[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <cover.1733235367.git.petrm@nvidia.com>
Date: Tue, 3 Dec 2024 15:30:26 +0100
From: Petr Machata <petrm@...dia.com>
To: "David S. Miller" <davem@...emloft.net>, Eric Dumazet
<edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni
<pabeni@...hat.com>, <netdev@...r.kernel.org>
CC: Simon Horman <horms@...nel.org>, Ido Schimmel <idosch@...dia.com>, "Petr
Machata" <petrm@...dia.com>, <mlxsw@...dia.com>
Subject: [PATCH net-next v1 00/11] vxlan: Support user-defined reserved bits
Currently the VXLAN header validation works by vxlan_rcv() going feature
by feature, each feature clearing the bits that it consumes. If anything
is left unparsed at the end, the packet is rejected.
Unfortunately there are machines out there that send VXLAN packets with
reserved bits set, even if they are configured to not use the
corresponding features. One such report is here[1], and we have heard
similar complaints from our customers as well.
This patchset adds an attribute that makes it configurable which bits
the user wishes to tolerate and which they consider reserved. This was
recommended in [1] as well.
A knob like that inevitably allows users to set as reserved bits that
are in fact required for the features enabled by the netdevice, such as
GPE. This is detected, and such configurations are rejected.
In patches #1..#7, the reserved bits validation code is gradually moved
away from the unparsed approach described above, to one where a given
set of valid bits is precomputed and then the packet is validated
against that.
In patch #8, this precomputed set is made configurable through a new
attribute IFLA_VXLAN_RESERVED_BITS.
Patches #9 and #10 massage the testsuite a bit, so that patch #11 can
introduce a selftest for the resreved bits feature.
The corresponding iproute2 support is available in [2].
[1] https://lore.kernel.org/netdev/db8b9e19-ad75-44d3-bfb2-46590d426ff5@proxmox.com/
[2] https://github.com/pmachata/iproute2/commits/vxlan_reserved_bits/
v1 (vs. RFC):
- No changes.
Petr Machata (11):
vxlan: In vxlan_rcv(), access flags through the vxlan netdevice
vxlan: vxlan_rcv() callees: Move clearing of unparsed flags out
vxlan: vxlan_rcv() callees: Drop the unparsed argument
vxlan: vxlan_rcv(): Extract vxlan_hdr(skb) to a named variable
vxlan: Track reserved bits explicitly as part of the configuration
vxlan: Bump error counters for header mismatches
vxlan: vxlan_rcv(): Drop unparsed
vxlan: Add an attribute to make VXLAN header validation configurable
selftests: net: lib: Rename ip_link_master() to ip_link_set_master()
selftests: net: lib: Add several autodefer helpers
selftests: forwarding: Add a selftest for the new reserved_bits UAPI
drivers/net/vxlan/vxlan_core.c | 150 +++++---
include/net/vxlan.h | 1 +
include/uapi/linux/if_link.h | 1 +
tools/testing/selftests/net/fdb_notify.sh | 6 +-
tools/testing/selftests/net/forwarding/lib.sh | 7 -
.../net/forwarding/vxlan_reserved.sh | 352 ++++++++++++++++++
tools/testing/selftests/net/lib.sh | 41 +-
7 files changed, 496 insertions(+), 62 deletions(-)
create mode 100755 tools/testing/selftests/net/forwarding/vxlan_reserved.sh
--
2.47.0
Powered by blists - more mailing lists