author Guillaume Nault <gnault@redhat.com> 2022-02-10 13:24:51 +0100
committer David S. Miller <davem@davemloft.net> 2022-02-10 15:33:33 +0000
commit dc513a405cade3e47bcda8de27c7a7bf6eeddd18 (patch)
tree 3c97084ee5216f7e3306006e51f245411b4a25e3
parent 4b0385bc8e6a52797602196714f9a77f62cd540d (diff)
ipv4: Reject again rules with high DSCP values

Commit 563f8e97e054 ("ipv4: Stop taking ECN bits into account in fib4-rules") replaced the validation test on frh->tos. While the new test is stricter for ECN bits, it doesn't detect the use of high order DSCP bits. This would be fine if IPv4 could properly handle them. But currently, most IPv4 lookups are done with the three high DSCP bits masked. Therefore, using these bits doesn't lead to the expected result.

Let's reject such configurations again, so that nobody starts to use and make any assumption about how the stack handles the three high order DSCP bits in fib4 rules.

Fixes: 563f8e97e054 ("ipv4: Stop taking ECN bits into account in fib4-rules")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- net/ipv4/fib_rules.c 5
1 files changed, 5 insertions, 0 deletions
diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
index 117c48571cf0..001fea394bde 100644
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -231,6 +231,11 @@ static int fib4_rule_configure(struct fib_rule *rule, struct sk_buff *skb,
"Invalid dsfield (tos): ECN bits must be 0");
goto errout;
}
+ /* IPv4 currently doesn't handle high order DSCP bits correctly */
+ if (frh->tos & ~IPTOS_TOS_MASK) {
+ NL_SET_ERR_MSG(extack, "Invalid tos");
+ goto errout;
+ }
rule4->dscp = inet_dsfield_to_dscp(frh->tos);
/* split local/main if they are not already split */
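Review bot: The extack string in the added NL_SET_ERR_MSG call, "Invalid tos", tells the user less than the check directly above it, which reports "Invalid dsfield (tos): ECN bits must be 0". Because this test rejects rules that were accepted after 563f8e97e054, a failed rule add should be diagnosable from the netlink error alone; consider a message in the same style that names the constraint, for example "Invalid dsfield (tos): high order DSCP bits must be 0". The comment above the test could also state the reason given in the commit message, that most IPv4 lookups mask the three high DSCP bits, rather than only saying they are not handled correctly, so a later reader knows what has to change before the check can be dropped.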