Public bug reported:

The following upstream patch is missing:

11d7a0bb95ea xfrm: Only add l3mdev oif to dst lookups 
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=11d7a0bb95ea

There are several ways to reproduce this problem. Here is an example:

# Prepare netns
ip netns add test
ip netns exec test sysctl -q -w net.ipv4.conf.all.forwarding=1
ip netns exec test ip link set lo up
ip netns exec test ip addr add 172.16.1.1/24 dev lo

# Create VTI iface and move it in netns test
ip addr add 1.1.1.1/32 dev lo
ip link add name vti_test type vti local 1.1.1.1 remote 2.2.2.2 key 0x1
ip link set dev vti_test netns test

# Configure IPsec
ip xfrm state add src 1.1.1.1 dst 2.2.2.2 proto esp spi 1 mode tunnel \
    enc 'cbc(aes)' '0x11111111111111111111111111111111' \
    auth-trunc 'hmac(sha1)' '0x2222222222222222222222222222222222222222' 96 \
    flag align4 mark 0x1
ip xfrm state add src 2.2.2.2 dst 1.1.1.1 proto esp spi 2 mode tunnel \
    enc 'cbc(aes)' '0x33333333333333333333333333333333' \
    auth-trunc 'hmac(sha1)' '0x4444444444444444444444444444444444444444' 96 \
    flag align4 mark 0x1
ip xfrm policy add dir out tmpl src 1.1.1.1 dst 2.2.2.2 proto esp mode tunnel mark 0x1
ip xfrm policy add dir in tmpl src 2.2.2.2 dst 1.1.1.1 proto esp mode tunnel mark 0x1

# Configure SVTI
ip netns exec test ip link set dev vti_test up

# Add route
ip netns exec test ip route add 172.16.2.0/24 dev vti_test

# Run a tcpdump on the output interface (given by "ip route get 2.2.2.2")
tcpdump -nei eth0 &

# Ping from the netns
ip netns exec test ping 172.16.2.1 -I 172.16.1.1 -c 4

------

On 4.4.0-109-generic:
(ping) From 172.16.1.1 icmp_seq=1 Destination Host Unreachable
(tcpdump) no IPsec packet

=> Problem

On 4.8.0-58-generic:
(ping): no error raised
(tcpdump) 15:09:45.109776 de:ad:de:01:02:03 > 52:55:0a:00:02:02, ethertype IPv4 (0x0800), length 166: 1.1.1.1 > 2.2.2.2: ESP(spi=0x00000001,seq=0x2), length 132
(tcpdump) 15:10:05.422243 de:ad:de:01:02:03 > 52:55:0a:00:02:02, ethertype IPv4 (0x0800), length 166: 1.1.1.1 > 2.2.2.2: ESP(spi=0x00000001,seq=0x3), length 132

=> No problem
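As an added example (not part of the bug report), the reproduction above folded into one script that also grades the tcpdump capture the way the report does ("Problem" when no ESP leaves the host, "No problem" otherwise). It assumes root, iproute2, tcpdump and coreutils timeout, reuses the report's addresses, keys and mark, and needs OUT_IF set to the interface that "ip route get 2.2.2.2" reports (eth0 by default); only the outbound SA and policy are configured, since the verdict depends only on ESP leaving the host.

```shell
# Added example, not from the bug report: automates the x-netns VTI
# reproduction and turns the manual tcpdump check into a verdict. Assumes
# root, iproute2, tcpdump, timeout, the report's addresses/keys/mark, and
# OUT_IF set to the interface that "ip route get 2.2.2.2" reports.
set -u
OUT_IF="${OUT_IF:-eth0}"; CAP="${CAP:-/tmp/xnetns_vti_capture.txt}"

# Count ESP packets 1.1.1.1 -> 2.2.2.2 (SPI 1) in a tcpdump text capture.
# Prints the count; exit status 0 when at least one was seen.
count_esp() {
    n=$(grep -c '1\.1\.1\.1 > 2\.2\.2\.2: ESP(spi=0x00000001' "$1" || true)
    echo "$n"
    [ "$n" -gt 0 ]
}

# Same wording as the report: ESP seen => "No problem", none => "Problem".
verdict() {
    if count_esp "$1" >/dev/null; then echo "No problem"; else echo "Problem"; fi
}

# Undo only what this script created; never flush the host's xfrm tables.
cleanup() {
    ip xfrm state delete src 1.1.1.1 dst 2.2.2.2 proto esp spi 1 mark 0x1 2>/dev/null
    ip xfrm policy delete dir out mark 0x1 2>/dev/null
    ip netns del test 2>/dev/null   # also removes vti_test, which lives there
    ip addr del 1.1.1.1/32 dev lo 2>/dev/null
}

run_repro() {
    trap cleanup EXIT
    ip netns add test
    ip netns exec test sysctl -q -w net.ipv4.conf.all.forwarding=1
    ip netns exec test ip link set lo up
    ip netns exec test ip addr add 172.16.1.1/24 dev lo
    ip addr add 1.1.1.1/32 dev lo
    ip link add name vti_test type vti local 1.1.1.1 remote 2.2.2.2 key 0x1
    ip link set dev vti_test netns test
    ip xfrm state add src 1.1.1.1 dst 2.2.2.2 proto esp spi 1 mode tunnel \
        enc 'cbc(aes)' 0x11111111111111111111111111111111 auth-trunc 'hmac(sha1)' \
        0x2222222222222222222222222222222222222222 96 flag align4 mark 0x1
    ip xfrm policy add dir out tmpl src 1.1.1.1 dst 2.2.2.2 proto esp mode tunnel mark 0x1
    ip netns exec test ip link set dev vti_test up
    ip netns exec test ip route add 172.16.2.0/24 dev vti_test
    timeout 10 tcpdump -lnei "$OUT_IF" esp >"$CAP" 2>/dev/null &   # line-buffered text
    sleep 1
    ip netns exec test ping -q -c 4 -I 172.16.1.1 172.16.2.1 >/dev/null 2>&1 || true
    wait
    echo "$(count_esp "$CAP") ESP packet(s) on $OUT_IF => $(verdict "$CAP")"
}

if [ "${XNETNS_VTI_RUN:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then run_repro; fi  # opt-in, root only
```

Run it with XNETNS_VTI_RUN=1 as root on both kernels to compare; the grading functions can also be pointed at any saved tcpdump text output.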

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Confirmed

https://bugs.launchpad.net/bugs/1744078

Title:
  linux < 4.8: x-netns vti is broken
