lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <ZvQOZALIQWOcPRAn@fedora>
Date: Wed, 25 Sep 2024 13:21:40 +0000
From: Hangbin Liu <liuhangbin@...il.com>
To: Paolo Abeni <pabeni@...hat.com>,
	Steffen Klassert <steffen.klassert@...unet.com>,
	Sabrina Dubroca <sd@...asysnail.net>
Cc: netdev@...r.kernel.org, Jay Vosburgh <jv@...sburgh.net>,
	Andy Gospodarek <andy@...yhouse.net>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Jarod Wilson <jarod@...hat.com>,
	Nikolay Aleksandrov <razor@...ckwall.org>,
	Simon Horman <horms@...nel.org>, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] Bonding: update bond device XFRM features based on
 current active slave

On Wed, Sep 25, 2024 at 06:47:27AM +0000, Hangbin Liu wrote:
> On Tue, Sep 24, 2024 at 03:17:25PM +0200, Paolo Abeni wrote:
> > 
> > 
> > On 9/18/24 10:35, Hangbin Liu wrote:
> > > XFRM offload is supported in active-backup mode. However, if the current
> > > active slave does not support it, we should disable it on bond device.
> > > Otherwise, ESP traffic may fail due to the downlink not supporting the
> > > feature.
> > 
> > Why would the excessive features exposed by the bond device will be a
> > problem? later dev_queue_xmit() on the lower device should take care of
> > needed xfrm offload in validate_xmit_xfrm(), no?
> 
> I'm not very sure. In validate_xmit_xfrm() it looks the lower dev won't
> check again if the upper dev has validated.
> 
>         /* This skb was already validated on the upper/virtual dev */
>         if ((x->xso.dev != dev) && (x->xso.real_dev == dev))
>                 return skb;
> 
> Hi Sabrina, Steffen, if the upper dev validate failed, what would happen?
> Just drop the skb or go via software path?

Hmm, I saw a similar commit 28581b9c2c94 ("bond: Disable TLS features
indication"). I will check the history and see if we can do like this.

Thanks
Hangbin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