From: Stephen Hemminger <stephen@networkplumber.org>
To: netdev@vger.kernel.org
Subject: Fw: [Bug 216557] New: tcp connection not working over ip_vti interface
Date: Fri, 7 Oct 2022 14:17:51 -0700 [thread overview]
Message-ID: <20221007141751.1336e50b@hermes.local> (raw)
Begin forwarded message:
Date: Fri, 07 Oct 2022 20:51:12 +0000
From: bugzilla-daemon@kernel.org
To: stephen@networkplumber.org
Subject: [Bug 216557] New: tcp connection not working over ip_vti interface
https://bugzilla.kernel.org/show_bug.cgi?id=216557
Bug ID: 216557
Summary: tcp connection not working over ip_vti interface
Product: Networking
Version: 2.5
Kernel Version: 5.15.53
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: high
Priority: P1
Component: IPV4
Assignee: stephen@networkplumber.org
Reporter: monil191989@gmail.com
Regression: No
TCP protocol is not working, when ipsec tunnel has been setup and ip_vti tunnel
is used for route based ipsec.
After the below changes merged with latest kernel. xfrm4_policy_check in
tcp_v4_rcv drops all packets except first syn packet under XfrmInTmplMismatch
when local destined packets are received over ip_vti tunnel.
author Eyal Birger <eyal.birger@gmail.com> 2022-05-13 23:34:02 +0300
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-05-25
09:57:30 +0200
commit 952c2464963895271c31698970e7ec1ad6f0fe45 (patch)
tree 9e8300c45a0eb5a9555eae017f8ae561f3e8bc51 /include/net/xfrm.h
parent 36d8cca5b46fe41b59f8011553495ede3b693703 (diff)
download linux-952c2464963895271c31698970e7ec1ad6f0fe45.tar.gz
xfrm: fix "disable_policy" flag use when arriving from different devices
setup:
1) create road warrior ipsec tunnel with local ip x.x.x.x remote ip y.y.y.y.
2) create vti interface using ip tunnel add vti_test local x.x.x.x remote
y.y.y.y mode vti
3) echo 1 > /proc/sys/net/ipv4/conf/vti_test/disable_policy
4) Add default route over vti_test.
5) ping remote ip, ping works.
6) ssh remote ip, ssh dont work. check tcp connection not working.
Root cause:
-> with above mentioned commit, now xfrm4_policy_check depends on skb's
IPSKB_NOPOLICY flag which need to be set per skb and it only gets set in
ip_route_input_noref .
-> before above change, xfrm4_policy_check was using DST_NOPOLICY which was
checked against dst set in skb.
-> ip_rcv_finish_core calls ip_route_input_noref only if dst is not valid in
skb.
-> By default in kernel sysctl_ip_early_demux = 1, which means when skb with
syn is received, tcp stack will set DST from skb to sk and in subsequent
packets it will copy dst from sk to skb and skip calling ip_route_input_nore
inside ip_rcv_finish_core.
-> so for all the subsequent received packets, IPSKB_NOPOLICY will not get set
and they will get drop.
workaround:
only work-aroud is to disable early tcp demux.
echo 0 > /proc/sys/net/ipv4/ip_early_demux
--
You may reply to this email to add a comment.
You are receiving this mail because:
You are the assignee for the bug.
next reply other threads:[~2022-10-07 21:18 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-07 21:17 Stephen Hemminger [this message]
2022-10-11 9:03 ` Fw: [Bug 216557] New: tcp connection not working over ip_vti interface #forregzbot Thorsten Leemhuis
2022-11-15 9:58 ` Thorsten Leemhuis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221007141751.1336e50b@hermes.local \
--to=stephen@networkplumber.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).