From: Petr Machata <petrm@nvidia.com>
To: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
<netdev@vger.kernel.org>
Cc: Simon Horman <horms@kernel.org>, Ido Schimmel <idosch@nvidia.com>,
"Petr Machata" <petrm@nvidia.com>, <mlxsw@nvidia.com>
Subject: [RFC PATCH net-next 00/11] vxlan: Support user-defined reserved bits
Date: Mon, 18 Nov 2024 17:43:06 +0100
Message-ID: <cover.1731941465.git.petrm@nvidia.com>

Currently the VXLAN header validation works by vxlan_rcv() going feature
by feature, each feature clearing the bits that it consumes. If anything
is left unparsed at the end, the packet is rejected.

Unfortunately there are machines out there that send VXLAN packets with
reserved bits set, even if they are configured to not use the
corresponding features. One such report is here[1], and we have heard
similar complaints from our customers as well.

This patchset adds an attribute that makes it configurable which bits
the user wishes to tolerate and which they consider reserved. This was
recommended in [1] as well.

A knob like that inevitably allows users to set as reserved bits that
are in fact required for the features enabled by the netdevice, such as
GPE. This is detected, and such configurations are rejected.

In patches #1..#7, the reserved bits validation code is gradually moved
away from the unparsed approach described above, to one where a given
set of valid bits is precomputed and then the packet is validated
against that.

In patch #8, this precomputed set is made configurable through a new
attribute IFLA_VXLAN_RESERVED_BITS.

Patches #9 and #10 massage the testsuite a bit, so that patch #11 can
introduce a selftest for the reserved bits feature.

The corresponding iproute2 support is available in [2].

[1] https://lore.kernel.org/netdev/db8b9e19-ad75-44d3-bfb2-46590d426ff5@proxmox.com/
[2] https://github.com/pmachata/iproute2/commits/vxlan_reserved_bits/

Petr Machata (11):
  vxlan: In vxlan_rcv(), access flags through the vxlan netdevice
  vxlan: vxlan_rcv() callees: Move clearing of unparsed flags out
  vxlan: vxlan_rcv() callees: Drop the unparsed argument
  vxlan: vxlan_rcv(): Extract vxlan_hdr(skb) to a named variable
  vxlan: Track reserved bits explicitly as part of the configuration
  vxlan: Bump error counters for header mismatches
  vxlan: vxlan_rcv(): Drop unparsed
  vxlan: Add an attribute to make VXLAN header validation configurable
  selftests: net: lib: Rename ip_link_master() to ip_link_set_master()
  selftests: net: lib: Add several autodefer helpers
  selftests: forwarding: Add a selftest for the new reserved_bits UAPI

 drivers/net/vxlan/vxlan_core.c                | 150 +++++---
 include/net/vxlan.h                           |   1 +
 include/uapi/linux/if_link.h                  |   1 +
 tools/testing/selftests/net/fdb_notify.sh     |   6 +-
 tools/testing/selftests/net/forwarding/lib.sh |   7 -
 .../net/forwarding/vxlan_reserved.sh          | 352 ++++++++++++++++++
 tools/testing/selftests/net/lib.sh            |  41 +-
 7 files changed, 496 insertions(+), 62 deletions(-)
 create mode 100755 tools/testing/selftests/net/forwarding/vxlan_reserved.sh

-- 
2.47.0
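
Added example, not part of the original message and not code from the patch set: a simplified user-space model of the scheme the cover letter describes, where a reserved-bits mask is precomputed from the enabled features, a user-supplied mask is refused if it reserves a bit an enabled feature needs, and the receive path makes a single comparison. All `vx_*` / `VX_*` names are hypothetical; the flag positions follow RFC 7348 and the VXLAN-GPE draft header layout, and the sample headers are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Host-order view of the two 32-bit words of the 8-byte VXLAN header. */
struct vx_hdr { uint32_t flags, vni; };
struct vx_cfg { bool gpe; struct vx_hdr reserved; };
#define VX_F_VNI     0x08000000u /* RFC 7348 "I" flag: VNI is valid */
#define VX_VNI_MASK  0xffffff00u /* 24-bit VNI in the second word */
#define VX_GPE_P     0x04000000u /* VXLAN-GPE "P" flag (assumed layout) */
#define VX_GPE_PROTO 0x000000ffu /* VXLAN-GPE next-protocol field */

/* Bits that the features enabled on the device actually consume. */
static struct vx_hdr vx_used(bool gpe) {
    struct vx_hdr u = { VX_F_VNI, VX_VNI_MASK };
    if (gpe) u.flags |= VX_GPE_P | VX_GPE_PROTO;
    return u;
}

/* Default policy: every bit that no enabled feature uses is reserved. */
static struct vx_cfg vx_cfg_default(bool gpe) {
    struct vx_hdr u = vx_used(gpe);
    struct vx_cfg c = { gpe, { ~u.flags, ~u.vni } };
    return c;
}

/* User override: refuse a mask that reserves a bit an enabled feature needs. */
static int vx_cfg_set_reserved(struct vx_cfg *c, struct vx_hdr r) {
    struct vx_hdr u = vx_used(c->gpe);
    if ((r.flags & u.flags) || (r.vni & u.vni)) return -1;
    c->reserved = r;
    return 0;
}

/* Receive path: one comparison against the precomputed reserved mask. */
static bool vx_ok(const struct vx_cfg *c, struct vx_hdr h) {
    return (h.flags & VX_F_VNI) &&
           !(h.flags & c->reserved.flags) && !(h.vni & c->reserved.vni);
}

int main(void) {
    struct vx_cfg c = vx_cfg_default(false);
    /* Constructed header: valid VNI 100 plus one stray flag bit. */
    struct vx_hdr stray = { VX_F_VNI | 0x00800000u, 100u << 8 };
    struct vx_hdr tolerant = { c.reserved.flags & ~0x00800000u, c.reserved.vni };
    printf("strict accepts stray: %d\n", vx_ok(&c, stray));
    printf("override rc: %d\n", vx_cfg_set_reserved(&c, tolerant));
    printf("tolerant accepts stray: %d\n", vx_ok(&c, stray));
    return 0;
}
```

From a filtering standpoint, each bit removed from the reserved mask is a bit the receiver no longer checks, so the tolerated set is best kept to exactly the bits the misbehaving peer is known to set.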