Hi,

this series is intended to avoid false-positives which match truncated packets against flower classifiers which match on:

* zero L4 ports or;
* zero ICMP code or type

This requires updating the flow dissector to return an error in such cases and updating flower to not match on the result of a failed dissection.

In the case of UDP this results in a behavioural change to users of flow_keys_dissector_keys[] and flow_keys_dissector_symmetric_keys[] - dissection will fail on truncated packets where the IP protocol of the packets indicates ports should be present (according to skb_flow_get_ports()).

The last patch of the series builds on the above to allow users to specify a policy for how to handle packets whose dissection fails.

I will separately provide RFC patches to iproute2 to allow exercising the last patch.

Changes between RFCv1 and RFCv2

* Rename new attribute in last patch TCA_FLOWER_META_TRUNCATED after discussion with Jamal.
* Update changelog for "flow dissector" patches to make it clearer what the before and after behaviours are.

Simon Horman (4):
  flow dissector: return error on port dissection under-run
  flow dissector: return error on icmp dissection under-run
  net/sched: cls_flower: do not match if dissection fails
  net/sched: cls_flower: allow control of tree traversal on packet parse errors

 include/linux/skbuff.h       |  11 +++--
 include/uapi/linux/pkt_cls.h |   2 +
 net/core/flow_dissector.c    | 105 ++++++++++++++++++++++++-------------------
 net/sched/cls_flower.c       |  46 ++++++++++++++-----
 4 files changed, 106 insertions(+), 58 deletions(-)

-- 
2.1.4
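
A simplified user-space model of the false positive described in the cover letter above, added here as an illustration and not taken from the patches or the kernel: a truncated L4 header dissects to zeroed ports, so a filter on port 0 matches unless the dissector reports the under-run and the classifier refuses to match on a failed dissection. The struct, function names and sample header bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct ports { uint16_t src, dst; };  /* hypothetical key, host byte order */
typedef int (*dissect_fn)(const uint8_t *, size_t, struct ports *);
/* Constructed sample: UDP header with src 53000, dst 53, length 8. */
static const uint8_t udp_hdr[8] = { 0xcf, 0x08, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00 };

/* "After" model: fewer than 4 port bytes is reported as a dissection error. */
static int dissect_ports_strict(const uint8_t *l4, size_t len, struct ports *key)
{
    memset(key, 0, sizeof(*key));
    if (len < 4)
        return -1;
    key->src = (uint16_t)(l4[0] << 8 | l4[1]);
    key->dst = (uint16_t)(l4[2] << 8 | l4[3]);
    return 0;
}

/* "Before" model: an under-run leaves the key zeroed but reports success. */
static int dissect_ports_lenient(const uint8_t *l4, size_t len, struct ports *key)
{
    (void)dissect_ports_strict(l4, len, key);
    return 0;
}

/* Classifier model: never match on the result of a failed dissection. */
static int classify_dst_port(dissect_fn dissect, const uint8_t *l4, size_t len, uint16_t want)
{
    struct ports key;
    if (dissect(l4, len, &key) < 0)
        return 0;
    return key.dst == want;
}

int main(void)
{
    /* Only 2 of the 4 port bytes are present; the filter wants dst port 0. */
    printf("lenient: %d\n", classify_dst_port(dissect_ports_lenient, udp_hdr, 2, 0));
    printf("strict:  %d\n", classify_dst_port(dissect_ports_strict, udp_hdr, 2, 0));
    return 0;
}
```

With the lenient dissector the truncated packet matches the port-0 filter; with the strict one it does not, while a complete header still matches on its real destination port.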