This is a resend of the v3 series originally posted on 2026-05-05, which did not receive review feedback during the previous net-next window. No changes since v3; rebased cleanly on current net-next (after the net-next-7.2 merge).

v3 archive: https://lore.kernel.org/netdev/[email protected]/

UDP encapsulation (FOU, GUE) has never worked correctly with multicast destination addresses. When a FOU-encapsulated packet arrives at a multicast address, it enters __udp4_lib_mcast_deliver() which calls consume_skb() on packets that need resubmission to the inner protocol handler, silently dropping them instead.

The unicast delivery path handles this correctly by returning -ret, but the multicast path was never updated to support UDP encapsulation resubmit.

This causes silent packet loss for FOU/GRETAP tunnels configured with multicast remote addresses. The loss ratio depends on the early demux cache hit rate - packets that hit early demux bypass the multicast path and work correctly, masking the issue.

Reproducing the issue:

  ip netns add ns_a && ip netns add ns_b
  ip link add veth0 type veth peer name veth1
  ip link set veth0 netns ns_a && ip link set veth1 netns ns_b
  ip -n ns_a addr add 10.0.0.1/24 dev veth0 && ip -n ns_a link set veth0 up
  ip -n ns_b addr add 10.0.0.2/24 dev veth1 && ip -n ns_b link set veth1 up

  # Multicast routes
  ip -n ns_a route add 239.0.0.0/8 dev veth0
  ip -n ns_b route add 239.0.0.0/8 dev veth1

  # Disable early demux to expose the issue (otherwise it's partially masked)
  ip netns exec ns_b sysctl -w net.ipv4.ip_early_demux=0

  # Join multicast group on receiver
  ip -n ns_b addr add 239.0.0.1/32 dev veth1 autojoin

  # Sender: GRETAP with FOU encap
  ip -n ns_a link add eoudp0 type gretap \
      remote 239.0.0.1 local 10.0.0.1 \
      encap fou encap-sport 4797 encap-dport 4797 key 239.0.0.1
  ip -n ns_a link set eoudp0 up
  ip -n ns_a addr add 192.168.99.1/24 dev eoudp0

  # Receiver: FOU listener + GRETAP
  ip netns exec ns_b ip fou add port 4797 ipproto 47
  ip -n ns_b link add eoudp0 type gretap \
      remote 239.0.0.1 local 10.0.0.2 \
      encap fou encap-sport 4797 encap-dport 4797 key 239.0.0.1
  ip -n ns_b link set eoudp0 up
  ip -n ns_b addr add 192.168.99.2/24 dev eoudp0

  # Static neigh: ARP replies can't traverse unidirectional mcast tunnel
  recv_mac=$(ip -n ns_b link show eoudp0 | awk '/ether/{print $2}')
  ip -n ns_a neigh add 192.168.99.2 lladdr $recv_mac dev eoudp0

  # Test: ping through the FOU/GRETAP tunnel
  ip netns exec ns_a ping -c 100 192.168.99.2
  # -> without this patch: 0 packets received on eoudp0
  # -> with this patch: all packets received on eoudp0

AI assistance (Claude, claude-opus-4-6) was used during root cause analysis of the kernel source code (tracing the call chain from udp_queue_rcv_skb through encap_rcv to ip_protocol_deliver_rcu, comparing unicast/GSO/multicast paths) and during patch and selftest authoring. The fix approach was identified by observing that the unicast path (udp_unicast_rcv_skb) already handles encap resubmit correctly via return -ret, while the multicast path did not.

Changes since v2:
- Use return -ret instead of calling ip_protocol_deliver_rcu() directly, matching the unicast path and avoiding call stack growth with nested encapsulations (Kuniyuki Iwashima)
- Only change the first-socket path; the clone loop is not reachable for tunnel sockets (no SO_REUSEADDR/SO_REUSEPORT)
- Replace Python packet generator with ping through a properly configured FOU/GRETAP tunnel in the selftest
- Add static neighbor entry in the test (ARP replies cannot traverse the unidirectional multicast tunnel)

Changes since v1 (RFC):
- Moved inline Python packet generator into a separate helper
- Fixed author email typo in Signed-off-by

Anton Danilov (2):
  udp: fix encapsulation packet resubmit in multicast deliver
  selftests: net: add FOU multicast encapsulation resubmit test

 net/ipv4/udp.c                                |   6 +-
 net/ipv6/udp.c                                |   6 +-
 tools/testing/selftests/net/Makefile          |   1 +
 .../testing/selftests/net/fou_mcast_encap.sh  | 112 ++++++++++++++++++
 4 files changed, 121 insertions(+), 4 deletions(-)
 create mode 100755 tools/testing/selftests/net/fou_mcast_encap.sh

-- 
2.47.3
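
An added illustration, not part of the posted series and not kernel code: a user-space C model of the return-value convention the cover letter describes, showing why consuming the packet in the multicast first-socket path loses every encapsulated packet while returning -ret lets the IP layer resubmit it. The struct and all `model_*` names are hypothetical stand-ins for the kernel functions named above.

```c
#include <stdio.h>
/* Simplified user-space model, NOT kernel code; every name here is hypothetical. */
#define PROTO_UDP 17
#define PROTO_GRE 47 /* the "ipproto 47" of the FOU listener in the reproducer */
struct pkt { int dropped; };

/* Encap socket step: a positive result means "resubmit as this inner protocol". */
static int model_queue_rcv(struct pkt *p) { (void)p; return PROTO_GRE; }

/* Unicast path: hands the resubmit request up to the IP layer as -ret. */
static int model_unicast_rcv(struct pkt *p) {
    int ret = model_queue_rcv(p); return ret > 0 ? -ret : 0;
}

/* Multicast first-socket path before the fix: the packet is consumed instead. */
static int model_mcast_rcv_before(struct pkt *p) {
    if (model_queue_rcv(p) > 0) p->dropped = 1; /* stands in for consume_skb() */
    return 0;
}

/* Multicast first-socket path with the v3 approach: return -ret like unicast. */
static int model_mcast_rcv_after(struct pkt *p) {
    int ret = model_queue_rcv(p); return ret > 0 ? -ret : 0;
}

/* IP-layer dispatch: a negative handler result re-dispatches as protocol -ret. */
static int model_ip_deliver(struct pkt *p, int (*udp_rcv)(struct pkt *)) {
    int protocol = PROTO_UDP;
    while (protocol != PROTO_GRE) {
        int ret = udp_rcv(p);
        if (ret >= 0) return 0; /* nothing left to resubmit */
        protocol = -ret;
    }
    return 1; /* inner GRE handler reached */
}

/* Count how many of n encapsulated packets reach the inner handler. */
int model_run(int (*udp_rcv)(struct pkt *), int n) {
    int delivered = 0;
    for (int i = 0; i < n; i++) {
        struct pkt p = {0};
        delivered += model_ip_deliver(&p, udp_rcv);
    }
    return delivered;
}

int main(void) {
    printf("unicast=%d mcast_before=%d mcast_after=%d\n", model_run(model_unicast_rcv, 100),
           model_run(model_mcast_rcv_before, 100), model_run(model_mcast_rcv_after, 100));
    return 0;
}
```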
