From a192287cffde87ec226991d4ef85afc69c26ac21 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 12 Jun 2024 15:45:45 +0200 Subject: [PATCH] 5.15-stable patches added patches: vxlan-fix-regression-when-dropping-packets-due-to-invalid-src-addresses.patch --- queue-5.15/series | 1 + ...packets-due-to-invalid-src-addresses.patch | 62 +++++++++++++++++++ 2 files changed, 63 insertions(+) create mode 100644 queue-5.15/vxlan-fix-regression-when-dropping-packets-due-to-invalid-src-addresses.patch diff --git a/queue-5.15/series b/queue-5.15/series index 812db041ef8..af0596e3d40 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -345,3 +345,4 @@ afs-don-t-cross-.backup-mountpoint-from-backup-volume.patch nilfs2-fix-use-after-free-of-timer-for-log-writer-thread.patch revert-drm-amdgpu-init-iommu-after-amdkfd-device-init.patch mptcp-fix-full-tcp-keep-alive-support.patch +vxlan-fix-regression-when-dropping-packets-due-to-invalid-src-addresses.patch diff --git a/queue-5.15/vxlan-fix-regression-when-dropping-packets-due-to-invalid-src-addresses.patch b/queue-5.15/vxlan-fix-regression-when-dropping-packets-due-to-invalid-src-addresses.patch new file mode 100644 index 00000000000..e424edcc3ef --- /dev/null +++ b/queue-5.15/vxlan-fix-regression-when-dropping-packets-due-to-invalid-src-addresses.patch 
@@ -0,0 +1,62 @@ +From 1cd4bc987abb2823836cbb8f887026011ccddc8a Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Mon, 3 Jun 2024 10:59:26 +0200 +Subject: vxlan: Fix regression when dropping packets due to invalid src addresses + +From: Daniel Borkmann + +commit 1cd4bc987abb2823836cbb8f887026011ccddc8a upstream. + +Commit f58f45c1e5b9 ("vxlan: drop packets from invalid src-address") +has recently been added to vxlan mainly in the context of source +address snooping/learning so that when it is enabled, an entry in the +FDB is not being created for an invalid address for the corresponding +tunnel endpoint. + +Before commit f58f45c1e5b9 vxlan was similarly behaving as geneve in +that it passed through whichever macs were set in the L2 header. It +turns out that this change in behavior breaks setups, for example, +Cilium with netkit in L3 mode for Pods as well as tunnel mode has been +passing before the change in f58f45c1e5b9 for both vxlan and geneve. +After mentioned change it is only passing for geneve as in case of +vxlan packets are dropped due to vxlan_set_mac() returning false as +source and destination macs are zero which for E/W traffic via tunnel +is totally fine. + +Fix it by only opting into the is_valid_ether_addr() check in +vxlan_set_mac() when in fact source address snooping/learning is +actually enabled in vxlan. This is done by moving the check into +vxlan_snoop(). With this change, the Cilium connectivity test suite +passes again for both tunnel flavors. + +Fixes: f58f45c1e5b9 ("vxlan: drop packets from invalid src-address") +Signed-off-by: Daniel Borkmann +Cc: David Bauer +Cc: Ido Schimmel +Cc: Nikolay Aleksandrov +Cc: Martin KaFai Lau +Reviewed-by: Ido Schimmel +Reviewed-by: Nikolay Aleksandrov +Reviewed-by: David Bauer +Signed-off-by: David S. Miller +[ Backport note: vxlan snooping/learning not supported in 6.8 or older, + so commit is simply a revert. 
] +Signed-off-by: Daniel Borkmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vxlan/vxlan_core.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/net/vxlan/vxlan_core.c ++++ b/drivers/net/vxlan/vxlan_core.c +@@ -1779,10 +1779,6 @@ static bool vxlan_set_mac(struct vxlan_d + if (ether_addr_equal(eth_hdr(skb)->h_source, vxlan->dev->dev_addr)) + return false; + +- /* Ignore packets from invalid src-address */ +- if (!is_valid_ether_addr(eth_hdr(skb)->h_source)) +- return false; +- + /* Get address from the outer IP header */ + if (vxlan_get_sk_family(vs) == AF_INET) { + saddr.sin.sin_addr.s_addr = ip_hdr(skb)->saddr; -- 2.47.3
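Review bot: in the vxlan_core.c hunk the three-line is_valid_ether_addr() check is removed from vxlan_set_mac() but, unlike the upstream commit described in the message, nothing is added to vxlan_snoop() in its place, so on 5.15 the invalid source MAC check disappears entirely rather than becoming conditional on snooping/learning. The bracketed backport note does say the commit "is simply a revert" because snooping/learning is not supported in 6.8 or older, which is the justification, but it would help anyone auditing the stable tree to state the consequence plainly: after this patch 5.15 accepts frames with zero or multicast source MACs through the tunnel, which is the pre-f58f45c1e5b9 behaviour and the one the message argues is correct for E/W traffic. The series hunk is consistent with the new file name and needs no change.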