linux < 4.8: x-netns vti is broken

Bug #1744078 reported by Julien Meunier on 2018-01-18
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Medium
Joseph Salisbury
Xenial
Medium
Joseph Salisbury

Bug Description

The following upstream patch is missing:

11d7a0bb95ea xfrm: Only add l3mdev oif to dst lookups
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=11d7a0bb95ea

There are several ways to reproduce this problem. Here an example:

# Prepare netns
ip netns add test
ip netns exec test sysctl -q -w net.ipv4.conf.all.forwarding=1
ip netns exec test ip link set lo up
ip netns exec test ip addr add 172.16.1.1/24 dev lo

# Create VTI iface and move it in netns test
ip addr add 1.1.1.1/32 dev lo
ip link add name vti_test type vti local 1.1.1.1 remote 2.2.2.2 key 0x1
ip link set dev vti_test netns test

# Configure IPsec
ip xfrm state add src 1.1.1.1 dst 2.2.2.2 proto esp spi 1 mode tunnel enc 'cbc(aes)' '0x11111111111111111111111111111111' auth-trunc 'hmac(sha1)' '0x2222222222222222222222222222222222222222' 96 flag align4 mark 0x1
ip xfrm state add src 2.2.2.2 dst 1.1.1.1 proto esp spi 2 mode tunnel enc 'cbc(aes)' '0x33333333333333333333333333333333' auth-trunc 'hmac(sha1)' '0x4444444444444444444444444444444444444444' 96 flag align4 mark 0x1
ip xfrm policy add dir out tmpl src 1.1.1.1 dst 2.2.2.2 proto esp mode tunnel mark 0x1
ip xfrm policy add dir in tmpl src 2.2.2.2 dst 1.1.1.1 proto esp mode tunnel mark 0x1

# Configure SVTI
ip netns exec test ip link set dev vti_test up

# Add route
ip netns exec test ip route add 172.16.2.0/24 dev vti_test

# Run a tcpdump on the output interface (given by "ip route get 2.2.2.2")
tcpdump -nei eth0 &

# Ping from the netns
ip netns exec test ping 172.16.2.1 -I 172.16.1.1 -c 4

------

On 4.4.0-109-generic:
(ping) From 172.16.1.1 icmp_seq=1 Destination Host Unreachable
(tcpdump) no IPsec packet

=> Problem

On 4.8.0-58-generic:
(ping): no error raised
(tcpdump) 15:09:45.109776 de:ad:de:01:02:03 > 52:55:0a:00:02:02, ethertype IPv4 (0x0800), length 166: 1.1.1.1 > 2.2.2.2: ESP(spi=0x00000001,seq=0x2), length 132
(tcpdump) 15:10:05.422243 de:ad:de:01:02:03 > 52:55:0a:00:02:02, ethertype IPv4 (0x0800), length 166: 1.1.1.1 > 2.2.2.2: ESP(spi=0x00000001,seq=0x3), length 132

=> No problem

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in linux (Ubuntu):
status: New → Confirmed
Changed in linux (Ubuntu):
importance: Undecided → Medium
Changed in linux (Ubuntu Xenial):
status: New → Triaged
Changed in linux (Ubuntu):
status: Confirmed → Triaged
tags: added: kernel-da-key xenial
Changed in linux (Ubuntu Xenial):
importance: Undecided → Medium
Changed in linux (Ubuntu):
assignee: nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Xenial):
assignee: nobody → Joseph Salisbury (jsalisbury)
status: Triaged → In Progress
Changed in linux (Ubuntu):
status: Triaged → In Progress
Joseph Salisbury (jsalisbury) wrote :

I built a test kernel with commit 11d7a0bb95ea. The test kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1744078

Can you test this kernel and see if it resolves this bug?

Note, to test this kernel, you need to install both the linux-image and linux-image-extra .deb packages.

Thanks in advance!

Julien Meunier (julien-meunier) wrote :

It resolves the problem ! Thanks !

> uname -a
Linux ubuntu1604 4.4.0-109-generic #132~lp1744078 SMP Mon Jan 22 16:08:56 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

... config ...

