Received: by 2002:a05:6a10:9afc:0:0:0:0 with SMTP id t28csp1410478pxm; Thu, 24 Feb 2022 02:34:26 -0800 (PST) X-Google-Smtp-Source: ABdhPJzx0tYQ53hr8SSQHucGSR04a2LJmpwVyJzGX2bCkaJMfjuEMyv4sQ1oZFWaS2XJQHos35rO X-Received: by 2002:a05:6402:2790:b0:412:8379:f248 with SMTP id b16-20020a056402279000b004128379f248mr1669273ede.285.1645698866068; Thu, 24 Feb 2022 02:34:26 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1645698866; cv=none; d=google.com; s=arc-20160816; b=Qk8EH71vxJavWK1fYmDWaY+p3JJz4U3XO5N+sv4tOz8JcZ4DCZUXHHyEX6YH/4+ege qDobp9Fq3AXN9EuVZvCjuk5CZ6aDDjpFQ7K048evQXYQO1XSY3w8Lq6NE+tqPgHFYyUk s7aXQXf6ixpkbMtrfU+NSGTY8DuO6EnVld53flOrwbuX7aeO/NCVZvRDsyB1I9Nrdv05 QvdN+kK6lVIqhitqLXNh7CsVtYi8wEXgUNeEp/l2Sjf5yyO0yuSOhXd4ModwN0jlMzIV 1cdQUhKYhBrssqwwfGPL8co9U+tdYIk11u05+9o98kJiAaAacLriBTq7V07iIS34CEID Bm3A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=l8LPoqj+hB5tabS5k1LbOfRSZZQk8ggbFJ+KIjy97kk=; b=faIADuWXgSSO36ntIe2cgeaElOrNxjKQvRqOf8U35IDbksrDIA1VmEfS8PwfzGMitL HDfNF9yd7fyPmsVcZLmD50ir+pxn8H6TUPXWt5A+feTNDX6KXg/HwG9rail5328MbmIJ B5QyCvAoIXfRLVQmm0Nmw9bUkR9EZ6ltdiBF3k+WfA5xE5YsDsDZurtkCWSQ2noU9SEs p+yxZe/Wb9abpa102Zxx/hCoNJZnOJGdAPcCzkqD7yXjhS4vajKnIRbivNkY4Bb/Krz8 upcNjsSFuYP9uFybGoSXKdy9ZwGr2fem/aZY/OT+WpBMpgRl9ZcNiIwNljnyuCM5xGbu JhSw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ca20si1241586edb.378.2022.02.24.02.34.00; Thu, 24 Feb 2022 02:34:26 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233387AbiBXKXq (ORCPT + 99 others); Thu, 24 Feb 2022 05:23:46 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57144 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232152AbiBXKXo (ORCPT ); Thu, 24 Feb 2022 05:23:44 -0500 Received: from a.mx.secunet.com (a.mx.secunet.com [62.96.220.36]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1939D16BFA4; Thu, 24 Feb 2022 02:23:13 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by a.mx.secunet.com (Postfix) with ESMTP id 8027220533; Thu, 24 Feb 2022 11:23:10 +0100 (CET) X-Virus-Scanned: by secunet Received: from a.mx.secunet.com ([127.0.0.1]) by localhost (a.mx.secunet.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xobbXqXTnjQx; Thu, 24 Feb 2022 11:23:09 +0100 (CET) Received: from mailout1.secunet.com (mailout1.secunet.com [62.96.220.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by a.mx.secunet.com (Postfix) with ESMTPS id E574A20504; Thu, 24 Feb 2022 11:23:09 +0100 (CET) Received: from cas-essen-01.secunet.de (unknown [10.53.40.201]) by mailout1.secunet.com (Postfix) with ESMTP id DF56380004A; Thu, 24 Feb 2022 11:23:09 +0100 (CET) Received: from mbx-essen-01.secunet.de (10.53.40.197) by cas-essen-01.secunet.de (10.53.40.201) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.18; Thu, 24 Feb 2022 11:23:09 +0100 Received: from gauss2.secunet.de (10.182.7.193) by mbx-essen-01.secunet.de (10.53.40.197) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.18; Thu, 24 Feb 2022 11:23:09 +0100 Received: by gauss2.secunet.de (Postfix, from userid 1000) id 23B393182EF0; Thu, 24 Feb 2022 11:23:09 +0100 (CET) Date: Thu, 24 Feb 2022 11:23:09 +0100 From: Steffen Klassert To: Lina Wang CC: Herbert Xu , "David S . Miller" , Hideaki YOSHIFUJI , "David Ahern" , Jakub Kicinski , "Matthias Brugger" , , , Subject: Re: [PATCH v2] xfrm: fix tunnel model fragmentation behavior Message-ID: <20220224102309.GN1223722@gauss3.secunet.de> References: <20220224060931.30404-1-lina.wang@mediatek.