bpf: Correctly use revalidate_data_pull() in do_decrypt() #14689

Merged
merged 1 commit into from Jan 22, 2021

Member

@tgraf tgraf commented Jan 21, 2021

The IPv6 path in do_decrypt() was already correctly using
revalidate_data_pull(). The IPv4 path was not. If not enough headers
were pull'ed, the call would fail which resulted in ESP packets not
being detected correctly and thus not decrypted due to lacking the
packet mark.

This seems to be a regression introduced with the refactoring commit
9ed106a. Only 1.9 is affected.

Fixes: 9ed106a ("cilium: create lib for encryption")

Suggested-by: John Fastabend <john.fastabend@gmail.com>

The IPv6 path in do_decrypt() was already correctly using
revalidate_data_pull(). The IPv4 path was not. If not enough headers
were pull'ed, the call would fail which resulted in ESP packets not
being detected correctly and thus not decrypted due to lacking the
packet mark.

This seems to be a regression introduced with the refactoring commit
9ed106a.

Fixes: 9ed106a ("cilium: create lib for encryption")

Suggested-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Thomas Graf <thomas@cilium.io>
@tgraf tgraf added kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. needs-backport/1.9 labels Jan 21, 2021
@tgraf tgraf requested a review from a team January 21, 2021 21:24
@maintainer-s-little-helper maintainer-s-little-helper bot added this to In progress in 1.10.0 Jan 21, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.9.3 Jan 21, 2021
@tgraf tgraf requested a review from jrfastab January 21, 2021 21:24
@tgraf tgraf added the kind/regression This functionality worked fine before, but was broken in a newer release of Cilium. label Jan 21, 2021
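
The failure mode described in the pull request, as an added userspace model (not Cilium's code and not part of the original thread): a header check that does not pull first rejects an ESP packet whose IPv4 header is not yet directly readable, while pull-then-check accepts it. The `toy_*` names, the struct and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define ETH_LEN     14  /* Ethernet header */
#define IP4_HDR_LEN 20  /* IPv4 header without options */
#define PROTO_ESP   50  /* IANA protocol number for ESP */
/* Toy packet: only the first `linear` bytes are directly readable. */
struct toy_skb { uint8_t buf[64]; size_t len, linear; };

/* Bounds check only: fails if the IPv4 header is not fully linear. */
static int toy_revalidate(const struct toy_skb *skb, const uint8_t **ip4)
{
    if (ETH_LEN + IP4_HDR_LEN > skb->linear)
        return 0;
    *ip4 = skb->buf + ETH_LEN;
    return 1;
}

/* Pull first, then check: only a genuinely truncated packet fails. */
static int toy_revalidate_pull(struct toy_skb *skb, const uint8_t **ip4)
{
    size_t need = ETH_LEN + IP4_HDR_LEN;
    if (skb->linear < need && need <= skb->len)
        skb->linear = need;  /* stands in for the pull step */
    return toy_revalidate(skb, ip4);
}

/* 1 if the packet is recognised as ESP (and would get the decrypt mark). */
static int toy_is_esp(struct toy_skb *skb, int use_pull)
{
    const uint8_t *ip4 = NULL;
    int ok = use_pull ? toy_revalidate_pull(skb, &ip4) : toy_revalidate(skb, &ip4);
    return ok && ip4[9] == PROTO_ESP;  /* IPv4 protocol field is byte 9 */
}

/* Constructed sample: an ESP-over-IPv4 frame with `linear` readable bytes. */
static struct toy_skb make_esp_packet(size_t linear)
{
    struct toy_skb skb = { .len = sizeof(skb.buf), .linear = linear };
    skb.buf[ETH_LEN] = 0x45;           /* version 4, header length 5 words */
    skb.buf[ETH_LEN + 9] = PROTO_ESP;
    return skb;
}

int main(void)
{
    struct toy_skb a = make_esp_packet(ETH_LEN), b = make_esp_packet(ETH_LEN);
    printf("check only: %d, pull then check: %d\n", toy_is_esp(&a, 0), toy_is_esp(&b, 1));
}
```
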
Contributor

@jrfastab jrfastab left a comment

thanks.

Member

@borkmann borkmann left a comment

lgtm

Member Author

tgraf commented Jan 21, 2021

test-me-please

@pchaigno pchaigno added the area/encryption Impacts encryption support such as IPSec, WireGuard, or kTLS. label Jan 21, 2021
Member Author

tgraf commented Jan 21, 2021

retest-gke

@tgraf tgraf merged commit d6d8683 into master Jan 22, 2021
@tgraf tgraf deleted the pr/tgraf/encrypt-pull-fix branch January 22, 2021 08:42
@aanm aanm added this to Needs backport from master in 1.9.4 Jan 22, 2021
@aanm aanm removed this from Needs backport from master in 1.9.3 Jan 22, 2021
@christarazi christarazi moved this from Needs backport from master to Backport done to v1.9 in 1.9.4 Feb 3, 2021