From: Greg Kroah-Hartman Date: Wed, 12 Jun 2024 13:45:26 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.19.316~124 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7ca60437e916fa6c0a028e5d2f1efd5a358cda3b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: vxlan-fix-regression-when-dropping-packets-due-to-invalid-src-addresses.patch --- diff --git a/queue-5.4/series b/queue-5.4/series index f38043fc7b8..69d098e4e96 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -167,3 +167,4 @@ mmc-core-do-not-force-a-retune-before-rpmb-switch.patch io_uring-fail-nop-if-non-zero-op-flags-is-passed-in.patch afs-don-t-cross-.backup-mountpoint-from-backup-volume.patch nilfs2-fix-use-after-free-of-timer-for-log-writer-thread.patch +vxlan-fix-regression-when-dropping-packets-due-to-invalid-src-addresses.patch diff --git a/queue-5.4/vxlan-fix-regression-when-dropping-packets-due-to-invalid-src-addresses.patch b/queue-5.4/vxlan-fix-regression-when-dropping-packets-due-to-invalid-src-addresses.patch new file mode 100644 index 00000000000..e7dba7ab26f --- /dev/null +++ b/queue-5.4/vxlan-fix-regression-when-dropping-packets-due-to-invalid-src-addresses.patch 
@@ -0,0 +1,62 @@ +From 1cd4bc987abb2823836cbb8f887026011ccddc8a Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Mon, 3 Jun 2024 10:59:26 +0200 +Subject: vxlan: Fix regression when dropping packets due to invalid src addresses + +From: Daniel Borkmann + +commit 1cd4bc987abb2823836cbb8f887026011ccddc8a upstream. + +Commit f58f45c1e5b9 ("vxlan: drop packets from invalid src-address") +has recently been added to vxlan mainly in the context of source +address snooping/learning so that when it is enabled, an entry in the +FDB is not being created for an invalid address for the corresponding +tunnel endpoint. + +Before commit f58f45c1e5b9 vxlan was similarly behaving as geneve in +that it passed through whichever macs were set in the L2 header. It +turns out that this change in behavior breaks setups, for example, +Cilium with netkit in L3 mode for Pods as well as tunnel mode has been +passing before the change in f58f45c1e5b9 for both vxlan and geneve. +After mentioned change it is only passing for geneve as in case of +vxlan packets are dropped due to vxlan_set_mac() returning false as +source and destination macs are zero which for E/W traffic via tunnel +is totally fine. + +Fix it by only opting into the is_valid_ether_addr() check in +vxlan_set_mac() when in fact source address snooping/learning is +actually enabled in vxlan. This is done by moving the check into +vxlan_snoop(). With this change, the Cilium connectivity test suite +passes again for both tunnel flavors. + +Fixes: f58f45c1e5b9 ("vxlan: drop packets from invalid src-address") +Signed-off-by: Daniel Borkmann +Cc: David Bauer +Cc: Ido Schimmel +Cc: Nikolay Aleksandrov +Cc: Martin KaFai Lau +Reviewed-by: Ido Schimmel +Reviewed-by: Nikolay Aleksandrov +Reviewed-by: David Bauer +Signed-off-by: David S. Miller +[ Backport note: vxlan snooping/learning not supported in 6.8 or older, + so commit is simply a revert. 
] +Signed-off-by: Daniel Borkmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vxlan.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -1605,10 +1605,6 @@ static bool vxlan_set_mac(struct vxlan_d + if (ether_addr_equal(eth_hdr(skb)->h_source, vxlan->dev->dev_addr)) + return false; + +- /* Ignore packets from invalid src-address */ +- if (!is_valid_ether_addr(eth_hdr(skb)->h_source)) +- return false; +- + /* Get address from the outer IP header */ + if (vxlan_get_sk_family(vs) == AF_INET) { + saddr.sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
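Review bot: In the drivers/net/vxlan.c hunk the backport deletes the is_valid_ether_addr() check from vxlan_set_mac() outright, whereas the quoted commit message describes the upstream fix as moving that check into vxlan_snoop() so it still applies when source-address learning is enabled. The bracketed backport note explains this is intentional because the snooping path this check would move into does not exist in 5.4, but the effect for readers of the stable tree is that 5.4 returns fully to the pre-f58f45c1e5b9 behaviour: frames whose source MAC is zero or multicast are again accepted by vxlan_set_mac(), including when learning is on. Consider expanding the backport note to say explicitly that no replacement validity check is added in this tree, so anyone relying on the Fixes: reference does not assume the learning-path guard described in the upstream message is present in 5.4. The hunk header "@@ -1605,10 +1605,6 @@" and the "1 file changed, 4 deletions(-)" summary are consistent with the four removed lines shown, and the series entry is appended after nilfs2-fix-use-after-free-of-timer-for-log-writer-thread.patch as expected for a newly queued patch.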