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Disposition: inline In-Reply-To: <20220224060931.30404-1-lina.wang@mediatek.com> X-ClientProxiedBy: cas-essen-02.secunet.de (10.53.40.202) To mbx-essen-01.secunet.de (10.53.40.197) X-EXCLAIMER-MD-CONFIG: 2c86f778-e09b-4440-8b15-867914633a10 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Feb 24, 2022 at 02:09:31PM +0800, Lina Wang wrote: > In tunnel mode, if outer interface(ipv4) is less, it is easily to let > inner IPV6 mtu be less than 1280. If so, a Packet Too Big ICMPV6 message > is received. When send again, packets are fragmentized with 1280, they > are still rejected with ICMPV6(Packet Too Big) by xfrmi_xmit2(). > > According to RFC4213 Section3.2.2: > if (IPv4 path MTU - 20) is less than 1280 > if packet is larger than 1280 bytes > Send ICMPv6 "packet too big" with MTU = 1280. > Drop packet. > else > Encapsulate but do not set the Don't Fragment > flag in the IPv4 header. The resulting IPv4 > packet might be fragmented by the IPv4 layer > on the encapsulator or by some router along > the IPv4 path. > endif > else > if packet is larger than (IPv4 path MTU - 20) > Send ICMPv6 "packet too big" with > MTU = (IPv4 path MTU - 20). > Drop packet. > else > Encapsulate and set the Don't Fragment flag > in the IPv4 header. > endif > endif > Packets should be fragmentized with ipv4 outer interface, so change it. > > After it is fragemtized with ipv4, there will be double fragmenation. > No.48 & No.51 are ipv6 fragment packets, No.48 is double fragmentized, > then tunneled with IPv4(No.49& No.50), which obey spec. And received peer > cannot decrypt it rightly. > > 48 2002::10 2002::11 1296(length) IPv6 fragment (off=0 more=y ident=0xa20da5bc nxt=50) > 49 0x0000 (0) 2002::10 2002::11 1304 IPv6 fragment (off=0 more=y ident=0x7448042c nxt=44) > 50 0x0000 (0) 2002::10 2002::11 200 ESP (SPI=0x00035000) > 51 2002::10 2002::11 180 Echo (ping) request > 52 0x56dc 2002::10 2002::11 248 IPv6 fragment (off=1232 more=n ident=0xa20da5bc nxt=50) > > esp_noneed_fragment has fixed above issues. Finally, it acted like below: > 1 0x6206 192.168.1.138 192.168.1.1 1316 Fragmented IP protocol (proto=Encap Security Payload 50, off=0, ID=6206) [Reassembled in #2] > 2 0x6206 2002::10 2002::11 88 IPv6 fragment (off=0 more=y ident=0x1f440778 nxt=50) > 3 0x0000 2002::10 2002::11 248 ICMPv6 Echo (ping) request > > Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces") > Signed-off-by: Lina Wang Your patch does not apply, it is not in plain text format. > --- > net/ipv6/xfrm6_output.c | 16 ++++++++++++++++ > net/xfrm/xfrm_interface.c | 5 ++++- > 2 files changed, 20 insertions(+), 1 deletion(-) > > diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c > index d0d280077721..1ee643f8f5d5 100644 > --- a/net/ipv6/xfrm6_output.c > +++ b/net/ipv6/xfrm6_output.c > @@ -45,6 +45,19 @@ static int __xfrm6_output_finish(struct net *net, struct sock *sk, struct sk_buf > return xfrm_output(sk, skb); > } > > +static int esp_noneed_fragment(struct sk_buff *skb) > +{ > + struct frag_hdr *fh; > + u8 prevhdr = ipv6_hdr(skb)->nexthdr; > + > + if (prevhdr != NEXTHDR_FRAGMENT) > + return 0; > + fh = (struct frag_hdr *)(skb->data + sizeof(struct ipv6hdr)); > + if (fh->nexthdr == NEXTHDR_ESP || fh->nexthdr == NEXTHDR_AUTH) > + return 1; > + return 0; > +} While at it, this is not an ESP speciffic function. Please rename to xfrm_noneed_fragment.