From: Taehee Yoo <ap420073@gmail.com>
To: intel-wired-lan@osuosl.org
Subject: [Intel-wired-lan] [PATCH net 6/8] bonding: disallow setting nested bonding + ipsec offload
Date: Sat, 3 Jul 2021 15:37:48 +0900 [thread overview]
Message-ID: <27082299-0436-2f95-11b9-9ba7077f165e@gmail.com> (raw)
In-Reply-To: <14149.1625260463@famine>
Hi Jay,
Thank you for your review!
On 7/3/21 6:14 AM, Jay Vosburgh wrote:
> Taehee Yoo <ap420073@gmail.com> wrote:
>
>> bonding interface can be nested and it supports ipsec offload.
>> So, it allows setting the nested bonding + ipsec scenario.
>> But code does not support this scenario.
>> So, it should be disallowed.
>>
>> interface graph:
>> bond2
>> |
>> bond1
>> |
>> eth0
>>
>> The nested bonding + ipsec offload may not a real usecase.
>> So, disallowing this is fine.
>
> Is a stack like "bond1 -> VLAN.XX -> bond2 -> eth0" also a
> problem? I don't believe the change below will detect this
> configuration.
>
Except bonding, all kind of virtual interfaces(vlan, team, etc) doesn't
support ipsec offload.
It means these interfaces' xfrmdev_ops pointer is null.
So, configuration always will be failed at the following line.
if (!slave->dev->xfrmdev_ops ||
!slave->dev->xfrmdev_ops->xdo_dev_state_add ||
Only checking the real interface's type is enough.
So, bond1 can't set up ipsec offload but bond2 can set up ipsec offload.
Thanks a lot!
Taehee
> -J
>
>> Fixes: 18cb261afd7b ("bonding: support hardware encryption offload
to slaves")
>> Signed-off-by: Taehee Yoo <ap420073@gmail.com>
>> ---
>> drivers/net/bonding/bond_main.c | 15 +++++++++------
>> 1 file changed, 9 insertions(+), 6 deletions(-)
>>
>> diff --git a/drivers/net/bonding/bond_main.c
b/drivers/net/bonding/bond_main.c
>> index 7659e1fab19e..f268e67cb2f0 100644
>> --- a/drivers/net/bonding/bond_main.c
>> +++ b/drivers/net/bonding/bond_main.c
>> @@ -419,8 +419,9 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs)
>> xs->xso.real_dev = slave->dev;
>> bond->xs = xs;
>>
>> - if (!(slave->dev->xfrmdev_ops
>> - && slave->dev->xfrmdev_ops->xdo_dev_state_add)) {
>> + if (!slave->dev->xfrmdev_ops ||
>> + !slave->dev->xfrmdev_ops->xdo_dev_state_add ||
>> + netif_is_bond_master(slave->dev)) {
>> slave_warn(bond_dev, slave->dev, "Slave does not support ipsec
offload\n");
>> rcu_read_unlock();
>> return -EINVAL;
>> @@ -453,8 +454,9 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs)
>>
>> xs->xso.real_dev = slave->dev;
>>
>> - if (!(slave->dev->xfrmdev_ops
>> - && slave->dev->xfrmdev_ops->xdo_dev_state_delete)) {
>> + if (!slave->dev->xfrmdev_ops ||
>> + !slave->dev->xfrmdev_ops->xdo_dev_state_delete ||
>> + netif_is_bond_master(slave->dev)) {
>> slave_warn(bond_dev, slave->dev, "%s: no slave
xdo_dev_state_delete\n", __func__);
>> goto out;
>> }
>> @@ -479,8 +481,9 @@ static bool bond_ipsec_offload_ok(struct sk_buff
*skb, struct xfrm_state *xs)
>> if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP)
>> return true;
>>
>> - if (!(slave_dev->xfrmdev_ops
>> - && slave_dev->xfrmdev_ops->xdo_dev_offload_ok)) {
>> + if (!slave_dev->xfrmdev_ops ||
>> + !slave_dev->xfrmdev_ops->xdo_dev_offload_ok ||
>> + netif_is_bond_master(slave_dev)) {
>> slave_warn(bond_dev, slave_dev, "%s: no slave
xdo_dev_offload_ok\n", __func__);
>> return false;
>> }
>> --
>> 2.17.1
>>
>
> ---
> -Jay Vosburgh, jay.vosburgh at canonical.com
>
next prev parent reply other threads:[~2021-07-03 6:37 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-02 14:26 [Intel-wired-lan] [PATCH net 0/8] net: fix bonding ipsec offload problems Taehee Yoo
2021-07-02 14:26 ` [Intel-wired-lan] [PATCH net 1/8] bonding: fix suspicious RCU usage in bond_ipsec_add_sa() Taehee Yoo
2021-07-02 14:26 ` [Intel-wired-lan] [PATCH net 2/8] bonding: fix null dereference " Taehee Yoo
2021-07-02 14:26 ` [Intel-wired-lan] [PATCH net 3/8] net: netdevsim: use xso.real_dev instead of xso.dev in callback functions of struct xfrmdev_ops Taehee Yoo
2021-07-02 14:26 ` [Intel-wired-lan] [PATCH net 4/8] ixgbevf: " Taehee Yoo
2021-07-02 14:26 ` [Intel-wired-lan] [PATCH net 5/8] bonding: fix suspicious RCU usage in bond_ipsec_del_sa() Taehee Yoo
2021-07-02 14:26 ` [Intel-wired-lan] [PATCH net 6/8] bonding: disallow setting nested bonding + ipsec offload Taehee Yoo
2021-07-02 21:14 ` Jay Vosburgh
2021-07-03 6:37 ` Taehee Yoo [this message]
2021-07-02 21:26 ` Jay Vosburgh
2021-07-03 6:46 ` Taehee Yoo
2021-07-02 14:26 ` [Intel-wired-lan] [PATCH net 7/8] bonding: Add struct bond_ipesc to manage SA Taehee Yoo
2021-07-02 14:26 ` [Intel-wired-lan] [PATCH net 8/8] bonding: fix suspicious RCU usage in bond_ipsec_offload_ok() Taehee Yoo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=27082299-0436-2f95-11b9-9ba7077f165e@gmail.com \
--to=ap420073@gmail.com \
--cc=intel-wired-lan@osuosl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox