lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1d483071-a699-8b90-096d-196415c99dca@chinatelecom.cn>
Date:   Fri, 7 Jan 2022 16:13:04 +0800
From:   孙守鑫 <sunshouxin@...natelecom.cn>
To:     Jay Vosburgh <jay.vosburgh@...onical.com>
Cc:     vfalico@...il.com, andy@...yhouse.net, davem@...emloft.net,
        kuba@...nel.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, huyd12@...natelecom.cn
Subject: Re: [PATCH v5] net: bonding: Add support for IPV6 ns/na to
 balance-alb/balance-tlb mode


Hi guys

Any comment?

thanks a lot.


在 2022/1/4 16:35, 孙守鑫 写道:
>
> Any comments will be appreciated.
>
>
> 在 2021/12/28 11:01, 孙守鑫 写道:
>>
>> 在 2021/12/28 4:36, Jay Vosburgh 写道:
>>> Sun Shouxin <sunshouxin@...natelecom.cn> wrote:
>>>
>>>> Since ipv6 neighbor solicitation and advertisement messages
>>>> isn't handled gracefully in bonding6 driver, we can see packet
>>>> drop due to inconsistency bewteen mac address in the option
>>>> message and source MAC .
>>>>
>>>> Another examples is ipv6 neighbor solicitation and advertisement
>>>> messages from VM via tap attached to host brighe, the src mac
>>>> mighe be changed through balance-alb mode, but it is not synced
>>>> with Link-layer address in the option message.
>>>>
>>>> The patch implements bond6's tx handle for ipv6 neighbor
>>>> solicitation and advertisement messages.
>>>     I'm not sure what you've changed here for v5 as there's no
>>> changelog, but I believe the observed problems to be a transmit side
>>> effect (i.e., it is induced by the balance-tlb mode balancing of
>>> outgoing traffic).  As such, the tlb side will rebalance all of the
>>> traffic every ten seconds, so any MAC ND_OPT_*_LL_ADDR option
>>> assignments in the outgoing NS/NA datagrams will only be valid for that
>>> length of time, correct?
>>
>>
>> Yes,  MAC ND_OPT_*_LL_ADDR option assignments in the outgoing NS/NA
>> datagrams will only be valid for that length of time ,and then,
>> it will be inconsistensy in the next ten seconds.
>>
>>
>>>     The topology diagram and example that you've removed from the
>>> commit log with v5 said, in part, that the issue arose because the
>>> LL_ADDR option MAC didn't match the actual source MAC.  Since tlb mode
>>> can reshuffle the flows every ten seconds, how did the proposed 
>>> solution
>>> work reliably?
>>
>>
>> In function alb_set_nd_option, we will change the LL_ADDR option Mac
>> to the source Mac. This could work in this conditon.
>>
>>
>>>
>>>     In any event, my real question is whether simply disabling tlb
>>> balancing for NS/NA datagrams will resolve the observed issues (i.e.,
>>> have bond_xmit_tlb_slave_get return NULL for IPv6 NS/NA datagrams).
>>> Doing so will cause all NS/NA traffic to egress through the active
>>> interface.  There's already a test in your logic to check for the
>>> tx_slave != bond->curr_active_slave, so presumably everything works
>>> correctly if the NS/NA goes out on the curr_active_slave.  If the "edit
>>> NS/NA datagrams" solution works even in the face of rebalance of
>>> traffic, then would simply assigning all NS/NA traffic to the
>>> curr_active_slave eliminate the problem?
>>
>>
>> Yes, assigning all Ns/Na traffic to the curr_active_slave can resolve 
>> the
>> difference between mac in the Ns/Na options with the source mac.
>> But this makes the rlb doesn't work in the alb mode,
>> one interface with bond6 will not receive any ingress packets.
>> It is mismatch Bond6 specification.
