons(ETH_P_IPV6)) {
	len = ntohs(ipv6_hdr(skb)->payload_len) +
	sizeof(struct ipv6hdr);
	- if (INET_ECN_is_ce(PACKET_CB(skb)->ds))
	- IP6_ECN_set_ce(skb, ipv6_hdr(skb));
	+ INET_ECN_decapsulate(skb, PACKET_CB(skb)->ds, ipv6_get_dsfield(ipv6_hdr(skb)));
	} else {
	goto dishonest_packet_type;
	}