Revert "ipsec: set interface ID different from 0" #19019
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pchaigno
added
area/encryption
This reverts commit 735ac6a. Linux commit 68ac0f3810e7 ("xfrm: state and policy should fail if XFRMA_IF_ID 0") broke userspace applications by refusing xfrm states and policies with a zero XFRMA_IF_ID. Commit 735ac6a ("ipsec: set interface ID different from 0") attempted to work around this by defining a non-zero XFRMA_IF_ID. Unfortunately, this workaround breaks IPsec connectivity between nodes. Once the XFRMA_IF_ID is set to the placeholder value (1), traffic that should be encrypted leave the node without any encryption. On GKE and self-managed clusters, that's the only noticeable impact. However, on AKS and EKS, we also have BPF logic to rewrite the outer IP address to the proper IP. This still happens despite the failure to encrypt traffic, leading to packet drops. The traffic leaves the node unencrypted because packets don't match the xfrm policies anymore, due to the non-zero XFRMA_IF_ID. Thus, we didn't notice this regression in the pull request introducing the workaround because 1) GKE and Jenkins tests didn't fail and 2) the EKS and AKS IPsec tests are currently disabled. This was noticed while attempting to reenable the AKS IPsec test. This revert was tested in CI by running the whole workflow three times successfully and locally by running the connectivity tests 10 times on the same cluster. Signed-off-by: Paul Chaignon <paul@cilium.io>
pchaigno
force-pushed
the
revert-if_id-fix
branch
from
c3b1773
to
f97f112
Compare
|
/test Job 'Cilium-PR-K8s-1.23-kernel-net-next' hit: #18895 (92.75% similarity) |
tklauser
approved these changes
Mar 3, 2022
There was a problem hiding this comment.
FWIW, I think with vishvananda/netlink#727 in place the netlink library should no longer set zero XFRMA_IF_ID values in any case. The above PR was vendored into master by #18506 That PR was backported to the v1.11 branch already and is in release v1.11.2. I just noticed that you also marked the PR to be backported to v1.10, thanks!
|
Oh right, a fix was already in 1.11.2 - good to know. Sorry for the noise then ! |
Other than that, the revert was extensively tested in another PR and locally as said above. The cilium/bpf review is covered by Tobias. Marking ready to merge. |
pchaigno
added
the
ready-to-merge
ammarfaizi2
pushed a commit
to ammarfaizi2/linux-block
that referenced
this pull request
Mar 7, 2022
This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
fengguang
pushed a commit
to 0day-ci/linux
that referenced
this pull request
Mar 9, 2022
This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
ammarfaizi2
pushed a commit
to ammarfaizi2/linux-block
that referenced
this pull request
Mar 10, 2022
This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Link: https://lore.kernel.org/netdev/20220309130839.3263912-3-steffen.klassert@secunet.com/ (cherry picked from commit a3d9001 https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=a3d9001b4e287fc043e5539d03d71a32ab114bcb) Bug: 221187056 Test: run_net_test.sh Change-Id: Iccaf42f776cad9166f808c490bfce586f850554c
ammarfaizi2
pushed a commit
to ammarfaizi2/linux-block
that referenced
this pull request
Mar 10, 2022
This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Link: https://lore.kernel.org/netdev/20220309130839.3263912-3-steffen.klassert@secunet.com/ (cherry picked from commit a3d9001 https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=a3d9001b4e287fc043e5539d03d71a32ab114bcb) Bug: 221187056 Test: run_net_test.sh Change-Id: Iccaf42f776cad9166f808c490bfce586f850554c
ammarfaizi2
pushed a commit
to ammarfaizi2/linux-block
that referenced
this pull request
Mar 10, 2022
This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Link: https://lore.kernel.org/netdev/20220309130839.3263912-3-steffen.klassert@secunet.com/ (cherry picked from commit a3d9001 https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=a3d9001b4e287fc043e5539d03d71a32ab114bcb) Bug: 221187056 Test: run_net_test.sh Change-Id: Iccaf42f776cad9166f808c490bfce586f850554c
ammarfaizi2
pushed a commit
to ammarfaizi2/linux-block
that referenced
this pull request
Mar 11, 2022
This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Link: https://lore.kernel.org/netdev/20220309130839.3263912-3-steffen.klassert@secunet.com/ (cherry picked from commit a3d9001 https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=a3d9001b4e287fc043e5539d03d71a32ab114bcb) Bug: 221187056 Test: run_net_test.sh Change-Id: Iccaf42f776cad9166f808c490bfce586f850554c
Tashar02
pushed a commit
to Atom-X-Devs/android_kernel_qcom_sdm660
that referenced
this pull request