>>
>>
>>>
>>>     -J
>>>
>>>> Suggested-by: Hu Yadi <huyd12@...natelecom.cn>
>>>> Reported-by: kernel test robot <lkp@...el.com>
>>>> Signed-off-by: Sun Shouxin <sunshouxin@...natelecom.cn>
>>>> ---
>>>> drivers/net/bonding/bond_alb.c | 149 +++++++++++++++++++++++++++++++++
>>>> 1 file changed, 149 insertions(+)
>>>>
>>>> diff --git a/drivers/net/bonding/bond_alb.c 
>>>> b/drivers/net/bonding/bond_alb.c
>>>> index 533e476988f2..485e4863a365 100644
>>>> --- a/drivers/net/bonding/bond_alb.c
>>>> +++ b/drivers/net/bonding/bond_alb.c
>>>> @@ -22,6 +22,8 @@
>>>> #include <asm/byteorder.h>
>>>> #include <net/bonding.h>
>>>> #include <net/bond_alb.h>
>>>> +#include <net/ndisc.h>
>>>> +#include <net/ip6_checksum.h>
>>>>
>>>> static const u8 mac_v6_allmcast[ETH_ALEN + 2] __long_aligned = {
>>>>     0x33, 0x33, 0x00, 0x00, 0x00, 0x01
>>>> @@ -1269,6 +1271,137 @@ static int alb_set_mac_address(struct 
>>>> bonding *bond, void *addr)
>>>>     return res;
>>>> }
>>>>
>>>> +/*determine if the packet is NA or NS*/
>>>> +static bool __alb_determine_nd(struct icmp6hdr *hdr)
>>>> +{
>>>> +    if (hdr->icmp6_type == NDISC_NEIGHBOUR_ADVERTISEMENT ||
>>>> +        hdr->icmp6_type == NDISC_NEIGHBOUR_SOLICITATION) {
>>>> +        return true;
>>>> +    }
>>>> +
>>>> +    return false;
>>>> +}
>>>> +
>>>> +static void alb_change_nd_option(struct sk_buff *skb, void *data)
>>>> +{
>>>> +    struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
>>>> +    struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)msg->opt;
>>>> +    struct net_device *dev = skb->dev;
>>>> +    struct icmp6hdr *icmp6h = icmp6_hdr(skb);
>>>> +    struct ipv6hdr *ip6hdr = ipv6_hdr(skb);
>>>> +    u8 *lladdr = NULL;
>>>> +    u32 ndoptlen = skb_tail_pointer(skb) - 
>>>> (skb_transport_header(skb) +
>>>> +                offsetof(struct nd_msg, opt));
>>>> +
>>>> +    while (ndoptlen) {
>>>> +        int l;
>>>> +
>>>> +        switch (nd_opt->nd_opt_type) {
>>>> +        case ND_OPT_SOURCE_LL_ADDR:
>>>> +        case ND_OPT_TARGET_LL_ADDR:
>>>> +            lladdr = ndisc_opt_addr_data(nd_opt, dev);
>>>> +            break;
>>>> +
>>>> +        default:
>>>> +            lladdr = NULL;
>>>> +            break;
>>>> +        }
>>>> +
>>>> +        l = nd_opt->nd_opt_len << 3;
>>>> +
>>>> +        if (ndoptlen < l || l == 0)
>>>> +            return;
>>>> +
>>>> +        if (lladdr) {
>>>> +            memcpy(lladdr, data, dev->addr_len);
>>>> +            icmp6h->icmp6_cksum = 0;
>>>> +
>>>> +            icmp6h->icmp6_cksum = csum_ipv6_magic(&ip6hdr->saddr,
>>>> +                                  &ip6hdr->daddr,
>>>> +                        ntohs(ip6hdr->payload_len),
>>>> +                        IPPROTO_ICMPV6,
>>>> +                        csum_partial(icmp6h,
>>>> + ntohs(ip6hdr->payload_len), 0));
>>>> +            return;
>>>> +        }
>>>> +        ndoptlen -= l;
>>>> +        nd_opt = ((void *)nd_opt) + l;
>>>> +    }
>>>> +}
>>>> +
>>>> +static u8 *alb_get_lladdr(struct sk_buff *skb)
>>>> +{
>>>> +    struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
>>>> +    struct nd_opt_hdr *nd_opt = (struct nd_opt_hdr *)msg->opt;
>>>> +    struct net_device *dev = skb->dev;
>>>> +    u8 *lladdr = NULL;
>>>> +    u32 ndoptlen = skb_tail_pointer(skb) - 
>>>> (skb_transport_header(skb) +
>>>> +                offsetof(struct nd_msg, opt));
>>>> +
>>>> +    while (ndoptlen) {
>>>> +        int l;
>>>> +
>>>> +        switch (nd_opt->nd_opt_type) {
>>>> +        case ND_OPT_SOURCE_LL_ADDR:
