Public bug reported:

The following upstream patch is missing:

11d7a0bb95ea xfrm: Only add l3mdev oif to dst lookups
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=11d7a0bb95ea

There are several ways to reproduce this problem. Here is an example:

# Prepare netns
ip netns add test
ip netns exec test sysctl -q -w net.ipv4.conf.all.forwarding=1
ip netns exec test ip link set lo up
ip netns exec test ip addr add 172.16.1.1/24 dev lo

# Create VTI iface and move it in netns test
ip addr add 1.1.1.1/32 dev lo
ip link add name vti_test type vti local 1.1.1.1 remote 2.2.2.2 key 0x1
ip link set dev vti_test netns test

# Configure IPsec
ip xfrm state add src 1.1.1.1 dst 2.2.2.2 proto esp spi 1 mode tunnel enc 'cbc(aes)' '0x11111111111111111111111111111111' auth-trunc 'hmac(sha1)' '0x2222222222222222222222222222222222222222' 96 flag align4 mark 0x1
ip xfrm state add src 2.2.2.2 dst 1.1.1.1 proto esp spi 2 mode tunnel enc 'cbc(aes)' '0x33333333333333333333333333333333' auth-trunc 'hmac(sha1)' '0x4444444444444444444444444444444444444444' 96 flag align4 mark 0x1
ip xfrm policy add dir out tmpl src 1.1.1.1 dst 2.2.2.2 proto esp mode tunnel mark 0x1
ip xfrm policy add dir in tmpl src 2.2.2.2 dst 1.1.1.1 proto esp mode tunnel mark 0x1

# Configure SVTI
ip netns exec test ip link set dev vti_test up

# Add route
ip netns exec test ip route add 172.16.2.0/24 dev vti_test

# Run a tcpdump on the output interface (given by "ip route get 2.2.2.2")
tcpdump -nei eth0 &

# Ping from the netns
ip netns exec test ping 172.16.2.1 -I 172.16.1.1 -c 4

------

On 4.4.0-109-generic:
(ping) From 172.16.1.1 icmp_seq=1 Destination Host Unreachable
(tcpdump) no IPsec packet
=> Problem

On 4.8.0-58-generic:
(ping) no error raised
(tcpdump) 15:09:45.109776 de:ad:de:01:02:03 > 52:55:0a:00:02:02, ethertype IPv4 (0x0800), length 166: 1.1.1.1 > 2.2.2.2: ESP(spi=0x00000001,seq=0x2), length 132
(tcpdump) 15:10:05.422243 de:ad:de:01:02:03 > 52:55:0a:00:02:02, ethertype IPv4 (0x0800), length 166: 1.1.1.1 > 2.2.2.2: ESP(spi=0x00000001,seq=0x3), length 132
=> No problem

** Affects: linux (Ubuntu)
   Importance: Undecided
   Status: Confirmed

https://bugs.launchpad.net/bugs/1744078

Title:
  linux < 4.8: x-netns vti is broken

Status in linux package in Ubuntu:
  Confirmed
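As an added helper that is not part of the bug report: a POSIX shell snippet that flags kernels below 4.8 (the threshold named in the bug title) and classifies one reproducer run from its ping and tcpdump output, so the outcome of the steps above can be checked mechanically. It assumes the distribution has not backported 11d7a0bb95ea, and it uses the report's tunnel endpoints 1.1.1.1 and 2.2.2.2; the sample strings are constructed from the two runs shown in the report.

```shell
#!/bin/sh
# Added helper, not part of the bug report: flag kernels that predate the fix
# and classify one reproducer run from its ping / tcpdump output.

# Kernels below 4.8 lack 11d7a0bb95ea ("xfrm: Only add l3mdev oif to dst lookups").
# Assumption: the distribution has not backported it. Exit 0 = affected.
kernel_lacks_fix() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%-*}
    [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 8 ]; }
}

# Count ESP packets from $1 to $2 in tcpdump output read on stdin (fixed-string
# match, so the dots in the addresses are literal). Prints the count.
count_esp() {
    grep -cF "$1 > $2: ESP(spi=" || true
}

# Classify one run: "ok" when ESP left the box, "problem" when ping failed with
# Destination Host Unreachable and no ESP was captured, "unknown" otherwise.
classify_run() {
    esp=$(printf '%s\n' "$2" | count_esp 1.1.1.1 2.2.2.2)
    if [ "$esp" -gt 0 ]; then
        echo ok
    elif printf '%s\n' "$1" | grep -q 'Destination Host Unreachable'; then
        echo problem
    else
        echo unknown
    fi
}

# Constructed samples, copied from the two runs shown in the report.
PING_BAD='From 172.16.1.1 icmp_seq=1 Destination Host Unreachable'
TCPDUMP_GOOD='15:09:45.109776 de:ad:de:01:02:03 > 52:55:0a:00:02:02, ethertype IPv4 (0x0800), length 166: 1.1.1.1 > 2.2.2.2: ESP(spi=0x00000001,seq=0x2), length 132
15:10:05.422243 de:ad:de:01:02:03 > 52:55:0a:00:02:02, ethertype IPv4 (0x0800), length 166: 1.1.1.1 > 2.2.2.2: ESP(spi=0x00000001,seq=0x3), length 132'

# Stand-alone run: check the running kernel and both sample outcomes.
kernel_lacks_fix "$(uname -r)" && echo "kernel $(uname -r): below 4.8, likely affected" || echo "kernel $(uname -r): 4.8 or newer"
echo "4.4.0-109-generic run: $(classify_run "$PING_BAD" "")"
echo "4.8.0-58-generic run:  $(classify_run "" "$TCPDUMP_GOOD")"
```

To apply it to a live run, capture the ping output and the tcpdump output into two variables and pass them to classify_run in that order.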