Re: Looking for a lost patch

2015-05-27 Thread Steffen Klassert
On Thu, May 21, 2015 at 05:25:24PM -0400, David Miller wrote:
 From: Steffen Klassert steffen.klass...@secunet.com
 Date: Wed, 20 May 2015 08:32:23 +0200
 
  On Tue, May 19, 2015 at 11:32:15AM -0700, Alexander Duyck wrote:
  On 05/19/2015 12:57 AM, Steffen Klassert wrote:
  The MTU should be 1500. All the IPsec overhead is handled by PMTU
  discovery, just like in the case we use IPsec without vti tunnels.
  The IPv6 side of vti does it like that.
  
  The problem is the PMTU isn't communicated to things that make use
  of the tunnel.  For example if I do a ping -s 2000 x.x.x.x across
  an IPv6 VTI interface it will fail currently as it assumes the MTU
  is 1500 and so it is fragmenting the ping packet at sizes that won't
  be communicated across the underlying interface.
  
  Well, the problem is that the local socket is still attached on the
  skb. The socket gets an error notification if the packet is too big,
  but ping does not care much about these error notifications.
  
  One option to get such applications to work is to orphan the skb
  in the vti xmit function. Then the packet is not assumed to be
  local, so PMTU discovery is triggered on that route.
  
  Something like this should work for IPv6:
 
 When a packet traverses software layered devices, we should not orphan
 the socket.
 
 In fact, we have taken great pains to make sure this works so that the
 socket memory accounting is done correctly on the original top-level
 socket.

I have not considered this as an official patch :)
It was more to demonstrate that PMTU discovery with IPsec tunnels can
work, so we don't need to reduce the MTU of the tunnel device.

We currently check if a socket is attached to a skb and do socket
error notification in this case, otherwise we do PMTU discovery if
the packet is too big. Looks like this socket check is not sufficient
if the packet is already transmitted through a tunnel device.

I wonder if we have something to know that a packet was already
transmitted through a tunnel device. We could switch from socket
notification to PMTU discovery in this case.
--
To unsubscribe from this list: send the line unsubscribe netdev in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: Looking for a lost patch

2015-05-27 Thread David Miller
From: Steffen Klassert steffen.klass...@secunet.com
Date: Wed, 27 May 2015 10:35:16 +0200

 We currently check if a socket is attached to a skb and do socket
 error notification in this case, otherwise we do PMTU discovery if
 the packet is too big. Looks like this socket check is not sufficient
 if the packet is already transmitted through a tunnel device.
 
 I wonder if we have something to know that a packet was already
 transmitted through a tunnel device. We could switch from socket
 notification to PMTU discovery in this case.

Generally speaking, we should not be orphaning the socket as it
traverses through tunnels.

In fact we have taken great pains to avoid doing this.

See, for example, commits:

7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab
aad88724c9d54acb1a9737cb6069d8470fa85f74
b0270e91014dabfceaf37f5b40ad51bbf21a1302

Therefore what we always should do is retain the original socket
ownership on the SKB, and layers that implement tunneling using
sockets should pass the socket pointer through their output path(s)
and never use skb->sk for this.



Re: Looking for a lost patch

2015-05-27 Thread Steffen Klassert
On Wed, May 27, 2015 at 11:46:03AM -0400, David Miller wrote:
 From: Steffen Klassert steffen.klass...@secunet.com
 Date: Wed, 27 May 2015 10:35:16 +0200
 
  We currently check if a socket is attached to a skb and do socket
  error notification in this case, otherwise we do PMTU discovery if
  the packet is too big. Looks like this socket check is not sufficient
  if the packet is already transmitted through a tunnel device.
  
  I wonder if we have something to know that a packet was already
  transmitted through a tunnel device. We could switch from socket
  notification to PMTU discovery in this case.
 
 Generally speaking, we should not be orphaning the socket as it
 traverses through tunnels.
 
 In fact we have taken great pains to avoid doing this.

Yes, I'm aware of this. I don't want to orphan the socket,
all I wanted to do is to change the way we notify about MTU
changes. I.e. use icmpv6_send() instead of xfrm_local_error()
if the packet traversed a tunnel, that's why I wondered whether
we can know this.


Re: Looking for a lost patch

2015-05-21 Thread David Miller
From: Steffen Klassert steffen.klass...@secunet.com
Date: Wed, 20 May 2015 08:32:23 +0200

 On Tue, May 19, 2015 at 11:32:15AM -0700, Alexander Duyck wrote:
 On 05/19/2015 12:57 AM, Steffen Klassert wrote:
 The MTU should be 1500. All the IPsec overhead is handled by PMTU
 discovery, just like in the case we use IPsec without vti tunnels.
 The IPv6 side of vti does it like that.
 
 The problem is the PMTU isn't communicated to things that make use
 of the tunnel.  For example if I do a ping -s 2000 x.x.x.x across
 an IPv6 VTI interface it will fail currently as it assumes the MTU
 is 1500 and so it is fragmenting the ping packet at sizes that won't
 be communicated across the underlying interface.
 
 Well, the problem is that the local socket is still attached on the
 skb. The socket gets an error notification if the packet is too big,
 but ping does not care much about these error notifications.
 
 One option to get such applications to work is to orphan the skb
 in the vti xmit function. Then the packet is not assumed to be
 local, so PMTU discovery is triggered on that route.
 
 Something like this should work for IPv6:

When a packet traverses software layered devices, we should not orphan
the socket.

In fact, we have taken great pains to make sure this works so that the
socket memory accounting is done correctly on the original top-level
socket.


Re: Looking for a lost patch

2015-05-20 Thread Alexander Duyck

On 05/19/2015 11:32 PM, Steffen Klassert wrote:
 On Tue, May 19, 2015 at 11:32:15AM -0700, Alexander Duyck wrote:
 On 05/19/2015 12:57 AM, Steffen Klassert wrote:
 The MTU should be 1500. All the IPsec overhead is handled by PMTU
 discovery, just like in the case we use IPsec without vti tunnels.
 The IPv6 side of vti does it like that.
 
 The problem is the PMTU isn't communicated to things that make use
 of the tunnel.  For example if I do a ping -s 2000 x.x.x.x across
 an IPv6 VTI interface it will fail currently as it assumes the MTU
 is 1500 and so it is fragmenting the ping packet at sizes that won't
 be communicated across the underlying interface.
 
 Well, the problem is that the local socket is still attached on the
 skb. The socket gets an error notification if the packet is too big,
 but ping does not care much about these error notifications.
 
 One option to get such applications to work is to orphan the skb
 in the vti xmit function. Then the packet is not assumed to be
 local, so PMTU discovery is triggered on that route.
 
 Something like this should work for IPv6:

diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index ed9d681..cd50bc1 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -459,6 +459,7 @@ vti6_xmit(struct sk_buff *skb, struct net_device *dev, 
struct flowi *fl)
goto tx_err_dst_release;
}
  
+	skb_orphan(skb);

skb_scrub_packet(skb, !net_eq(t-net, dev_net(dev)));
skb_dst_set(skb, dst);
skb-dev = skb_dst(skb)-dev;
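
Review bot: The skb_orphan(skb) call added ahead of skb_scrub_packet() in vti6_xmit() is unconditional, so every skb sent through the tunnel loses its owning socket, not only the oversized ones whose too-big handling the change is meant to alter; once the skb is orphaned the sending socket is no longer charged for data still queued below the tunnel device. The line also has no comment saying it exists to change how too-big packets are reported. Suggest keeping socket ownership on the skb and selecting the notification method at the point where the size check fails, and documenting that choice there.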



This works, sort-of.  I have to ping from both ends before I can start 
to send traffic.


I am going to do some digging.  It seems like there should be some way 
to get the PMTU fed back into the PMTU for the VTI interface. If we can 
do that it would save a ton of pain.


- Alex