提交 7ba740ae 编写于 作者: T Taehee Yoo 提交者: Zheng Zengkai

bonding: disallow setting nested bonding + ipsec offload

stable inclusion
from stable-5.10.54
commit b3bd1f5e503716e09610e49bdccc36ed9356d27c
bugzilla: 175586 https://gitee.com/openeuler/kernel/issues/I4DVDU

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b3bd1f5e503716e09610e49bdccc36ed9356d27c

--------------------------------

[ Upstream commit b1216933 ]

bonding interface can be nested and it supports ipsec offload.
So, it allows setting the nested bonding + ipsec scenario.
But code does not support this scenario.
So, it should be disallowed.

interface graph:
bond2
   |
bond1
   |
eth0

The nested bonding + ipsec offload may not a real usecase.
So, disallowing this scenario is fine.

Fixes: 18cb261a ("bonding: support hardware encryption offload to slaves")
Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
Signed-off-by: NSasha Levin <sashal@kernel.org>
Signed-off-by: NChen Jun <chenjun102@huawei.com>
Acked-by: NWeilong Chen <chenweilong@huawei.com>
Signed-off-by: NChen Jun <chenjun102@huawei.com>
Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
上级 40938c2f
...@@ -403,8 +403,9 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs) ...@@ -403,8 +403,9 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs)
xs->xso.real_dev = slave->dev; xs->xso.real_dev = slave->dev;
bond->xs = xs; bond->xs = xs;
if (!(slave->dev->xfrmdev_ops if (!slave->dev->xfrmdev_ops ||
&& slave->dev->xfrmdev_ops->xdo_dev_state_add)) { !slave->dev->xfrmdev_ops->xdo_dev_state_add ||
netif_is_bond_master(slave->dev)) {
slave_warn(bond_dev, slave->dev, "Slave does not support ipsec offload\n"); slave_warn(bond_dev, slave->dev, "Slave does not support ipsec offload\n");
rcu_read_unlock(); rcu_read_unlock();
return -EINVAL; return -EINVAL;
...@@ -437,8 +438,9 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs) ...@@ -437,8 +438,9 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs)
xs->xso.real_dev = slave->dev; xs->xso.real_dev = slave->dev;
if (!(slave->dev->xfrmdev_ops if (!slave->dev->xfrmdev_ops ||
&& slave->dev->xfrmdev_ops->xdo_dev_state_delete)) { !slave->dev->xfrmdev_ops->xdo_dev_state_delete ||
netif_is_bond_master(slave->dev)) {
slave_warn(bond_dev, slave->dev, "%s: no slave xdo_dev_state_delete\n", __func__); slave_warn(bond_dev, slave->dev, "%s: no slave xdo_dev_state_delete\n", __func__);
goto out; goto out;
} }
...@@ -463,8 +465,9 @@ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs) ...@@ -463,8 +465,9 @@ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP) if (BOND_MODE(bond) != BOND_MODE_ACTIVEBACKUP)
return true; return true;
if (!(slave_dev->xfrmdev_ops if (!slave_dev->xfrmdev_ops ||
&& slave_dev->xfrmdev_ops->xdo_dev_offload_ok)) { !slave_dev->xfrmdev_ops->xdo_dev_offload_ok ||
netif_is_bond_master(slave_dev)) {
slave_warn(bond_dev, slave_dev, "%s: no slave xdo_dev_offload_ok\n", __func__); slave_warn(bond_dev, slave_dev, "%s: no slave xdo_dev_offload_ok\n", __func__);
return false; return false;
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册