sit: allow encapsulated IPv6 traffic to be delivered locally

Message ID 20220107123842.211335-1-ignat@cloudflare.com (mailing list archive)
State Accepted
Delegated to: Netdev Maintainers

Checks

Context Check Description
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers warning 1 maintainers not CCed: kuba@kernel.org
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/tree_selection success Guessing tree name failed - patch did not apply

Commit Message

Ignat Korchagin Jan. 7, 2022, 12:38 p.m. UTC
While experimenting with FOU encapsulation Amir noticed that encapsulated IPv6
traffic fails to be delivered, if the peer IP address is configured locally.

It can be easily verified by creating a sit interface like below:

$ sudo ip link add name fou_test type sit remote 127.0.0.1 encap fou encap-sport auto encap-dport 1111
$ sudo ip link set fou_test up

and sending some IPv4 and IPv6 traffic to it

$ ping -I fou_test -c 1 1.1.1.1
$ ping6 -I fou_test -c 1 fe80::d0b0:dfff:fe4c:fcbc

"tcpdump -i any udp dst port 1111" will confirm that only the first IPv4 ping
was encapsulated and attempted to be delivered.

This seems like a limitation: for example, in a cloud environment the "peer"
service may be arbitrarily scheduled on any server within the cluster, where all
nodes are trying to send encapsulated traffic. And the unlucky node will not be
able to. Moreover, delivering encapsulated IPv4 traffic locally is allowed.

But I may not have all the context about this restriction and this code predates
the observable git history.

Reported-by: Amir Razmjou <arazmjou@cloudflare.com>
Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
---
 net/ipv6/sit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

David Ahern Jan. 12, 2022, 7:59 p.m. UTC | #1
On 1/7/22 5:38 AM, Ignat Korchagin wrote:
> While experimenting with FOU encapsulation Amir noticed that encapsulated IPv6
> traffic fails to be delivered, if the peer IP address is configured locally.
> 
> It can be easily verified by creating a sit interface like below:
> 
> $ sudo ip link add name fou_test type sit remote 127.0.0.1 encap fou encap-sport auto encap-dport 1111
> $ sudo ip link set fou_test up
> 
> and sending some IPv4 and IPv6 traffic to it
> 
> $ ping -I fou_test -c 1 1.1.1.1
> $ ping6 -I fou_test -c 1 fe80::d0b0:dfff:fe4c:fcbc
> 
> "tcpdump -i any udp dst port 1111" will confirm that only the first IPv4 ping
> was encapsulated and attempted to be delivered.
> 
> This seems like a limitation: for example, in a cloud environment the "peer"
> service may be arbitrarily scheduled on any server within the cluster, where all
> nodes are trying to send encapsulated traffic. And the unlucky node will not be
> able to. Moreover, delivering encapsulated IPv4 traffic locally is allowed.
> 
> But I may not have all the context about this restriction and this code predates
> the observable git history.
> 
> Reported-by: Amir Razmjou <arazmjou@cloudflare.com>
> Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
> ---
>  net/ipv6/sit.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
> index 8a3618a30632..72968d4188b9 100644
> --- a/net/ipv6/sit.c
> +++ b/net/ipv6/sit.c
> @@ -956,7 +956,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
>  		dst_cache_set_ip4(&tunnel->dst_cache, &rt->dst, fl4.saddr);
>  	}
>  
> -	if (rt->rt_type != RTN_UNICAST) {
> +	if (rt->rt_type != RTN_UNICAST && rt->rt_type != RTN_LOCAL) {
>  		ip_rt_put(rt);
>  		dev->stats.tx_carrier_errors++;
>  		goto tx_error_icmp;
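
Review bot: the relaxed test `rt->rt_type != RTN_UNICAST && rt->rt_type != RTN_LOCAL` carries no comment saying why local routes are now accepted, and the commit message itself notes that the origin of the old restriction is unknown. A short comment above the condition would help: a tunnel remote that is configured on the local host is a valid destination (the `remote 127.0.0.1` FOU case from the commit message), while every other route type still takes the tx_carrier_errors path. That would keep a later reader from tightening the check again.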

Reviewed-by: David Ahern <dsahern@kernel.org>

Jakub Kicinski Jan. 12, 2022, 11:23 p.m. UTC | #2
On Wed, 12 Jan 2022 12:59:37 -0700 David Ahern wrote:
> On 1/7/22 5:38 AM, Ignat Korchagin wrote:
> > While experimenting with FOU encapsulation Amir noticed that encapsulated IPv6
> > traffic fails to be delivered, if the peer IP address is configured locally.
> > 
> > It can be easily verified by creating a sit interface like below:
> > 
> > $ sudo ip link add name fou_test type sit remote 127.0.0.1 encap fou encap-sport auto encap-dport 1111
> > $ sudo ip link set fou_test up
> > 
> > and sending some IPv4 and IPv6 traffic to it
> > 
> > $ ping -I fou_test -c 1 1.1.1.1
> > $ ping6 -I fou_test -c 1 fe80::d0b0:dfff:fe4c:fcbc
> > 
> > "tcpdump -i any udp dst port 1111" will confirm that only the first IPv4 ping
> > was encapsulated and attempted to be delivered.
> > 
> > This seems like a limitation: for example, in a cloud environment the "peer"
> > service may be arbitrarily scheduled on any server within the cluster, where all
> > nodes are trying to send encapsulated traffic. And the unlucky node will not be
> > able to. Moreover, delivering encapsulated IPv4 traffic locally is allowed.
> > 
> > But I may not have all the context about this restriction and this code predates
> > the observable git history.
> > 
> > Reported-by: Amir Razmjou <arazmjou@cloudflare.com>
> > Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
> 
> Reviewed-by: David Ahern <dsahern@kernel.org>

Applied, thanks!

Patch

diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 8a3618a30632..72968d4188b9 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -956,7 +956,7 @@  static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
 		dst_cache_set_ip4(&tunnel->dst_cache, &rt->dst, fl4.saddr);
 	}
 
-	if (rt->rt_type != RTN_UNICAST) {
+	if (rt->rt_type != RTN_UNICAST && rt->rt_type != RTN_LOCAL) {
 		ip_rt_put(rt);
 		dev->stats.tx_carrier_errors++;
 		goto tx_error_icmp;
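
Review bot: nothing in this patch exercises the new RTN_LOCAL case of the condition in ipip6_tunnel_xmit(); the diffstat touches only net/ipv6/sit.c. The commit message already contains a reproducer (a sit link with `remote 127.0.0.1` and `encap fou`, then ping6 and tcpdump on UDP port 1111) that could be turned into a selftest asserting that the IPv6 ping is encapsulated. Packets whose route to the remote is local were previously dropped here with tx_carrier_errors and will now be transmitted, so it would also be worth stating in the commit message whether any existing setup could rely on that drop.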