
bpf: policy: fix handling of ICMPv6 packet with extension headers #24797

Merged
merged 1 commit into from
Apr 11, 2023

Conversation

julianwiedmann
Member

After walking the IPv6 extension headers, ipv6_hdrlen() returns the L4 proto type in nexthdr parameter. If we pass in a pointer to the IPv6 header's nexthdr field, then the actual packet content is changed and subsequent processing of the packet is broken (because we treat the first IPv6 extension header as an ICMPv6 header).

So even if we don't care about the L4 proto type (because we already know that it's ICMPv6), we still need to provide some stack space to store the nexthdr.

This only becomes relevant when ENABLE_ICMP_RULE is set, which is currently controlled by a hidden agent flag.

Fixes: d49311c ("policy: Add bpf ICMP policy support with the "ENABLE_ICMP_POLICY" flag")

After walking the IPv6 extension headers, ipv6_hdrlen() returns the L4
proto type in `nexthdr` parameter. If we pass in a pointer to the IPv6
header's nexthdr field, then the actual packet content is changed and
subsequent processing of the packet is broken (because we treat the first
IPv6 extension header as an ICMPv6 header).

So even if we don't care about the L4 proto type (because we already know
that it's ICMPv6), we still need to provide some stack space to store the
`nexthdr`.

This only becomes relevant when ENABLE_ICMP_RULE is set, which is
currently controlled by a hidden agent flag.

Fixes: d49311c ("policy: Add bpf ICMP policy support with the "ENABLE_ICMP_POLICY" flag")
Signed-off-by: Julian Wiedmann <jwi@isovalent.com>
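The aliasing problem described above, as an added illustration for this page (example code, not Cilium's datapath code): a simplified IPv6 extension-header walk with the same output-parameter contract the PR relies on, returning the header length and writing the L4 protocol through `*nexthdr`. The struct layouts, the `ipv6_hdrlen_demo()` stand-in and the constructed sample packet are assumptions made for the demo; the real `ipv6_hdrlen()` works on a ctx buffer and is not reproduced here. The `buggy=1` path passes a pointer into the packet's own header, so the walk overwrites the fixed header's nexthdr (Hop-by-Hop, 0) with 58 and a later re-parse reads the Hop-by-Hop header as ICMPv6; the `buggy=0` path stores the result in a stack variable and the packet stays intact.

```c
/* Added example for this page, not code from the Cilium tree: a simplified
 * IPv6 extension-header walk with the output-parameter contract the PR
 * describes (header length returned, L4 proto written through *nexthdr).
 * Struct layouts and ipv6_hdrlen_demo() are assumptions for the demo, not
 * the datapath's real ipv6_hdrlen() or its ctx API. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NEXTHDR_HOP     0   /* Hop-by-Hop options */
#define NEXTHDR_ICMPV6  58
#define NEXTHDR_DEST    60  /* Destination options */

struct ipv6hdr_min {        /* 40-byte fixed header */
    uint8_t version_tc_fl[4], payload_len[2], nexthdr, hop_limit;
    uint8_t saddr[16], daddr[16];
};

struct ipv6_opt_hdr {       /* common prefix of option-style ext headers */
    uint8_t nexthdr;
    uint8_t hdrlen;         /* 8-octet units, not counting the first 8 */
};

/* Walk the chain; return total header length in bytes and store the final
 * (L4) protocol through *nexthdr, or -1 if the packet is truncated. */
static int ipv6_hdrlen_demo(const uint8_t *pkt, size_t len, uint8_t *nexthdr)
{
    size_t off = sizeof(struct ipv6hdr_min);
    uint8_t nh;

    if (len < off)
        return -1;
    nh = ((const struct ipv6hdr_min *)pkt)->nexthdr;
    while (nh == NEXTHDR_HOP || nh == NEXTHDR_DEST) {   /* subset for the demo */
        const struct ipv6_opt_hdr *opt = (const struct ipv6_opt_hdr *)(pkt + off);

        if (len < off + sizeof(*opt))
            return -1;
        nh = opt->nexthdr;
        off += ((size_t)opt->hdrlen + 1) * 8;
        if (off > len)
            return -1;
    }
    *nexthdr = nh;
    return (int)off;
}

/* Constructed sample: IPv6 | Hop-by-Hop (8 bytes, PadN) | ICMPv6 echo request.
 * Returns the packet length, or 0 if the buffer is too small. */
static size_t build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t hbh[8]   = { NEXTHDR_ICMPV6, 0, 1, 4, 0, 0, 0, 0 };
    static const uint8_t icmp6[8] = { 128, 0, 0, 0, 0, 1, 0, 1 };
    struct ipv6hdr_min ip6 = { { 0x60, 0, 0, 0 }, { 0, 16 }, NEXTHDR_HOP, 64, { 0 }, { 0 } };
    size_t n = sizeof(ip6) + sizeof(hbh) + sizeof(icmp6);

    if (cap < n)
        return 0;
    memcpy(buf, &ip6, sizeof(ip6));
    memcpy(buf + sizeof(ip6), hbh, sizeof(hbh));
    memcpy(buf + sizeof(ip6) + sizeof(hbh), icmp6, sizeof(icmp6));
    return n;
}

/* Stand-in for "subsequent processing": an independent re-parse returning the
 * byte it takes to be the ICMPv6 type, or -1 if L4 is not ICMPv6. */
static int icmp6_type_by_reparse(const uint8_t *pkt, size_t len)
{
    uint8_t nh;
    int off = ipv6_hdrlen_demo(pkt, len, &nh);

    if (off < 0 || nh != NEXTHDR_ICMPV6 || (size_t)off >= len)
        return -1;
    return pkt[off];
}

/* The ICMPv6 policy step the PR fixes, followed by the re-parse.
 * buggy=1: the output pointer aliases the packet's own nexthdr field, so the
 * walk overwrites it with 58 and the re-parse reads the Hop-by-Hop header as
 * ICMPv6 (type byte 58 instead of 128).
 * buggy=0: a stack variable receives the L4 proto and the packet stays intact.
 * Returns the type byte seen by the re-parse; *nexthdr_after (optional) gets
 * the fixed header's nexthdr byte afterwards (0 intact, 58 corrupted). */
static int classify_icmp6(int buggy, int *nexthdr_after)
{
    uint8_t pkt[64], nexthdr;
    size_t len = build_sample(pkt, sizeof(pkt));
    struct ipv6hdr_min *ip6 = (struct ipv6hdr_min *)pkt;

    if (!len || ipv6_hdrlen_demo(pkt, len, buggy ? &ip6->nexthdr : &nexthdr) < 0)
        return -1;
    if (nexthdr_after)
        *nexthdr_after = ip6->nexthdr;
    return icmp6_type_by_reparse(pkt, len);
}

/* Convenience wrappers with a single return value each. */
static int type_seen(int buggy) { return classify_icmp6(buggy, NULL); }
static int nexthdr_seen(int buggy) { int nh = -1; classify_icmp6(buggy, &nh); return nh; }

int main(void)
{
    printf("fixed: type=%d nexthdr=%d\n", type_seen(0), nexthdr_seen(0));
    printf("buggy: type=%d nexthdr=%d\n", type_seen(1), nexthdr_seen(1));
    return 0;
}
```

With the fix the re-parse lands on the real ICMPv6 header (type 128) and the fixed header still says Hop-by-Hop; with the bug the header byte itself is rewritten to 58, so every later stage that re-walks the packet starts from a corrupted chain. The general lesson for any parser with an out-parameter is the same: never hand it a pointer into the buffer it is parsing.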
@julianwiedmann julianwiedmann added kind/bug This is a bug in the Cilium logic. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. feature/ipv6 Relates to IPv6 protocol support labels Apr 10, 2023
@julianwiedmann julianwiedmann requested a review from a team as a code owner April 10, 2023 15:44
@julianwiedmann
Member Author

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 11, 2023
@julianwiedmann julianwiedmann merged commit a269948 into cilium:master Apr 11, 2023
43 checks passed
@julianwiedmann julianwiedmann deleted the 1.14-bpf-policy-icmpv6 branch April 11, 2023 14:26
@pchaigno
Member

This only becomes relevant when ENABLE_ICMP_RULE is set, which is currently controlled by a hidden agent flag.

Note that flag is enabled by default.

@julianwiedmann
Member Author

This only becomes relevant when ENABLE_ICMP_RULE is set, which is currently controlled by a hidden agent flag.

Note that flag is enabled by default.

ha, completely missed that (and doesn't make sense at all to me 😺). Thanks!
Then we should backport this thing ...

@julianwiedmann julianwiedmann added needs-backport/1.11 needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Apr 11, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.13.2 Apr 11, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.12.9 Apr 11, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.11.16 Apr 11, 2023
@pchaigno
Member

and doesn't make sense at all to me 😺

It's a new beta feature, so we want to be able to disable it in user environments if there's a regression affecting more than just the ICMP policies. Long term, we want it to be always enabled, like other network policy features (e.g., deny policies).

Also worth noting that this feature wasn't enabled until recently (unsure which exact version) because it was affected by a complexity issue before then.

@pchaigno pchaigno mentioned this pull request Apr 11, 2023
@pchaigno pchaigno added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Apr 11, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.13 in 1.13.2 Apr 11, 2023
@pchaigno pchaigno mentioned this pull request Apr 11, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from master to Backport pending to v1.12 in 1.12.9 Apr 11, 2023
@pchaigno
Member

Removing from v1.11 backports given it conflicts and ICMP policies were disabled there.

@maintainer-s-little-helper maintainer-s-little-helper bot removed this from Needs backport from master in 1.11.16 Apr 11, 2023
@gandro gandro added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Apr 12, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.13 to Backport done to v1.13 in 1.13.2 Apr 12, 2023
@gandro gandro added backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. and removed backport-pending/1.12 labels Apr 12, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Backport pending to v1.12 to Backport done to v1.12 in 1.12.9 Apr 12, 2023