Date: Sat, 9 Aug 2014 08:44:31 +0200
From: Jiri Pirko <jiri@...nulli.us>
To: Vladislav Yasevich <vyasevic@...hat.com>
Cc: netdev@...r.kernel.org, Patrick McHardy <kaber@...sh.net>,
 Nithin Nayak Sujir <nsujir@...adcom.com>,
 Michael Chan <mchan@...adcom.com>
Subject: Re: [PATCH v2 net] net: Always untag vlan-tagged traffic on input.

Fri, Aug 08, 2014 at 08:42:13PM CEST, vyasevic@...hat.com wrote:
>Currently the functionality to untag traffic on input resides
>as part of the vlan module and is built only when VLAN support
>is enabled in the kernel. When VLAN is disabled, the function
>vlan_untag() turns into a stub and doesn't really untag the
>packets. This seems to create an interesting interaction
>between VMs supporting checksum offloading and some network drivers.
>
>There are some drivers that do not allow the user to change
>tx-vlan-offload feature of the driver. These drivers also seem
>to assume that any VLAN-tagged traffic they transmit will
>have the vlan information in the vlan_tci and not in the vlan
>header already in the skb. When transmitting skbs that already
>have tagged data with partial checksum set, the checksum doesn't
>appear to be updated correctly by the card thus resulting in a
>failure to establish TCP connections.
>
>The following is a packet trace taken on the receiver where a
>sender is a VM with a VLAN configured. The host the VM is running on
>does not have VLAN support and the outgoing interface on the
>host is tg3:
>10:12:43.503055 52:54:00:ae:42:3f > 28:d2:44:7d:c2:de, ethertype 802.1Q
>(0x8100), length 78: vlan 100, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 27243,
>offset 0, flags [DF], proto TCP (6), length 60)
>    10.0.100.1.58545 > 10.0.100.10.ircu-2: Flags [S], cksum 0xdc39 (incorrect
>-> 0x48d9), seq 1069378582, win 29200, options [mss 1460,sackOK,TS val
>4294837885 ecr 0,nop,wscale 7], length 0
>10:12:44.505556 52:54:00:ae:42:3f > 28:d2:44:7d:c2:de, ethertype 802.1Q
>(0x8100), length 78: vlan 100, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 27244,
>offset 0, flags [DF], proto TCP (6), length 60)
>    10.0.100.1.58545 > 10.0.100.10.ircu-2: Flags [S], cksum 0xdc39 (incorrect
>-> 0x44ee), seq 1069378582, win 29200, options [mss 1460,sackOK,TS val
>4294838888 ecr 0,nop,wscale 7], length 0
>
>This connection finally times out.
>
>I've only access to the TG3 hardware in this configuration thus have
>only tested this with TG3 driver. There are a lot of other drivers
>that do not permit user changes to vlan acceleration features, and
>I don't know if they all suffer from a similar issue.
>
>The patch attempts to fix this another way. It moves the vlan header
>stripping code out of the vlan module and always builds it into the
>kernel network core. This way, even if vlan is not supported on
>a virtualization host, the virtual machines running on top of such
>host will still work with VLANs enabled.
>
>CC: Patrick McHardy <kaber@...sh.net>
>CC: Nithin Nayak Sujir <nsujir@...adcom.com>
>CC: Michael Chan <mchan@...adcom.com>
>CC: Jiri Pirko <jiri@...nulli.us>
>Signed-off-by: Vladislav Yasevich <vyasevic@...hat.com>

Acked-by: Jiri Pirko <jiri@...nulli.us>
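
An added illustration, not part of this thread or of the kernel patch: a user-space sketch of what untagging on input means for a frame like the one in the trace, where the 802.1Q tag leaves the packet data and its TCI is kept out of band (the role the message gives to vlan_tci). The helper name untag_frame and the sample bytes are assumptions constructed for this example; the kernel's own code operates on skbs and is not reproduced here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define ETH_ALEN      6        /* MAC address length */
#define ETH_HLEN      14       /* dst + src + ethertype */
#define VLAN_HLEN     4        /* TPID + TCI */
#define ETH_P_8021Q   0x8100
#define VLAN_VID_MASK 0x0fff

/* Constructed sample: MACs and VLAN 100 as in the quoted trace, payload is filler. */
static const uint8_t sample_frame[] = {
    0x28, 0xd2, 0x44, 0x7d, 0xc2, 0xde,     /* destination MAC */
    0x52, 0x54, 0x00, 0xae, 0x42, 0x3f,     /* source MAC */
    0x81, 0x00,                             /* TPID: 802.1Q */
    0x00, 0x64,                             /* TCI: priority 0, VLAN ID 100 */
    0x08, 0x00,                             /* encapsulated ethertype: IPv4 */
    0x45, 0x00, 0x00, 0x3c                  /* filler payload bytes */
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical helper. Returns 1 if a tag was stripped (TCI stored in *tci),
 * 0 if the frame carries no 802.1Q tag, -1 if it is too short to parse. */
int untag_frame(uint8_t *frame, size_t *len, uint16_t *tci)
{
    if (*len < ETH_HLEN)
        return -1;
    if (rd16(frame + 2 * ETH_ALEN) != ETH_P_8021Q)
        return 0;
    if (*len < ETH_HLEN + VLAN_HLEN)
        return -1;
    *tci = rd16(frame + ETH_HLEN);          /* keep the tag out of band */
    /* Close the 4-byte gap so the inner ethertype follows the MACs. */
    memmove(frame + 2 * ETH_ALEN, frame + 2 * ETH_ALEN + VLAN_HLEN,
            *len - 2 * ETH_ALEN - VLAN_HLEN);
    *len -= VLAN_HLEN;
    return 1;
}

int main(void)
{
    uint8_t buf[sizeof(sample_frame)];
    size_t len = sizeof(buf);
    uint16_t tci = 0;
    memcpy(buf, sample_frame, len);
    int rc = untag_frame(buf, &len, &tci);
    printf("rc=%d vid=%u len=%zu ethertype=0x%04x\n", rc,
           (unsigned)(tci & VLAN_VID_MASK), len, (unsigned)rd16(buf + 2 * ETH_ALEN));
}
```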