Revert "ipsec: set interface ID different from 0" #19019
This reverts commit 735ac6a.

Linux commit 68ac0f3810e7 ("xfrm: state and policy should fail if XFRMA_IF_ID 0") broke userspace applications by refusing xfrm states and policies with a zero XFRMA_IF_ID. Commit 735ac6a ("ipsec: set interface ID different from 0") attempted to work around this by defining a non-zero XFRMA_IF_ID.

Unfortunately, this workaround breaks IPsec connectivity between nodes. Once the XFRMA_IF_ID is set to the placeholder value (1), traffic that should be encrypted leaves the node without any encryption. On GKE and self-managed clusters, that's the only noticeable impact. However, on AKS and EKS, we also have BPF logic to rewrite the outer IP address to the proper IP. This still happens despite the failure to encrypt traffic, leading to packet drops.

The traffic leaves the node unencrypted because packets don't match the xfrm policies anymore, due to the non-zero XFRMA_IF_ID.

Thus, we didn't notice this regression in the pull request introducing the workaround because 1) GKE and Jenkins tests didn't fail and 2) the EKS and AKS IPsec tests are currently disabled. This was noticed while attempting to reenable the AKS IPsec test.

This revert was tested in CI by running the whole workflow three times successfully and locally by running the connectivity tests 10 times on the same cluster.

Signed-off-by: Paul Chaignon <paul@cilium.io>
c3b1773 to f97f112
/test

Job 'Cilium-PR-K8s-1.23-kernel-net-next' hit: #18895 (92.75% similarity)
FWIW, I think with vishvananda/netlink#727 in place the netlink library should no longer set zero XFRMA_IF_ID values in any case. The above PR was vendored into master by #18506. That PR was backported to the v1.11 branch already and is in release v1.11.2. I just noticed that you also marked the PR to be backported to v1.10, thanks!
Oh right, a fix was already in 1.11.2 - good to know. Sorry for the noise then!

Other than that, the revert was extensively tested in another PR and locally as said above. The cilium/bpf review is covered by Tobias. Marking ready to merge.
This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Link: https://lore.kernel.org/netdev/20220309130839.3263912-3-steffen.klassert@secunet.com/ (cherry picked from commit a3d9001 https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=a3d9001b4e287fc043e5539d03d71a32ab114bcb) Bug: 221187056 Test: run_net_test.sh Change-Id: Iccaf42f776cad9166f808c490bfce586f850554c
This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Link: https://lore.kernel.org/netdev/20220309130839.3263912-3-steffen.klassert@secunet.com/ (cherry picked from commit a3d9001b4e287fc043e5539d03d71a32ab114bcb https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=a3d9001b4e287fc043e5539d03d71a32ab114bcb) Bug: 221187056 Test: run_net_test.sh Change-Id: Iccaf42f776cad9166f808c490bfce586f850554c Signed-off-by: Tashfin Shakeer Rhythm <tashfinshakeerrhythm@gmail.com>
This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Link: https://lore.kernel.org/netdev/20220309130839.3263912-3-steffen.klassert@secunet.com/ (cherry picked from commit a3d9001b4e287fc043e5539d03d71a32ab114bcb https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=a3d9001b4e287fc043e5539d03d71a32ab114bcb) Bug: 221187056 Test: run_net_test.sh Change-Id: Iccaf42f776cad9166f808c490bfce586f850554c
commit a3d9001 upstream. This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Source: Kernel.org MR: 116741 Type: Integration Disposition: Backport from git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable linux-5.4.y ChangeID: 57e401a53c9f80f65aecd31ceb615f4d2a14399c Description: commit a3d9001 upstream. This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com>
BugLink: https://bugs.launchpad.net/bugs/1966057 commit a3d9001 upstream. This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
commit a3d9001b4e287fc043e5539d03d71a32ab114bcb upstream. This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
stable inclusion from linux-4.19.236 commit c8c9220cc0fb0dcdcce140533cc46128bd836347 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5646A CVE: NA -------------------------------- commit a3d9001 upstream. This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
commit a3d9001b4e287fc043e5539d03d71a32ab114bcb upstream. This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Bug: 220227367 Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 57e401a) Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I0d6c17e14d562cef2a4d76b7c4299cf0dd3641d1 Git-commit: 67a0446 Git-repo: https://android.googlesource.com/kernel/common/ Signed-off-by: Srinivasarao Pathipati <quic_spathi@quicinc.com>
commit a3d9001b4e287fc043e5539d03d71a32ab114bcb upstream. This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Bug: 220227367 Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 57e401a) Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I0d6c17e14d562cef2a4d76b7c4299cf0dd3641d1 Git-commit: 67a0446 Git-repo: https://android.googlesource.com/kernel/common/ Signed-off-by: Satyanarayana Dash <quic_satydash@quicinc.com>
This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Link: https://lore.kernel.org/netdev/20220309130839.3263912-3-steffen.klassert@secunet.com/ (cherry picked from commit a3d9001b4e287fc043e5539d03d71a32ab114bcb https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=a3d9001b4e287fc043e5539d03d71a32ab114bcb) Bug: 221187056 Bug: 218597355 Test: run_net_test.sh Change-Id: Iccaf42f776cad9166f808c490bfce586f850554c
BugLink: https://bugs.launchpad.net/bugs/1969678 commit a3d9001b4e287fc043e5539d03d71a32ab114bcb upstream. This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
stable inclusion from stable-v5.10.107 commit bdf0316982f00010d6e56f1379a51cd0568d51cd bugzilla: https://gitee.com/openeuler/kernel/issues/I574A2 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=bdf0316982f00010d6e56f1379a51cd0568d51cd -------------------------------- commit a3d9001 upstream. This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Yu Liao <liaoyu15@huawei.com> Reviewed-by: Wei Li <liwei391@huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Link: https://lore.kernel.org/netdev/20220309130839.3263912-3-steffen.klassert@secunet.com/ (cherry picked from commit a3d9001 https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=a3d9001b4e287fc043e5539d03d71a32ab114bcb) Bug: 221187056 Bug: 218597355 Test: run_net_test.sh Change-Id: Iccaf42f776cad9166f808c490bfce586f850554c
This reverts pull request #18789.

Linux commit 68ac0f3810e7 ("xfrm: state and policy should fail if XFRMA_IF_ID 0") broke userspace applications by refusing xfrm states and policies with a zero XFRMA_IF_ID. Commit 735ac6a ("ipsec: set interface ID different from 0") attempted to work around this by defining a non-zero XFRMA_IF_ID.

Unfortunately, this workaround breaks IPsec connectivity between nodes. Once the XFRMA_IF_ID is set to the placeholder value (1), traffic that should be encrypted leaves the node without any encryption. On GKE and self-managed clusters, that's the only noticeable impact. However, on AKS and EKS, we also have BPF logic to rewrite the outer IP address to the proper IP. This still happens despite the failure to encrypt traffic, leading to packet drops.

The traffic leaves the node unencrypted because packets don't match the xfrm policies anymore, due to the non-zero XFRMA_IF_ID.

Thus, we didn't notice this regression in the pull request introducing the workaround because 1) GKE and Jenkins tests didn't fail and 2) the EKS and AKS IPsec tests are currently disabled. This was noticed while attempting to reenable the AKS IPsec test.

This revert was tested in CI by running the whole AKS+IPsec workflow three times successfully (at https://github.com/cilium/cilium/runs/5407467510, the two failures are because I restarted too soon and the previous cluster was not deleted yet) and locally by running the connectivity tests 10 times on the same AKS cluster.
/cc @tormath1
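
An added example, not part of this pull request or of Cilium's code: a Go check that reads the text output of ip xfrm policy or ip xfrm state and reports every record carrying a non-zero if_id, the condition the description above ties to traffic leaving the node unencrypted. The sample output is constructed, and the "if_id 0x..." line format is an assumption about how iproute2 prints XFRMA_IF_ID.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Finding is one xfrm policy or state record that carries a non-zero if_id.
type Finding struct {
	Header string // first (unindented) line of the record
	IfID   uint32
}

// samplePolicies is constructed for this example; it is not captured from a
// real node. The first policy carries the placeholder if_id 1, the second
// carries no if_id at all (the attribute is absent, i.e. zero).
const samplePolicies = `src 10.0.1.0/24 dst 10.0.2.0/24
	dir out priority 0
	mark 0x3e00/0xff00
	tmpl src 192.0.2.10 dst 192.0.2.20
		proto esp spi 0x00000003 reqid 1 mode tunnel
	if_id 0x1
src 10.0.2.0/24 dst 10.0.1.0/24
	dir in priority 0
	tmpl src 192.0.2.20 dst 192.0.2.10
		proto esp reqid 1 mode tunnel
`

// NonZeroIfIDs scans `ip xfrm policy` / `ip xfrm state` style output and
// returns the records whose if_id is set to a non-zero value.
// Assumption: a record starts at an unindented line and the interface ID is
// printed as the token "if_id" followed by a (hex or decimal) number.
func NonZeroIfIDs(output string) ([]Finding, error) {
	var findings []Finding
	header := ""
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := sc.Text()
		if strings.TrimSpace(line) == "" {
			continue
		}
		// An unindented line opens a new policy/state record.
		if line[0] != ' ' && line[0] != '\t' {
			header = strings.TrimSpace(line)
		}
		fields := strings.Fields(line)
		for i := 0; i+1 < len(fields); i++ {
			if fields[i] != "if_id" {
				continue
			}
			// Base 0 accepts both "0x1" and "1".
			id, err := strconv.ParseUint(fields[i+1], 0, 32)
			if err != nil {
				return nil, fmt.Errorf("record %q: bad if_id %q: %w", header, fields[i+1], err)
			}
			if id != 0 {
				findings = append(findings, Finding{Header: header, IfID: uint32(id)})
			}
		}
	}
	return findings, sc.Err()
}

func main() {
	findings, err := NonZeroIfIDs(samplePolicies)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("non-zero if_id %#x on record: %s\n", f.IfID, f.Header)
	}
	if len(findings) == 0 {
		fmt.Println("no xfrm record carries a non-zero if_id")
	}
}
```

On a node, the input would be the saved output of the two ip xfrm commands; a finding is a prompt to confirm with a packet capture that inter-node traffic is actually ESP-encapsulated.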