lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 11 Aug 2016 22:41:32 +0300
From:	Shmulik Ladkani <shmulik.ladkani@...il.com>
To:	David Miller <davem@...emloft.net>
Cc:	wenxu@...oud.cn, kuznet@....inr.ac.ru, jmorris@...ei.org,
	kaber@...sh.net, yoshfuji@...ux-ipv6.org, netdev@...r.kernel.org,
	wenx05124561@....com, hannes@...essinduktion.org
Subject: Re: [PATCH] net: ip_finish_output_gso: If skb_gso_network_seglen
 exceeds MTU, allow segmentation for gre tunneled skbs

On Wed, 10 Aug 2016 17:35:11 -0700 (PDT) David Miller <davem@...emloft.net> wrote:
> > commit b8247f095edd ("net: ip_finish_output_gso: If skb_gso_network_seglen
> > exceeds MTU, allow segmentation for local udp tunneled skbs")
> > 
> > Given:
> >      - tap0 and ovs-gre
> >      - ovs-gre stacked on eth0, eth0 having the small mtu
> > 
> > After encapsulation these skbs have skb_gso_network_seglen that exceed
> > eth0's ip_skb_dst_mtu. So the finnal each segment would be larger than
> > eth0 mtu. These packets maybe dropped.
> > 
> > It has the same problem if tap0 bridge with ipgre or gretap device. So
> > the IPSKB_FRAG_SEGS flags should also be set in gre tunneled skbs.
> > 
> > Signed-off-by: wenxu <wenxu@...oud.cn>  
> 
> I am rather certain that this test is intentionally restricted to
> UDP tunnel endpoints, because GRE and other tunnel types are PMTU safe.
> 
> Hannes and Shmulik?

It was restricted to UDP tun encaps per Hannes' suggestion, in order to
scope the change, as Hannes hinted gre and ipip are pmtu-safe, see [1].

Glancing at ip_tunnel_xmit() --> tnl_update_pmtu(), they do seem to
handle PMTU, but - if I understand correctly - only in the !skb_is_gso
case.
(since 68c3316311 "v4 GRE: Add TCP segmentation offload for GRE")

This is probably due the same hidden assumption that 'gso_size' will be
suitable for the egress mtu even after encapsulation, which does not
hold true in some usecases as described in [2].

Therefore it might be that b8247f095edd needs to be augmented for
non-udp tunnels as well.

Hannes?

[1] http://www.spinics.net/lists/netdev/msg386447.html
[2] http://www.spinics.net/lists/netdev/msg385776.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