Mar 11, 2022
This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Link: https://lore.kernel.org/netdev/20220309130839.3263912-3-steffen.klassert@secunet.com/ (cherry picked from commit a3d9001b4e287fc043e5539d03d71a32ab114bcb https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=a3d9001b4e287fc043e5539d03d71a32ab114bcb) Bug: 221187056 Test: run_net_test.sh Change-Id: Iccaf42f776cad9166f808c490bfce586f850554c Signed-off-by: Tashfin Shakeer Rhythm <tashfinshakeerrhythm@gmail.com>
clarencelol
pushed a commit
to clarencelol/kernel_xiaomi_sdm660-4.19
that referenced
this pull request
Mar 11, 2022
This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Link: https://lore.kernel.org/netdev/20220309130839.3263912-3-steffen.klassert@secunet.com/ (cherry picked from commit a3d9001b4e287fc043e5539d03d71a32ab114bcb https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=a3d9001b4e287fc043e5539d03d71a32ab114bcb) Bug: 221187056 Test: run_net_test.sh Change-Id: Iccaf42f776cad9166f808c490bfce586f850554c
ammarfaizi2
pushed a commit
to ammarfaizi2/linux-block
that referenced
this pull request
Mar 16, 2022
commit a3d9001 upstream. This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ammarfaizi2
pushed a commit
to ammarfaizi2/linux-block
that referenced
this pull request
Mar 16, 2022
commit a3d9001 upstream. This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ammarfaizi2
pushed a commit
to ammarfaizi2/linux-block
that referenced
this pull request
Mar 16, 2022
commit a3d9001 upstream. This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ammarfaizi2
pushed a commit
to ammarfaizi2/linux-block
that referenced
this pull request
Mar 16, 2022
commit a3d9001 upstream. This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ammarfaizi2
pushed a commit
to ammarfaizi2/linux-block
that referenced
this pull request
Mar 16, 2022
commit a3d9001 upstream. This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ammarfaizi2
pushed a commit
to ammarfaizi2/linux-block
that referenced
this pull request
Mar 16, 2022
commit a3d9001 upstream. This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
jpuhlman
pushed a commit
to MontaVista-OpenSourceTechnology/linux-mvista
that referenced
this pull request
Mar 25, 2022
Source: Kernel.org MR: 116741 Type: Integration Disposition: Backport from git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable linux-5.4.y ChangeID: 57e401a53c9f80f65aecd31ceb615f4d2a14399c Description: commit a3d9001 upstream. This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com>
rohanmclure
pushed a commit
to rohanmclure/linux-ci
that referenced
this pull request
Mar 30, 2022
This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
tuxedo-bot
pushed a commit
to tuxedocomputers/linux
that referenced
this pull request
Mar 31, 2022
BugLink: https://bugs.launchpad.net/bugs/1966057 commit a3d9001 upstream. This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>
raystef66
pushed a commit
to raystef66/InfiniR_kernel_alioth
that referenced
this pull request
Apr 1, 2022
commit a3d9001b4e287fc043e5539d03d71a32ab114bcb upstream. This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
snajpa
pushed a commit
to vpsfreecz/linux
that referenced
this pull request
Apr 2, 2022
commit a3d9001 upstream. This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
usaleem-ix
pushed a commit
to truenas/linux
that referenced
this pull request
Apr 7, 2022
commit a3d9001 upstream. This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
DozNaka
pushed a commit
to DozNaka/KawaKernel-A217X
that referenced
this pull request
Apr 11, 2022
commit a3d9001b4e287fc043e5539d03d71a32ab114bcb upstream. This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
borkra
pushed a commit
to LairdCP/wb-kernel
that referenced
this pull request
Apr 20, 2022
commit a3d9001 upstream. This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
it-is-a-robot
pushed a commit
to openeuler-mirror/kernel
that referenced
this pull request
May 8, 2022
stable inclusion from linux-4.19.236 commit c8c9220cc0fb0dcdcce140533cc46128bd836347 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5646A CVE: NA -------------------------------- commit a3d9001 upstream. This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Divyanshu-Modi
pushed a commit
to Atom-X-Devs/android_kernel_xiaomi_sm7325
that referenced
this pull request
May 11, 2022
commit a3d9001b4e287fc043e5539d03d71a32ab114bcb upstream. This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Bug: 220227367 Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 57e401a) Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I0d6c17e14d562cef2a4d76b7c4299cf0dd3641d1 Git-commit: 67a0446 Git-repo: https://android.googlesource.com/kernel/common/ Signed-off-by: Srinivasarao Pathipati <quic_spathi@quicinc.com>
