From: Jiri Pirko <jiri@resnulli.us>
To: ehakim@nvidia.com
Cc: sd@queasysnail.net, dsahern@kernel.org, netdev@vger.kernel.org
Subject: Re: [PATCH main v2 1/1] macsec: Fix Macsec replay protection
Date: Tue, 10 Jan 2023 17:50:17 +0100 [thread overview]
Message-ID: <Y72XSaZk2rFA0500@nanopsycho> (raw)
In-Reply-To: <20230110144901.31826-1-ehakim@nvidia.com>
But iproute2 into the subject []'s so it is clear where this patch is targeted.
Tue, Jan 10, 2023 at 03:49:01PM CET, ehakim@nvidia.com wrote:
>From: Emeel Hakim <ehakim@nvidia.com>
>
>Currently when configuring macsec with replay protection,
>replay protection and window gets a default value of -1,
>the above is leading to passing replay protection and
>replay window attributes to the kernel while replay is
>explicitly set to off, leading for an invalid argument
>error when configured with extended packet number (XPN).
>since the default window value which is 0xFFFFFFFF is
>passed to the kernel and while XPN is configured the above
>value is an invalid window value.
>
>Example:
>ip link add link eth2 macsec0 type macsec sci 1 cipher
>gcm-aes-xpn-128 replay off
>
>RTNETLINK answers: Invalid argument
>
>Fix by passing the window attribute to the kernel only if replay is on
>
>Fixes: b26fc590ce62 ("ip: add MACsec support")
>Signed-off-by: Emeel Hakim <ehakim@nvidia.com>
>---
>V1 -> V2: - Dont use boolean variable for replay protect since it will
> silently break disabling replay protection on an existing device.
> - Update commit message.
> ip/ipmacsec.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
>diff --git a/ip/ipmacsec.c b/ip/ipmacsec.c
>index 6dd73827..d96d69f1 100644
>--- a/ip/ipmacsec.c
>+++ b/ip/ipmacsec.c
>@@ -1517,7 +1517,8 @@ static int macsec_parse_opt(struct link_util *lu, int argc, char **argv,
> &cipher.icv_len, sizeof(cipher.icv_len));
>
> if (replay_protect != -1) {
>- addattr32(n, MACSEC_BUFLEN, IFLA_MACSEC_WINDOW, window);
>+ if (replay_protect)
>+ addattr32(n, MACSEC_BUFLEN, IFLA_MACSEC_WINDOW, window);
> addattr8(n, MACSEC_BUFLEN, IFLA_MACSEC_REPLAY_PROTECT,
> replay_protect);
> }
>--
>2.21.3
>
prev parent reply other threads:[~2023-01-10 16:50 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-10 14:49 [PATCH main v2 1/1] macsec: Fix Macsec replay protection ehakim
2023-01-10 16:50 ` Jiri Pirko [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y72XSaZk2rFA0500@nanopsycho \
--to=jiri@resnulli.us \
--cc=dsahern@kernel.org \
--cc=ehakim@nvidia.com \
--cc=netdev@vger.kernel.org \
--cc=sd@queasysnail.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).