| Message ID | 20241101204732.183840-1-aconole@redhat.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [ovs-dev,net-next] openvswitch: Pass on secpath details for internal port rx. | expand |
On 1 Nov 2024, at 21:47, Aaron Conole wrote: > Clearing the secpath for internal ports will cause packet drops when > ipsec offload or early SW ipsec decrypt are used. Systems that rely > on these will not be able to actually pass traffic via openvswitch. > > There is still an open issue for a flow miss packet - this is because > we drop the extensions during upcall and there is no facility to > restore such data (and it is non-trivial to add such functionality > to the upcall interface). That means that when a flow miss occurs, > there will still be packet drops. With this patch, when a flow is > found then traffic which has an associated xfrm extension will > properly flow. > > Signed-off-by: Aaron Conole <aconole@redhat.com> Thanks for debugging and fixing this. The change looks good to me. Acked-by: Eelco Chaudron <echaudro@redhat.com>
Hello: This patch was applied to netdev/net-next.git (main) by Jakub Kicinski <kuba@kernel.org>: On Fri, 1 Nov 2024 16:47:32 -0400 you wrote: > Clearing the secpath for internal ports will cause packet drops when > ipsec offload or early SW ipsec decrypt are used. Systems that rely > on these will not be able to actually pass traffic via openvswitch. > > There is still an open issue for a flow miss packet - this is because > we drop the extensions during upcall and there is no facility to > restore such data (and it is non-trivial to add such functionality > to the upcall interface). That means that when a flow miss occurs, > there will still be packet drops. With this patch, when a flow is > found then traffic which has an associated xfrm extension will > properly flow. > > [...] Here is the summary with links: - [net-next] openvswitch: Pass on secpath details for internal port rx. https://git.kernel.org/netdev/net-next/c/7d1c2d517f50 You are awesome, thank you!
diff --git a/net/openvswitch/vport-internal_dev.c b/net/openvswitch/vport-internal_dev.c index 5858d65ea1a9..2412d7813d24 100644 --- a/net/openvswitch/vport-internal_dev.c +++ b/net/openvswitch/vport-internal_dev.c @@ -195,7 +195,6 @@ static int internal_dev_recv(struct sk_buff *skb) skb_dst_drop(skb); nf_reset_ct(skb); - secpath_reset(skb); skb->pkt_type = PACKET_HOST; skb->protocol = eth_type_trans(skb, netdev);
Clearing the secpath for internal ports will cause packet drops when ipsec offload or early SW ipsec decrypt are used. Systems that rely on these will not be able to actually pass traffic via openvswitch. There is still an open issue for a flow miss packet - this is because we drop the extensions during upcall and there is no facility to restore such data (and it is non-trivial to add such functionality to the upcall interface). That means that when a flow miss occurs, there will still be packet drops. With this patch, when a flow is found then traffic which has an associated xfrm extension will properly flow. Signed-off-by: Aaron Conole <aconole@redhat.com> --- net/openvswitch/vport-internal_dev.c | 1 - 1 file changed, 1 deletion(-)