(ping): no error raised
(tcpdump) 10:24:52.885081 de:ad:de:01:02:03 > 52:55:0a:00:02:02, ethertype IPv4 (0x0800), length 166: 1.1.1.1 > 2.2.2.2: ESP(spi=0x00000001,seq=0x1), length 132
(tcpdump) 10:24:53.892653 de:ad:de:01:02:03 > 52:55:0a:00:02:02, ethertype IPv4 (0x0800), length 166: 1.1.1.1 > 2.2.2.2: ESP(spi=0x00000001,seq=0x2), length 132

=> OK

Julien Meunier (julien-meunier) wrote :

Hi,

What is the status of this bug ? Regarding the patches, are they integrated ?

Thanks in advance.

Joseph Salisbury (jsalisbury) wrote :

Just replied to the SRU request in comment #4, asking for a second ACK.

Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Stefan Bader (smb) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
Julien Meunier (julien-meunier) wrote :

I have tested on Kernel 4.4.0-117-generic #141-Ubuntu, x-netns vti is working properly.

tags: added: verification-done-xenial
removed: verification-needed-xenial
Launchpad Janitor (janitor) wrote :
Download full text (56.9 KiB)

This bug was fixed in the package linux - 4.4.0-119.143

---------------
linux (4.4.0-119.143) xenial; urgency=medium

  * linux: 4.4.0-119.143 -proposed tracker (LP: #1760327)

  * Dell XPS 13 9360 bluetooth scan can not detect any device (LP: #1759821)
    - Revert "Bluetooth: btusb: fix QCA Rome suspend/resume"

linux (4.4.0-118.142) xenial; urgency=medium

  * linux: 4.4.0-118.142 -proposed tracker (LP: #1759607)

  * Kernel panic with AWS 4.4.0-1053 / 4.4.0-1015 (Trusty) (LP: #1758869)
    - x86/microcode/AMD: Do not load when running on a hypervisor

  * CVE-2018-8043
    - net: phy: mdio-bcm-unimac: fix potential NULL dereference in
      unimac_mdio_probe()

linux (4.4.0-117.141) xenial; urgency=medium

  * linux: 4.4.0-117.141 -proposed tracker (LP: #1755208)

  * Xenial update to 4.4.114 stable release (LP: #1754592)
    - x86/asm/32: Make sync_core() handle missing CPUID on all 32-bit kernels
    - usbip: prevent vhci_hcd driver from leaking a socket pointer address
    - usbip: Fix implicit fallthrough warning
    - usbip: Fix potential format overflow in userspace tools
    - x86/microcode/intel: Fix BDW late-loading revision check
    - x86/retpoline: Fill RSB on context switch for affected CPUs
    - sched/deadline: Use the revised wakeup rule for suspending constrained dl
      tasks
    - can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once
    - can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once
    - PM / sleep: declare __tracedata symbols as char[] rather than char
    - time: Avoid undefined behaviour in ktime_add_safe()
    - timers: Plug locking race vs. timer migration
    - Prevent timer value 0 for MWAITX
    - drivers: base: cacheinfo: fix x86 with CONFIG_OF enabled
    - drivers: base: cacheinfo: fix boot error message when acpi is enabled
    - PCI: layerscape: Add "fsl,ls2085a-pcie" compatible ID
    - PCI: layerscape: Fix MSG TLP drop setting
    - mmc: sdhci-of-esdhc: add/remove some quirks according to vendor version
    - fs/select: add vmalloc fallback for select(2)
    - hwpoison, memcg: forcibly uncharge LRU pages
    - cma: fix calculation of aligned offset
    - mm, page_alloc: fix potential false positive in __zone_watermark_ok
    - ipc: msg, make msgrcv work with LONG_MIN
    - x86/ioapic: Fix incorrect pointers in ioapic_setup_resources()
    - ACPI / processor: Avoid reserving IO regions too early
    - ACPI / scan: Prefer devices without _HID/_CID for _ADR matching
    - ACPICA: Namespace: fix operand cache leak
    - netfilter: x_tables: speed up jump target validation
    - netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed
      in 64bit kernel
    - netfilter: nf_dup_ipv6: set again FLOWI_FLAG_KNOWN_NH at flowi6_flags
    - netfilter: nf_ct_expect: remove the redundant slash when policy name is
      empty
    - netfilter: nfnetlink_queue: reject verdict request from different portid
    - netfilter: restart search if moved to other chain
    - netfilter: nf_conntrack_sip: extend request line validation
    - netfilter: use fwmark_reflect in nf_send_reset
    - ext2: Don't clear SGID when inheriting ACLs
    - reiserfs: fix race in prealloc discard
    - re...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Changed in linux (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers