From: Steffen Klassert <steffen.klassert@secunet.com>
To: Hannes Frederic Sowa <hannes@stressinduktion.org>,
David Miller <davem@davemloft.net>,
netdev@vger.kernel.org
Subject: Re: Problematic commits in the ipsec tree
Date: Fri, 23 Aug 2013 10:58:07 +0200 [thread overview]
Message-ID: <20130823085807.GH26773@secunet.com> (raw)
In-Reply-To: <20130822135342.GC30722@order.stressinduktion.org>
On Thu, Aug 22, 2013 at 03:53:42PM +0200, Hannes Frederic Sowa wrote:
> On Thu, Aug 22, 2013 at 12:47:24PM +0200, Steffen Klassert wrote:
> > Hannes,
> >
> > I have two problematic commits from you in the ipsec tree. The first one is:
> >
> > commit 0ea9d5e3e (xfrm: introduce helper for safe determination of mtu)
> >
> > This breakes pmtu discovery for IPv4 because now we use the device mtu
> > instead of the reduced IPsec mtu in xfrm4_tunnel_check_size() if a IPv4
> > socket is at the skb.
>
> I am currently testing this following patch. It should restore old behavior
> for ipv4 sockets.
>
> diff --git a/include/net/xfrm.h b/include/net/xfrm.h
> index ac5b025..65d3529 100644
> --- a/include/net/xfrm.h
> +++ b/include/net/xfrm.h
> @@ -1730,8 +1730,6 @@ static inline int xfrm_skb_dst_mtu(struct sk_buff *skb)
>
> if (sk && skb->protocol == htons(ETH_P_IPV6))
> return ip6_skb_dst_mtu(skb);
> - else if (sk && skb->protocol == htons(ETH_P_IP))
> - return ip_skb_dst_mtu(skb);
> return dst_mtu(skb_dst(skb));
> }
This looks still fragile. xfrm_skb_dst_mtu() is called from
__xfrm6_output() and from xfrm4_tunnel_check_size().
We will have the same bug again as soon as somebody thinks that
it is save to call it from xfrm6_tunnel_check_size() too. So I
think it is better not to call it from xfrm4_tunnel_check_size().
Also, why do we need xfrm_skb_dst_mtu() at all? When it is called
from __xfrm6_output(), we know that this is IPv6. So we can call
ip6_skb_dst_mtu() directly as it was before your change.
next prev parent reply other threads:[~2013-08-23 8:58 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-22 10:47 Problematic commits in the ipsec tree Steffen Klassert
2013-08-22 11:21 ` Hannes Frederic Sowa
2013-08-22 13:53 ` Hannes Frederic Sowa
2013-08-23 8:58 ` Steffen Klassert [this message]
2013-08-23 11:03 ` Hannes Frederic Sowa
2013-08-23 11:34 ` Hannes Frederic Sowa
2013-08-23 12:49 ` Hannes Frederic Sowa
2013-08-26 9:41 ` Steffen Klassert
2013-08-26 10:46 ` Hannes Frederic Sowa
2013-08-22 19:53 ` [PATCH ipsec 1/2] xfrm: revert ipv4 mtu determination to dst_mtu Hannes Frederic Sowa
2013-08-22 19:54 ` [PATCH ipsec 2/2] ipv6: set skb->protocol on tcp, raw and ip6_append_data genereated skbs Hannes Frederic Sowa
2013-08-22 23:59 ` Eric Dumazet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130823085807.GH26773@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=davem@davemloft.net \
--cc=hannes@stressinduktion.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.