The Linux Kernel Mailing List
* [PATCH net-next] openvswitch: Pass on secpath details for internal port rx.
@ 2024-11-01 20:47 Aaron Conole
  2024-11-04  7:58 ` Eelco Chaudron
  2024-11-06  1:50 ` patchwork-bot+netdevbpf
  0 siblings, 2 replies; 3+ messages in thread
From: Aaron Conole @ 2024-11-01 20:47 UTC (permalink / raw)
  To: netdev
  Cc: Pravin B Shelar, David S. Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, Simon Horman, dev, linux-kernel, Steffen Klassert,
	Herbert Xu, Hangbin Liu

Clearing the secpath for internal ports will cause packet drops when
ipsec offload or early SW ipsec decrypt are used.  Systems that rely
on these will not be able to actually pass traffic via openvswitch.

There is still an open issue for a flow miss packet - this is because
we drop the extensions during upcall and there is no facility to
restore such data (and it is non-trivial to add such functionality
to the upcall interface).  That means that when a flow miss occurs,
there will still be packet drops.  With this patch, when a flow is
found then traffic which has an associated xfrm extension will
properly flow.

Signed-off-by: Aaron Conole <aconole@redhat.com>
---
 net/openvswitch/vport-internal_dev.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/openvswitch/vport-internal_dev.c b/net/openvswitch/vport-internal_dev.c
index 5858d65ea1a9..2412d7813d24 100644
--- a/net/openvswitch/vport-internal_dev.c
+++ b/net/openvswitch/vport-internal_dev.c
@@ -195,7 +195,6 @@ static int internal_dev_recv(struct sk_buff *skb)
 
 	skb_dst_drop(skb);
 	nf_reset_ct(skb);
-	secpath_reset(skb);
 
 	skb->pkt_type = PACKET_HOST;
 	skb->protocol = eth_type_trans(skb, netdev);
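
Review bot: After this removal, internal_dev_recv() still scrubs the dst (skb_dst_drop) and conntrack state (nf_reset_ct) but lets the xfrm secpath through to the receiving stack, and nothing in the code marks that asymmetry as deliberate. A one-line comment above the remaining resets, saying that the secpath is kept on purpose so that packets decrypted by ipsec offload or early SW decrypt still pass the xfrm policy check, would keep a later cleanup from putting secpath_reset(skb) back. The commit message also does not say why the reset was there originally or which commit added it, so a reviewer cannot tell from the patch whether any case relied on the secpath being cleared at this boundary; a sentence on that, or a reference to the introducing commit, would close the gap. The flow-miss limitation described in the message is worth recording near this code as well, since drops on the upcall path will otherwise look like a regression of this fix.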
-- 
2.46.2



* Re: [PATCH net-next] openvswitch: Pass on secpath details for internal port rx.
  2024-11-01 20:47 [PATCH net-next] openvswitch: Pass on secpath details for internal port rx Aaron Conole
@ 2024-11-04  7:58 ` Eelco Chaudron
  2024-11-06  1:50 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: Eelco Chaudron @ 2024-11-04  7:58 UTC (permalink / raw)
  To: Aaron Conole
  Cc: netdev, Pravin B Shelar, David S. Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Simon Horman, dev, linux-kernel,
	Steffen Klassert, Herbert Xu, Hangbin Liu



On 1 Nov 2024, at 21:47, Aaron Conole wrote:

> Clearing the secpath for internal ports will cause packet drops when
> ipsec offload or early SW ipsec decrypt are used.  Systems that rely
> on these will not be able to actually pass traffic via openvswitch.
>
> There is still an open issue for a flow miss packet - this is because
> we drop the extensions during upcall and there is no facility to
> restore such data (and it is non-trivial to add such functionality
> to the upcall interface).  That means that when a flow miss occurs,
> there will still be packet drops.  With this patch, when a flow is
> found then traffic which has an associated xfrm extension will
> properly flow.
>
> Signed-off-by: Aaron Conole <aconole@redhat.com>

Thanks for debugging and fixing this. The change looks good to me.

Acked-by: Eelco Chaudron <echaudro@redhat.com>



* Re: [PATCH net-next] openvswitch: Pass on secpath details for internal port rx.
  2024-11-01 20:47 [PATCH net-next] openvswitch: Pass on secpath details for internal port rx Aaron Conole
  2024-11-04  7:58 ` Eelco Chaudron
@ 2024-11-06  1:50 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2024-11-06  1:50 UTC (permalink / raw)
  To: Aaron Conole
  Cc: netdev, pshelar, davem, edumazet, kuba, pabeni, horms, dev,
	linux-kernel, steffen.klassert, herbert, liuhangbin

Hello:

This patch was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Fri,  1 Nov 2024 16:47:32 -0400 you wrote:
> Clearing the secpath for internal ports will cause packet drops when
> ipsec offload or early SW ipsec decrypt are used.  Systems that rely
> on these will not be able to actually pass traffic via openvswitch.
> 
> There is still an open issue for a flow miss packet - this is because
> we drop the extensions during upcall and there is no facility to
> restore such data (and it is non-trivial to add such functionality
> to the upcall interface).  That means that when a flow miss occurs,
> there will still be packet drops.  With this patch, when a flow is
> found then traffic which has an associated xfrm extension will
> properly flow.
> 
> [...]

Here is the summary with links:
  - [net-next] openvswitch: Pass on secpath details for internal port rx.
    https://git.kernel.org/netdev/net-next/c/7d1c2d517f50

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html


