From: Steffen Klassert <steffen.klassert@secunet.com>
To: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Don Bowman <db@donbowman.ca>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
Linux Kernel Network Developers <netdev@vger.kernel.org>
Subject: Re: ipsec doesn't route TCP with 4.11 kernel
Date: Thu, 27 Apr 2017 10:42:38 +0200
Message-ID: <20170427084238.GX2649@secunet.com>
In-Reply-To: <CAM_iQpWT5tF5+LpoTP98JNJ=440jEkxHFkn8=jtAsZgondN49A@mail.gmail.com>
On Wed, Apr 26, 2017 at 10:01:34PM -0700, Cong Wang wrote:
> (Cc'ing netdev and IPSec maintainers)
>
> On Tue, Apr 25, 2017 at 6:08 PM, Don Bowman <db@donbowman.ca> wrote:
> > I'm not sure how to describe this.
> >
> > 4.11rc2 worked, after that, no.
We had some recent IPsec GRO changes; this could influence TCP.
But these changes were introduced before rc2. If I read this correctly,
the regression was introduced between rc2 and rc3, right?
> >
> > My ipsec tunnel comes up ok.
When talking about IPsec, I guess you use ESP, right?
> > ICMP works. UDP works. But TCP, the
> > sender [which is the ipsec client] does not reach the destination.
> >
> > It's not a routing rule issue (since ICMP/UDP work).
> > It's not a traffic selector just selecting TCP (I think) since ipsec
> > status shows just a subnet, no protocol.
> >
> > Using tcpdump:
> > # iptables -t mangle -I PREROUTING -m policy --pol ipsec --dir in -j
> > NFLOG --nflog-group 5
> > # iptables -t mangle -I POSTROUTING -m policy --pol ipsec --dir out -j
> > NFLOG --nflog-group 5
> > # tcpdump -s 0 -n -i nflog:5
> >
> > I see that it thinks it is sending the TCP packet, but the server end
> > does not receive.
> >
> > Does anyone have any suggestion to try?
If it is a GRO issue, then it is on the receive side. Could you do
tcpdump on the receiving interface to see what you get there?
What does /proc/net/xfrm_stat show?
Can you do 'ip -s x s' to see if the SAs are used?
Do you have INET_ESP_OFFLOAD enabled?
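A small triage helper for the checks asked for above, added here as an example and not part of the thread: it parses /proc/net/xfrm_stat text (sample constructed inline, not captured from the reporter's box), splits the counters that fired into receive-side (XfrmIn*) and transmit-side (XfrmOut*) groups, and reads CONFIG_INET_ESP_OFFLOAD out of a kernel config dump.

```python
"""Added triage helper for an XFRM/ESP debugging session (example code, not from the thread)."""
import re

# Constructed sample in the /proc/net/xfrm_stat layout: one "<counter><whitespace><value>" per line.
SAMPLE_XFRM_STAT = """\
XfrmInError                 	0
XfrmInHdrError              	0
XfrmInNoStates              	0
XfrmInStateSeqError         	3
XfrmInTmplMismatch          	0
XfrmOutError                	0
XfrmOutPolBlock             	0
XfrmOutNoStates             	12
"""

# Constructed kernel config excerpt, in the shape of /proc/config.gz or /boot/config-*.
SAMPLE_CONFIG = """\
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_ESP_OFFLOAD=m
# CONFIG_INET_IPCOMP is not set
"""


def parse_xfrm_stat(text):
    """Map counter name -> int value; lines that do not fit the two-column layout are skipped."""
    counters = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            counters[parts[0]] = int(parts[1])
    return counters


def nonzero_counters(text):
    """Only the counters that fired, sorted by name; these say where the XFRM path dropped packets."""
    return {k: v for k, v in sorted(parse_xfrm_stat(text).items()) if v}


def esp_offload_setting(config_text):
    """Return 'y', 'm' or 'n' for CONFIG_INET_ESP_OFFLOAD in a kernel config dump."""
    match = re.search(r"^CONFIG_INET_ESP_OFFLOAD=([ym])$", config_text, re.M)
    return match.group(1) if match else "n"


def triage(xfrm_stat_text, config_text):
    """Split fired counters by direction: a receive-side (GRO) problem shows up under rx_errors."""
    fired = nonzero_counters(xfrm_stat_text)
    return {"rx_errors": {k: v for k, v in fired.items() if k.startswith("XfrmIn")},
            "tx_errors": {k: v for k, v in fired.items() if k.startswith("XfrmOut")},
            "esp_offload": esp_offload_setting(config_text)}


if __name__ == "__main__":
    # On a live box read open("/proc/net/xfrm_stat").read() and the unpacked config instead.
    print(triage(SAMPLE_XFRM_STAT, SAMPLE_CONFIG))
```

Run it on both tunnel endpoints: non-zero XfrmIn* counters on the receiver are what a receive-side GRO problem would leave behind, while a clean xfrm_stat with 'ip -s x s' showing the SAs in use points elsewhere.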