possibly fix clat ingress nat64 drop
Due to try_make_writable's implementation:
// try to make the 1st 'len' header bytes r/w via DPA
void try_make_writable(struct __sk_buff* skb, int len) {
if (len > skb->len) len = skb->len;
if (skb->data_end - skb->data < len) bpf_skb_pull_data(skb, len);
}
This *should* normally result in nothing actually being done.
This is because the 'len' we request should trivially be <= skb->len
(by virtue of how we construct the packet / get here),
and because skb->data_end - skb->data < len was previously
(to this patch) already checked below in line 251
(and thus the packet would have been dropped if it was false).
However, there's a tentative theory that we could somehow end up
with the entire payload in the non-linear portion of the packet,
and thus need to move it into the linear header portion where
we actually have direct packet access to it.
Note also that we already called this in line 71, so it should
be safe to add another call without causing bpf verifier unhappiness...
Test: TreeHugger
Bug: 298879031
Signed-off-by: Maciej Żenczykowski <maze@google.com
Change-Id: If3531c3cf6932ac3f1d384a43d28326d17544aa3
diff --git a/bpf_progs/clatd.c b/bpf_progs/clatd.c
index a104084..8f0ff84 100644
--- a/bpf_progs/clatd.c
+++ b/bpf_progs/clatd.c
@@ -240,6 +240,8 @@
return TC_ACT_SHOT;
}
+ try_make_writable(skb, l2_header_size + sizeof(struct iphdr));
+
// bpf_skb_change_proto() invalidates all pointers - reload them.
data = (void*)(long)skb->data;
data_end = (void*)(long)skb->data_end;