>>>> +        case ND_OPT_TARGET_LL_ADDR:
>>>> +            lladdr = ndisc_opt_addr_data(nd_opt, dev);
>>>> +            break;
>>>> +
>>>> +        default:
>>>> +            break;
>>>> +        }
>>>> +
>>>> +        l = nd_opt->nd_opt_len << 3;
>>>> +
>>>> +        if (ndoptlen < l || l == 0)
>>>> +            return NULL;
>>>> +
>>>> +        if (lladdr)
>>>> +            return lladdr;
>>>> +
>>>> +        ndoptlen -= l;
>>>> +        nd_opt = ((void *)nd_opt) + l;
>>>> +    }
>>>> +
>>>> +    return lladdr;
>>>> +}
>>>> +
>>>> +static void alb_set_nd_option(struct sk_buff *skb, struct bonding 
>>>> *bond,
>>>> +                  struct slave *tx_slave)
>>>> +{
>>>> +    struct ipv6hdr *ip6hdr;
>>>> +    struct icmp6hdr *hdr;
>>>> +
>>>> +    if (skb->protocol == htons(ETH_P_IPV6)) {
>>>> +        if (tx_slave && tx_slave !=
>>>> +            rcu_access_pointer(bond->curr_active_slave)) {
>>>> +            ip6hdr = ipv6_hdr(skb);
>>>> +            if (ip6hdr->nexthdr == IPPROTO_ICMPV6) {
>>>> +                hdr = icmp6_hdr(skb);
>>>> +                if (__alb_determine_nd(hdr))
>>>> +                    alb_change_nd_option(skb, 
>>>> tx_slave->dev->dev_addr);
>>>> +            }
>>>> +        }
>>>> +    }
>>>> +}
>>>> +
>>>> +static bool alb_determine_nd(struct sk_buff *skb, struct bonding 
>>>> *bond)
>>>> +{
>>>> +    struct ipv6hdr *ip6hdr;
>>>> +    struct icmp6hdr *hdr;
>>>> +
>>>> +    if (skb->protocol == htons(ETH_P_IPV6)) {
>>>> +        ip6hdr = ipv6_hdr(skb);
>>>> +        if (ip6hdr->nexthdr == IPPROTO_ICMPV6) {
>>>> +            hdr = icmp6_hdr(skb);
>>>> +            if (__alb_determine_nd(hdr))
>>>> +                return true;
>>>> +        }
>>>> +    }
>>>> +
>>>> +    return false;
>>>> +}
>>>> +
>>>> /************************ exported alb functions 
>>>> ************************/
>>>>
>>>> int bond_alb_initialize(struct bonding *bond, int rlb_enabled)
>>>> @@ -1350,6 +1483,9 @@ struct slave *bond_xmit_tlb_slave_get(struct 
>>>> bonding *bond,
>>>>         switch (skb->protocol) {
>>>>         case htons(ETH_P_IP):
>>>>         case htons(ETH_P_IPV6):
>>>> +            if (alb_determine_nd(skb, bond))
>>>> +                break;
>>>> +
>>>>             hash_index = bond_xmit_hash(bond, skb);
>>>>             if (bond->params.tlb_dynamic_lb) {
>>>>                 tx_slave = tlb_choose_channel(bond,
>>>> @@ -1446,6 +1582,18 @@ struct slave *bond_xmit_alb_slave_get(struct 
>>>> bonding *bond,
>>>>             break;
>>>>         }
>>>>
>>>> +        if (alb_determine_nd(skb, bond)) {
>>>> +            u8 *lladdr;
>>>> +
>>>> +            lladdr = alb_get_lladdr(skb);
>>>> +            if (lladdr) {
>>>> +                if (!bond_slave_has_mac_rx(bond, lladdr)) {
>>>> +                    do_tx_balance = false;
>>>> +                    break;
>>>> +                }
>>>> +            }
>>>> +        }
>>>> +
>>>>         hash_start = (char *)&ip6hdr->daddr;
>>>>         hash_size = sizeof(ip6hdr->daddr);
>>>>         break;
>>>> @@ -1489,6 +1637,7 @@ netdev_tx_t bond_alb_xmit(struct sk_buff 
>>>> *skb, struct net_device *bond_dev)
>>>>     struct slave *tx_slave = NULL;
>>>>
>>>>     tx_slave = bond_xmit_alb_slave_get(bond, skb);
>>>> +    alb_set_nd_option(skb, bond, tx_slave);
>>>>     return bond_do_alb_xmit(skb, bond, tx_slave);
>>>> }
>>>>
>>>>
>>>> base-commit: 7a29b11da9651ef6a970e2f6bfd276f053aeb06a
>>>> -- 
>>>> 2.27.0
>>>>
>>> ---
>>>     -Jay Vosburgh, jay.vosburgh@...onical.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