From: Steffen Klassert <steffen.klassert@secunet.com>
To: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Cc: herbert@gondor.apana.org.au, davem@davemloft.net,
netdev@vger.kernel.org, dbaluta@ixiacom.com
Subject: Re: [RFC PATCH ipsec] xfrm: use the right dev to fill xdst
Date: Fri, 5 Apr 2013 11:46:29 +0200
Message-ID: <20130405094629.GV21448@secunet.com>
In-Reply-To: <1365088362-4318-1-git-send-email-nicolas.dichtel@6wind.com>

On Thu, Apr 04, 2013 at 05:12:42PM +0200, Nicolas Dichtel wrote:
> Commit bc8e4b954e46 (xfrm6: ensure to use the same dev when building a bundle)
> broke IPsec for IPv4 over IPv6 tunnels (because dev points to an IPv4 only
> interface, hence in6_dev_get(dev) returns NULL).

Can you give some information on how to reproduce this? I'm running
interfamily tunnels on our testing environment and it seems to
work fine.

>
> After looking again into commit 25ee3286dcbc ([IPSEC]: Merge common code into
> xfrm_bundle_create), it seems that previously we were using dev from the route,
> for both IPv4 and IPv6.

I think this was the right way. We need to attach the dev from the
corresponding route to the xdst.

>
> In fact, xfrm_fill_dst() is called during a loop on chained dst, but dev points
> always to the same device.

The way we do it now can be problematic for tunnel in tunnel scenarios too.
We assign the dev from the first tunnel route to all the bundle entries,
this looks really wrong.

I think your patch is correct, but I want to understand the breaking
scenario first.

Thanks!