lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZvOx95zrrKonjTPn@fedora>
Date: Wed, 25 Sep 2024 06:47:19 +0000
From: Hangbin Liu <liuhangbin@...il.com>
To: Paolo Abeni <pabeni@...hat.com>,
	Steffen Klassert <steffen.klassert@...unet.com>,
	Sabrina Dubroca <sd@...asysnail.net>
Cc: netdev@...r.kernel.org, Jay Vosburgh <jv@...sburgh.net>,
	Andy Gospodarek <andy@...yhouse.net>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Jarod Wilson <jarod@...hat.com>,
	Nikolay Aleksandrov <razor@...ckwall.org>,
	Simon Horman <horms@...nel.org>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] Bonding: update bond device XFRM features based on
 current active slave

On Tue, Sep 24, 2024 at 03:17:25PM +0200, Paolo Abeni wrote:
> 
> 
> On 9/18/24 10:35, Hangbin Liu wrote:
> > XFRM offload is supported in active-backup mode. However, if the current
> > active slave does not support it, we should disable it on bond device.
> > Otherwise, ESP traffic may fail due to the downlink not supporting the
> > feature.
> 
> Why would the excessive features exposed by the bond device will be a
> problem? later dev_queue_xmit() on the lower device should take care of
> needed xfrm offload in validate_xmit_xfrm(), no?

I'm not very sure. In validate_xmit_xfrm() it looks the lower dev won't
check again if the upper dev has validated.

        /* This skb was already validated on the upper/virtual dev */
        if ((x->xso.dev != dev) && (x->xso.real_dev == dev))
                return skb;

Hi Sabrina, Steffen, if the upper dev validate failed, what would happen?
Just drop the skb or go via software path?

> 
> Let segmentation happening as late as possible is usually a win.

Yes, indeed.

Thanks
Hangbin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