arter97
pushed a commit
to arter97/caf_msm-5.4
that referenced
this pull request
May 15, 2022
commit a3d9001b4e287fc043e5539d03d71a32ab114bcb upstream. This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Bug: 220227367 Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 57e401a) Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I0d6c17e14d562cef2a4d76b7c4299cf0dd3641d1 Git-commit: 67a0446 Git-repo: https://android.googlesource.com/kernel/common/ Signed-off-by: Satyanarayana Dash <quic_satydash@quicinc.com>
momojuro
pushed a commit
to fsociety-tribute/redbull
that referenced
this pull request
Jun 4, 2022
This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Link: https://lore.kernel.org/netdev/20220309130839.3263912-3-steffen.klassert@secunet.com/ (cherry picked from commit a3d9001b4e287fc043e5539d03d71a32ab114bcb https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=a3d9001b4e287fc043e5539d03d71a32ab114bcb) Bug: 221187056 Bug: 218597355 Test: run_net_test.sh Change-Id: Iccaf42f776cad9166f808c490bfce586f850554c
delphix-devops-bot
pushed a commit
to delphix/linux-kernel-generic
that referenced
this pull request
Jun 10, 2022
BugLink: https://bugs.launchpad.net/bugs/1969678 commit a3d9001b4e287fc043e5539d03d71a32ab114bcb upstream. This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Kamal Mostafa <kamal@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
it-is-a-robot
pushed a commit
to openeuler-mirror/kernel
that referenced
this pull request
Jun 15, 2022
stable inclusion from stable-v5.10.107 commit bdf0316982f00010d6e56f1379a51cd0568d51cd bugzilla: https://gitee.com/openeuler/kernel/issues/I574A2 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=bdf0316982f00010d6e56f1379a51cd0568d51cd -------------------------------- commit a3d9001 upstream. This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Yu Liao <liaoyu15@huawei.com> Reviewed-by: Wei Li <liwei391@huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
it-is-a-robot
pushed a commit
to openeuler-mirror/kernel
that referenced
this pull request
Jun 15, 2022
stable inclusion from stable-v5.10.107 commit bdf0316982f00010d6e56f1379a51cd0568d51cd bugzilla: https://gitee.com/openeuler/kernel/issues/I574A2 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=bdf0316982f00010d6e56f1379a51cd0568d51cd -------------------------------- commit a3d9001 upstream. This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Yu Liao <liaoyu15@huawei.com> Reviewed-by: Wei Li <liwei391@huawei.com> Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
hellobbn
pushed a commit
to hellobbn/android_kernel_sony_sm8250
that referenced
this pull request
Jul 21, 2022
commit a3d9001b4e287fc043e5539d03d71a32ab114bcb upstream. This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
arter97
pushed a commit
to arter97/caf_msm-5.4
that referenced
this pull request
Aug 3, 2022
commit a3d9001b4e287fc043e5539d03d71a32ab114bcb upstream This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Bug: 220227367 Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 57e401a) Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I0d6c17e14d562cef2a4d76b7c4299cf0dd3641d1 Git-commit: 67a0446 Git-repo: https://android.googlesource.com/kernel/common/ Signed-off-by: Satyanarayana Dash <quic_satydash@quicinc.com>
xzeldon
pushed a commit
to xzeldon/IllusionX_sm8250
that referenced
this pull request
Sep 12, 2022
commit a3d9001b4e287fc043e5539d03d71a32ab114bcb upstream. This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Blackmanx
pushed a commit
to Blackmanx/bigshot_kernel_realme_sm8250
that referenced
this pull request
Dec 21, 2022
commit a3d9001b4e287fc043e5539d03d71a32ab114bcb upstream. This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tashar02
pushed a commit
to Atom-X-Devs/scarlet_xiaomi_sdm660
that referenced
this pull request
Feb 20, 2023
This reverts commit 68ac0f3 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Link: https://lore.kernel.org/netdev/20220309130839.3263912-3-steffen.klassert@secunet.com/ (cherry picked from commit a3d9001 https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=a3d9001b4e287fc043e5539d03d71a32ab114bcb) Bug: 221187056 Bug: 218597355 Test: run_net_test.sh Change-Id: Iccaf42f776cad9166f808c490bfce586f850554c
bggRGjQaUbCoE
pushed a commit
to bggRGjQaUbCoE/android_kernel_samsung_sm8250-mohammad92
that referenced
this pull request
Apr 6, 2023
commit a3d9001b4e287fc043e5539d03d71a32ab114bcb upstream. This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
intersectRaven
pushed a commit
