lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 19 Dec 2013 08:20:35 +0200
From:	Or Gerlitz <or.gerlitz@...il.com>
To:	Stephen Hemminger <stephen@...workplumber.org>
Cc:	Wei-Chun Chao <weichunc@...mgrid.com>, davem <davem@...emloft.net>,
	"eric.dumazet" <eric.dumazet@...il.com>,
	Alexei Starovoitov <ast@...mgrid.com>,
	netdev <netdev@...r.kernel.org>,
	"joseph.gasparakis" <joseph.gasparakis@...el.com>
Subject: Re: [PATCH net-next] ipv4: fix tunneled VM traffic over hw VXLAN/GRE
 GSO NIC

On Thu, Dec 19, 2013 at 4:05 AM, Stephen Hemminger
<stephen@...workplumber.org> wrote:
>
> On Wed, 18 Dec 2013 17:51:25 -0800
> Wei-Chun Chao <weichunc@...mgrid.com> wrote:
>
> > On Wed, Dec 18, 2013 at 4:35 PM, Stephen Hemminger
> > <stephen@...workplumber.org> wrote:
> > > On Wed, 18 Dec 2013 11:02:48 -0800
> > > Wei-Chun Chao <weichunc@...mgrid.com> wrote:
> > >
> > >> This is also seen on 'net'.
> > >>
> > >> VM to VM GSO traffic is broken if it goes through VXLAN or GRE
> > >> tunnel and the physical NIC on the host supports hardware VXLAN/GRE
> > >> GSO offload (e.g. bnx2x and next-gen mlx4).
> > >>
> > >> Two issues -
> > >> (VXLAN) VM traffic has SKB_GSO_DODGY and SKB_GSO_UDP_TUNNEL with
> > >> SKB_GSO_TCP/UDP set depending on the inner protocol. GSO header
> > >> integrity check fails in udp4_ufo_fragment if inner protocol is
> > >> TCP. Also gso_segs is calculated incorrectly using skb->len that
> > >> includes tunnel header. Fix: robust check should only be applied
> > >> to the inner packet.
> > >>
> > >> (VXLAN & GRE) Once GSO header integrity check passes, NULL segs
> > >> is returned and the original skb is sent to hardware. However the
> > >> tunnel header is already pulled. Fix: tunnel header needs to be
> > >> restored so that hardware can perform GSO properly on the original
> > >> packet.
> > >>
> > >> Signed-off-by: Wei-Chun Chao <weichunc@...mgrid.com>
> > >> ---
> > >
> > > Is there someway the tunnel could fixup the GSO bits?
> >
> > Thanks, Stephen.
> >
> > You meant handling DODGY bit (and unsetting it) before GRE and VXLAN
> > encap? I guess we can do
> >
> >     if (skb_shinfo(skb)->gso_type & SKB_GSO_DODGY) {
> >         skb_shinfo(skb)->gso_segs = DIV_ROUND_UP(skb->len, mss);
> >         skb_shinfo(skb)->gso_type &= ~(SKB_GSO_DODGY);
> >     }
> >
> >
> > in handle_offloads(vxlan.c) and gre_handle_offloads(gre.h). We will
> > save the overhead to pull and push the tunnel header later. Though
> > since skb->dev is not known at this time yet, this will be done
> > unconditionally unlike before (done only when skb_gso_ok return true).
>
> I was hoping more that generic tunnel code could just do software UFO/GSO
> for now, and when somebody has hardware that handles nested GSO they could
> provide a feature flag mechanism.


Can you elaborate what do you mean by "nested GSO"? there are few
upstream drivers that support  GSO_UDP_TUNNEL and I have submitted
mlx4 that does  that too. When running over such netdevice we very
much don't want software UFO/GSO to come into play
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