Re: [PATCH] [RFC] Support for wccp version 1 and 2 in ip_gre.c
From: David S. Miller
Date: Wed Sep 15 2004 - 00:49:31 EST
On Tue, 14 Sep 2004 18:48:20 +1000
Lincoln Dale <ltd@xxxxxxxxx> wrote:
> the logic is correct, but it may make sense to call the appropriate
> netfilter hook again with the "unwrapped" GRE packet, as otherwise
> packets-inside-GRE represent a possible security hole where one can inject
> packets externally and bypass firewall rules.
This will occur when we push the packet back into the
RX path via the netif_rx() call.
Paul if you want to fix up the comment, that's fine.
But please send such a patch relative to what I put
into the tree already which is the following:
# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
# 2004/09/13 16:04:36-07:00 i@xxxxxxxxxx
# [IPV4]: Add wccp v1/v2 support to ip_gre.c
#
# Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
#
# net/ipv4/ip_gre.c
# 2004/09/13 16:04:06-07:00 i@xxxxxxxxxx +12 -1
# [IPV4]: Add wccp v1/v2 support to ip_gre.c
#
# include/linux/if_ether.h
# 2004/09/13 16:04:06-07:00 i@xxxxxxxxxx +2 -0
# [IPV4]: Add wccp v1/v2 support to ip_gre.c
#
diff -Nru a/include/linux/if_ether.h b/include/linux/if_ether.h
--- a/include/linux/if_ether.h 2004-09-14 22:27:39 -07:00
+++ b/include/linux/if_ether.h 2004-09-14 22:27:39 -07:00
@@ -59,6 +59,8 @@
#define ETH_P_8021Q 0x8100 /* 802.1Q VLAN Extended Header */
#define ETH_P_IPX 0x8137 /* IPX over DIX */
#define ETH_P_IPV6 0x86DD /* IPv6 over bluebook */
+#define ETH_P_WCCP 0x883E /* Web-cache coordination protocol
+ * defined in draft-wilson-wrec-wccp-v2-00.txt */
#define ETH_P_PPP_DISC 0x8863 /* PPPoE discovery messages */
#define ETH_P_PPP_SES 0x8864 /* PPPoE session messages */
#define ETH_P_MPLS_UC 0x8847 /* MPLS Unicast traffic */
diff -Nru a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
--- a/net/ipv4/ip_gre.c 2004-09-14 22:27:39 -07:00
+++ b/net/ipv4/ip_gre.c 2004-09-14 22:27:39 -07:00
@@ -603,13 +603,24 @@
if ((tunnel = ipgre_tunnel_lookup(iph->saddr, iph->daddr, key)) != NULL) {
secpath_reset(skb);
+ skb->protocol = *(u16*)(h + 2);
+ /* WCCP version 1 and 2 protocol decoding.
+ * - Change protocol to IP
+ * - When dealing with WCCPv2, Skip extra 4 bytes in GRE header
+ */
+ if (flags == 0 &&
+ skb->protocol == __constant_htons(ETH_P_WCCP)) {
+ skb->protocol = __constant_htons(ETH_P_IP);
+ if ((*(h + offset) & 0xF0) != 0x40)
+ offset += 4;
+ }
+
skb->mac.raw = skb->nh.raw;
skb->nh.raw = __pskb_pull(skb, offset);
memset(&(IPCB(skb)->opt), 0, sizeof(struct ip_options));
if (skb->ip_summed == CHECKSUM_HW)
skb->csum = csum_sub(skb->csum,
csum_partial(skb->mac.raw, skb->nh.raw-skb->mac.raw, 0));
- skb->protocol = *(u16*)(h + 2);
skb->pkt_type = PACKET_HOST;
#ifdef CONFIG_NET_IPGRE_BROADCAST
if (MULTICAST(iph->daddr)) {
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/