lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 16 Jan 2020 18:01:32 +0900
From:   Toshiaki Makita <>
To:     Hanlin Shi <>,
        "" <>
Cc:     Cheng-Chun William Tu <>
Subject: Re: Veth pair swallow packets for XDP_TX operation

Hi Hanlin,

On 2020/01/16 7:35, Hanlin Shi wrote:
> Hi community,
> I’m prototyping an XDP program, and the hit issues with XDP_TX operation on veth device. The following code snippet is working as expected on 4.15.0-54-generic, but is NOT working on 4.20.17-042017-lowlatency (I got the kernel here:
> Here’s my setup: I created a veth pair (namely veth1 and veth2), and put them in two namespaces (namely ns1 and ns2). I assigned address on veth1 and on veth2, set the device as the default interface in its namespace respectively (e.g. in ns1, do “ip r set default dev veth1”). Then in ns1, I ping, and tcpdump on veth1’s RX for ICMP.
> Before loading any XDP program on veth2, I can see ICMP replies on veth1 interface. I load a program which do “XDP_TX” for all packets on veth2. I expect to see the same ICMP packet being returned, but I saw nothing.
> I added some debugging message in the XDP program so I’m sure that the packet is processed on veth2, but on veth1, even with promisc mode on, I cannot see any ICMP packets or even ARP packets. In my understanding, 4.15 is using generic XDP mode where 4.20 is using native XDP mode for veth, so I guess there’s something wrong with veth native XDP and need some helps on fixing the issue.

You need to load a dummy program to receive packets from peer XDP_TX when using native veth XDP.

The dummy program is something like this:
int xdp_pass(struct xdp_md *ctx) {
	return XDP_PASS;
And load this program on "veth1".

For more information please refer to this slides.

Also there is a working example here.

Toshiaki Makita

> Please let me know if you need help on reproducing the issue.
> Thanks,
> Hanlin
> PS: here’s the src code for the XDP program:
> #include <stddef.h>
> #include <string.h>
> #include <linux/if_vlan.h>
> #include <stdbool.h>
> #include <bpf/bpf_endian.h>
> #include <linux/if_ether.h>
> #include <linux/ip.h>
> #include <linux/tcp.h>
> #include <linux/udp.h>
> #include <linux/in.h>#define DEBUG
> #include "bpf_helpers.h"
> SEC("xdp")
> int loadbal(struct xdp_md *ctx) {
>    bpf_printk("got packet, direct return\n");
>    return XDP_TX;
> }char _license[] SEC("license") = "GPL";
> "bpf_helpers.h" can be found here:

Powered by blists - more mailing lists