| Message ID | 20240322114624.160306-1-atenart@kernel.org (mailing list archive) |
|---|---|
| Headers | show |
| Series | gro: various fixes related to UDP tunnels | expand |
On Fri, 22 Mar 2024 12:46:19 +0100 Antoine Tenart wrote: > We found issues when a UDP tunnel endpoint is in a different netns than > where UDP GRO happens. This kind of setup is actually quite diverse, > from having one leg of the tunnel on a remove host, to having a tunnel > between netns (eg. being bridged in another one or on the host). In our > case that UDP tunnel was geneve. I think this series makes net/udpgro_fwd.sh selftest fail.
Quoting Jakub Kicinski (2024-03-22 23:55:50) > On Fri, 22 Mar 2024 12:46:19 +0100 Antoine Tenart wrote: > > We found issues when a UDP tunnel endpoint is in a different netns than > > where UDP GRO happens. This kind of setup is actually quite diverse, > > from having one leg of the tunnel on a remove host, to having a tunnel > > between netns (eg. being bridged in another one or on the host). In our > > case that UDP tunnel was geneve. > > I think this series makes net/udpgro_fwd.sh selftest fail. Thanks! Sorry for not checking this earlier... What happens is the vxlan tunnel tests expect GRO to happen at the veth level which is exactly the issues this series is fixing. The below diff should fix the tests. I think it's good to keep them to ensure GRO is actually not happening while packets are in an UDP tunnel; I also removed the "UDP tunnel fwd perf" test as it's not providing any useful data now IMO. diff --git a/tools/testing/selftests/net/udpgro_fwd.sh b/tools/testing/selftests/net/udpgro_fwd.sh index 380cb15e942e..83ed987cff34 100755 --- a/tools/testing/selftests/net/udpgro_fwd.sh +++ b/tools/testing/selftests/net/udpgro_fwd.sh @@ -244,7 +244,7 @@ for family in 4 6; do create_vxlan_pair ip netns exec $NS_DST ethtool -K veth$DST generic-receive-offload on ip netns exec $NS_DST ethtool -K veth$DST rx-gro-list on - run_test "GRO frag list over UDP tunnel" $OL_NET$DST 1 1 + run_test "GRO frag list over UDP tunnel" $OL_NET$DST 10 10 cleanup # use NAT to circumvent GRO FWD check @@ -258,13 +258,7 @@ for family in 4 6; do # load arp cache before running the test to reduce the amount of # stray traffic on top of the UDP tunnel ip netns exec $NS_SRC $PING -q -c 1 $OL_NET$DST_NAT >/dev/null - run_test "GRO fwd over UDP tunnel" $OL_NET$DST_NAT 1 1 $OL_NET$DST - cleanup - - create_vxlan_pair - run_bench "UDP tunnel fwd perf" $OL_NET$DST - ip netns exec $NS_DST ethtool -K veth$DST rx-udp-gro-forwarding on - run_bench "UDP tunnel GRO fwd perf" $OL_NET$DST + run_test "GRO fwd over UDP tunnel" $OL_NET$DST_NAT 10 10 $OL_NET$DST cleanup done
Hello, We found issues when a UDP tunnel endpoint is in a different netns than where UDP GRO happens. This kind of setup is actually quite diverse, from having one leg of the tunnel on a remove host, to having a tunnel between netns (eg. being bridged in another one or on the host). In our case that UDP tunnel was geneve. UDP tunnel packets should not be GROed at the UDP level. The fundamental issue here is such packet can't be detected in a foolproof way: we can't know by looking at a packet alone and the current logic of looking up UDP sockets is fragile (socket could be in another netns, packet could be modified in between, etc). Because there is no way to make the GRO code to correctly handle those packets in all cases, this series aims at two things: making the net stack to correctly behave (as in, no crash and no invalid packet) when such thing happens, and in some cases to prevent this "early GRO" from happening. First three patches fix issues when an "UDP tunneled" packet is being GROed too early by rx-udp-gro-forwarding or rx-gro-list. Last patch is preventing locally generated UDP tunnel packets from being GROed. This turns out to be more complex than this patch alone as it relies on skb->encapsulation which is currently untrusty in some cases (see iptunnel_handle_offloads); but that should fix things in practice and is acceptable for a fix. Future work is required to improve things (prevent all locally generated UDP tunnel packets from being GROed), such as fixing the misuse of skb->encapsulation in drivers; but that would be net-next material. Thanks! Antoine Since v2: - Fixed a build issue with IPv6=m in patch 1 (Jakub Kicinski feedback). - Fixed typo in patch 1 (Nikolay Aleksandrov feedback). - Added Reviewed-by tag on patch 2 (Willem de Bruijn feeback). - Added back conversion to CHECKSUM_UNNECESSARY but only from non CHECKSUM_PARTIAL in patch 3 (Paolo Abeni & Willem de Bruijn feeback). - Reworded patch 3 commit msg. Since v1: - Fixed a build issue with IPv6 disabled in patch 1. - Reworked commit log in patch 2 (Willem de Bruijn feedback). - Added Reviewed-by tags on patches 1 & 4 (Willem de Bruijn feeback). Antoine Tenart (4): udp: do not accept non-tunnel GSO skbs landing in a tunnel gro: fix ownership transfer udp: do not transition UDP GRO fraglist partial checksums to unnecessary udp: prevent local UDP tunnel packets from being GROed include/linux/udp.h | 28 ++++++++++++++++++++++++++++ net/core/gro.c | 3 ++- net/ipv4/udp.c | 7 +++++++ net/ipv4/udp_offload.c | 23 +++++++++++++---------- net/ipv6/udp.c | 2 +- net/ipv6/udp_offload.c | 8 +------- 6 files changed, 52 insertions(+), 19 deletions(-)