* [PATCH net] macvlan: filter out xfrm feature flags
@ 2018-03-06 22:57 Shannon Nelson
2018-03-08 17:33 ` David Miller
0 siblings, 1 reply; 3+ messages in thread
From: Shannon Nelson @ 2018-03-06 22:57 UTC (permalink / raw)
To: davem, netdev, steffen.klassert
Adding a macvlan device on top of a lowerdev that supports
the xfrm offloads fails.
# ip link add link ens1f0 mv0 type macvlan
RTNETLINK answers: Operation not permitted
Tracing down the failure shows that the macvlan device inherits
the NETIF_F_HW_ESP and NETIF_F_HW_ESP_TX_CSUM feature flags from
the lowerdev, but doesn't actually support xfrm so doesn't have
the dev->xfrmdev_ops API filled in. When the request is made
to add the new macvlan device, the various feature flags are
checked by the feature subsystems, and the xfrm_api_check()
fails the check since the dev->xfrmdev_ops are not set up.
The macvlan creation succeeds when we filter out those flags
in macvlan_fix_features().
This isn't broken for vlans because they use a separate features
connection (vlan_features) for inheriting features. This is
fine, but I don't think trying to add something like this to
every driver for every new upperdev is a good idea - I think
the upperdev should try to protect itself.
Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")
Signed-off-by: Shannon Nelson <shannon.nelson@oracle.com>
---
drivers/net/macvlan.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
index 8fc02d9..76b8fb5 100644
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -844,6 +844,10 @@ static struct lock_class_key macvlan_netdev_addr_lock_key;
NETIF_F_TSO_ECN | NETIF_F_TSO6 | NETIF_F_GRO | NETIF_F_RXCSUM | \
NETIF_F_HW_VLAN_CTAG_FILTER | NETIF_F_HW_VLAN_STAG_FILTER)
+#define MACVLAN_NON_FEATURES \
+ (NETIF_F_HW_ESP | NETIF_F_HW_ESP_TX_CSUM | NETIF_F_GSO_ESP | \
+ NETIF_F_NETNS_LOCAL)
+
#define MACVLAN_STATE_MASK \
((1<<__LINK_STATE_NOCARRIER) | (1<<__LINK_STATE_DORMANT))
@@ -1036,7 +1040,7 @@ static netdev_features_t macvlan_fix_features(struct net_device *dev,
lowerdev_features &= (features | ~NETIF_F_LRO);
features = netdev_increment_features(lowerdev_features, features, mask);
features |= ALWAYS_ON_FEATURES;
- features &= ~NETIF_F_NETNS_LOCAL;
+ features &= ~MACVLAN_NON_FEATURES;
return features;
}
--
2.7.4
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH net] macvlan: filter out xfrm feature flags
2018-03-06 22:57 [PATCH net] macvlan: filter out xfrm feature flags Shannon Nelson
@ 2018-03-08 17:33 ` David Miller
2018-03-08 23:34 ` Shannon Nelson
0 siblings, 1 reply; 3+ messages in thread
From: David Miller @ 2018-03-08 17:33 UTC (permalink / raw)
To: shannon.nelson; +Cc: netdev, steffen.klassert
From: Shannon Nelson <shannon.nelson@oracle.com>
Date: Tue, 6 Mar 2018 14:57:08 -0800
> This isn't broken for vlans because they use a separate features
> connection (vlan_features) for inheriting features. This is
> fine, but I don't think trying to add something like this to
> every driver for every new upperdev is a good idea - I think
> the upperdev should try to protect itself.
I think this fix is correct.
But for how many upperdevs are we going to duplicate code like this,
and how many subtle differences and in fact bugs will result from all
of that duplication?
I think we really need something common for these upperdev drivers
to use. Maybe just a macro defining feature bits to trim in this
situation.
Thanks.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net] macvlan: filter out xfrm feature flags
2018-03-08 17:33 ` David Miller
@ 2018-03-08 23:34 ` Shannon Nelson
0 siblings, 0 replies; 3+ messages in thread
From: Shannon Nelson @ 2018-03-08 23:34 UTC (permalink / raw)
To: David Miller; +Cc: netdev, steffen.klassert
On 3/8/2018 9:33 AM, David Miller wrote:
> From: Shannon Nelson <shannon.nelson@oracle.com>
> Date: Tue, 6 Mar 2018 14:57:08 -0800
>
>> This isn't broken for vlans because they use a separate features
>> connection (vlan_features) for inheriting features. This is
>> fine, but I don't think trying to add something like this to
>> every driver for every new upperdev is a good idea - I think
>> the upperdev should try to protect itself.
>
> I think this fix is correct.
>
> But for how many upperdevs are we going to duplicate code like this,
> and how many subtle differences and in fact bugs will result from all
> of that duplication?
>
> I think we really need something common for these upperdev drivers
> to use. Maybe just a macro defining feature bits to trim in this
> situation.
>
> Thanks.
Thanks, Dave. Yes, this could use something a little more generic,
something that would catch any future "dangerous" bits.
I'm not sure we can come up with a generic mask to be used by everyone,
as each upper and lower dev has their own feature support levels. But
we might come up with a better example for others to follow.
Rather than calling out specific non-supported bits, we can probably
just build a mask from bits that we already know are supported,
something like this:
features &= (ALWAYS_ON_FEATURES | MACVLAN_FEATURES);
which would take care of NETIF_F_NETNS_LOCAL, the ESP flags, and
anything else that wasn't already specifically called for. I'll repost
with this and see what folks think.
sln
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-03-08 23:34 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-03-06 22:57 [PATCH net] macvlan: filter out xfrm feature flags Shannon Nelson
2018-03-08 17:33 ` David Miller
2018-03-08 23:34 ` Shannon Nelson
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.