From: Jay Vosburgh <jay.vosburgh@canonical.com>
To: Taehee Yoo <ap420073@gmail.com>
Cc: davem@davemloft.net, kuba@kernel.org, vfalico@gmail.com,
andy@greyhouse.net, jesse.brandeburg@intel.com,
anthony.l.nguyen@intel.com, jarod@redhat.com,
netdev@vger.kernel.org, intel-wired-lan@lists.osuosl.org
Subject: Re: [PATCH net 6/8] bonding: disallow setting nested bonding + ipsec offload
Date: Fri, 02 Jul 2021 14:14:23 -0700
Message-ID: <14149.1625260463@famine>
In-Reply-To: <20210702142648.7677-7-ap420073@gmail.com>

Taehee Yoo <ap420073@gmail.com> wrote:
>bonding interface can be nested and it supports ipsec offload.
>So, it allows setting the nested bonding + ipsec scenario.
>But code does not support this scenario.
>So, it should be disallowed.
>
>interface graph:
>bond2
> |
>bond1
> |
>eth0
>
>The nested bonding + ipsec offload may not be a real use case.
>So, disallowing this is fine.

Is a stack like "bond1 -> VLAN.XX -> bond2 -> eth0" also a
problem? I don't believe the change below will detect this
configuration.

-J

>Fixes: 18cb261afd7b ("bonding: support hardware encryption offload to slaves")
>Signed-off-by: Taehee Yoo <ap420073@gmail.com>
>---
> drivers/net/bonding/bond_main.c | 15 +++++++++------
> 1 file changed, 9 insertions(+), 6 deletions(-)
>
>diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
>index 7659e1fab19e..f268e67cb2f0 100644
>--- a/drivers/net/bonding/bond_main.c
>+++ b/drivers/net/bonding/bond_main.c
>@@ -419,8 +419,9 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs)
> xs->xso.real_dev = slave->dev;
> bond->xs = xs;
>
>- if (!(slave->dev->xfrmdev_ops
>- && slave->dev->xfrmdev_ops->xdo_dev_state_add)) {
>+ if (!slave->dev->xfrmdev_ops ||
>+ !slave->dev->xfrmdev_ops->xdo_dev_state_add ||
>+ netif_is_bond_master(slave->dev)) {
> slave_warn(bond_dev, slave->dev, "Slave does not support ipsec offload\n");
> rcu_read_unlock();
> return -EINVAL;
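Review bot: the new netif_is_bond_master(slave->dev) term in bond_ipsec_add_sa() only inspects the device directly below this bond, so a lower bond that sits behind an intermediate device (the "bond1 -> VLAN.XX -> bond2 -> eth0" stack asked about above) is not rejected here; if that topology is also unsupported, the check needs to walk the lower-device chain rather than test one level. Separately, the context lines assign xs->xso.real_dev and bond->xs before this check, so the -EINVAL path returns with bond->xs still pointing at the SA that was just refused; moving both assignments below the check, or clearing bond->xs before rcu_read_unlock(), would avoid that. The nested case also reuses the "Slave does not support ipsec offload" warning, which hides the actual reason for the refusal.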
>@@ -453,8 +454,9 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs)
>
> xs->xso.real_dev = slave->dev;
>
>- if (!(slave->dev->xfrmdev_ops
>- && slave->dev->xfrmdev_ops->xdo_dev_state_delete)) {
>+ if (!slave->dev->xfrmdev_ops ||
>+ !slave->dev->xfrmdev_ops->xdo_dev_state_delete ||
>+ netif_is_bond_master(slave->dev)) {
> slave_warn(bond_dev, slave->dev, "%s: no slave xdo_dev_state_delete\n", __func__);
> goto out;
> }
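Review bot: in bond_ipsec_del_sa() the warning "%s: no slave xdo_dev_state_delete" is now also printed when the branch is taken because netif_is_bond_master(slave->dev) is true, which misreports the cause; give the nested-bond case its own message or make the text generic. Since bond_ipsec_add_sa() refuses the same condition, a short comment saying when a bond master can still be seen as the active slave on the delete path would help the reader, and xs->xso.real_dev is written in the context line above before the check decides whether the slave is usable.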
>@@ -479,8 +481,9 @@ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
> if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP)
> return true;
>
>- if (!(slave_dev->xfrmdev_ops
>- && slave_dev->xfrmdev_ops->xdo_dev_offload_ok)) {
>+ if (!slave_dev->xfrmdev_ops ||
>+ !slave_dev->xfrmdev_ops->xdo_dev_offload_ok ||
>+ netif_is_bond_master(slave_dev)) {
> slave_warn(bond_dev, slave_dev, "%s: no slave xdo_dev_offload_ok\n", __func__);
> return false;
> }
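Review bot: bond_ipsec_offload_ok() takes an skb and so runs per packet, yet the new netif_is_bond_master(slave_dev) term feeds the same slave_warn() call, so a nested configuration can log on every transmitted packet unless slave_warn() is rate limited; consider a ratelimited or once-only message for this case, and a text other than "no slave xdo_dev_offload_ok". Note also that the context lines return true for any mode other than BOND_MODE_ACTIVEBACKUP before the new check is reached, so the nested-bond test has no effect for those modes; say in the commit message whether that is intended.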
>--
>2.17.1
>
---
-Jay Vosburgh, jay.vosburgh@canonical.com