to intersectRaven/rk356x-kernel
that referenced
this pull request
Sep 16, 2023
commit a3d9001b4e287fc043e5539d03d71a32ab114bcb upstream. This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
backslashxx
pushed a commit
to backslashxx/android_karnol_ximi_fog
that referenced
this pull request
Feb 14, 2024
This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Link: https://lore.kernel.org/netdev/20220309130839.3263912-3-steffen.klassert@secunet.com/ (cherry picked from commit a3d9001b4e287fc043e5539d03d71a32ab114bcb https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=a3d9001b4e287fc043e5539d03d71a32ab114bcb) Bug: 221187056 Test: run_net_test.sh Change-Id: Iccaf42f776cad9166f808c490bfce586f850554c
backslashxx
pushed a commit
to backslashxx/android_karnol_ximi_fog
that referenced
this pull request
Feb 14, 2024
commit a3d9001b4e287fc043e5539d03d71a32ab114bcb upstream. This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
backslashxx
pushed a commit
to backslashxx/android_karnol_ximi_fog
that referenced
this pull request
Feb 20, 2024
This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Link: https://lore.kernel.org/netdev/20220309130839.3263912-3-steffen.klassert@secunet.com/ (cherry picked from commit a3d9001b4e287fc043e5539d03d71a32ab114bcb https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=a3d9001b4e287fc043e5539d03d71a32ab114bcb) Bug: 221187056 Test: run_net_test.sh Change-Id: Iccaf42f776cad9166f808c490bfce586f850554c
backslashxx
pushed a commit
to backslashxx/android_karnol_ximi_fog
that referenced
this pull request
Feb 20, 2024
commit a3d9001b4e287fc043e5539d03d71a32ab114bcb upstream. This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dheeraj3031A
pushed a commit
to Dheeraj3031A/kernel_oplus_RMX3461
that referenced
this pull request
Mar 13, 2024
commit a3d9001b4e287fc043e5539d03d71a32ab114bcb upstream. This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dheeraj3031A
pushed a commit
to Dheeraj3031A/kernel_oplus_RMX3461
that referenced
this pull request
Mar 13, 2024
commit a3d9001b4e287fc043e5539d03d71a32ab114bcb upstream. This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
nokidevz
pushed a commit
to nokidevz/android_kernel_xiaomi_mt6781
that referenced
this pull request
Jun 26, 2024
This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Link: https://lore.kernel.org/netdev/20220309130839.3263912-3-steffen.klassert@secunet.com/ (cherry picked from commit a3d9001b4e287fc043e5539d03d71a32ab114bcb https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=a3d9001b4e287fc043e5539d03d71a32ab114bcb) Bug: 221187056 Test: run_net_test.sh Change-Id: Iccaf42f776cad9166f808c490bfce586f850554c
nokidevz
pushed a commit
to nokidevz/android_kernel_xiaomi_mt6781
that referenced
this pull request
Jun 26, 2024
commit a3d9001b4e287fc043e5539d03d71a32ab114bcb upstream. This reverts commit 68ac0f3810e76a853b5f7b90601a05c3048b8b54 because ID 0 was meant to be used for configuring the policy/state without matching for a specific interface (e.g., Cilium is affected, see cilium/cilium#18789 and cilium/cilium#19019). Signed-off-by: Kai Lueke <kailueke@linux.microsoft.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This reverts pull request #18789.
Linux commit
68ac0f3810e7("xfrm: state and policy should fail if XFRMA_IF_ID 0") broke userspace applications by refusing xfrm states and policies with a zeroXFRMA_IF_ID. Commit 735ac6a ("ipsec: set interface ID different from 0") attempted to work around this by defining a non-zeroXFRMA_IF_ID.Unfortunately, this workaround breaks IPsec connectivity between nodes. Once the
XFRMA_IF_IDis set to the placeholder value (1), traffic that should be encrypted leave the node without any encryption. On GKE and self-managed clusters, that's the only noticeable impact. However, on AKS and EKS, we also have BPF logic to rewrite the outer IP address to the proper IP. This still happens despite the failure to encrypt traffic, leading to packet drops.The traffic leaves the node unencrypted because packets don't match the xfrm policies anymore, due to the non-zero
XFRMA_IF_ID.Thus, we didn't notice this regression in the pull request introducing the workaround because 1) GKE and Jenkins tests didn't fail and 2) the EKS and AKS IPsec tests are currently disabled. This was noticed while attempting to reenable the AKS IPsec test.
This revert was tested in CI by running the whole AKS+IPsec workflow three times successfully (at https://github.com/cilium/cilium/runs/5407467510, the two failures are because I restarted too soon and the previous cluster was not deleted yet) and locally by running the connectivity tests 10 times on the same AKS cluster.
/cc @tormath1