Discussion:
[strongSwan] HA kernel patch and CONFIG_XFRM_OFFLOAD
Jean-Daniel
2018-05-27 08:16:33 UTC
Hello,

I’m trying to set up an HA strongSwan cluster. I encounter an issue. I’m trying to use the last Ubuntu LTS (18.04) with kernel 4.15.x.

I managed to rebuild it with the 4.15.7 HA patch, but this kernel panics very often. I think the issue is because the Ubuntu kernel enables CONFIG_XFRM_OFFLOAD by default.

In the strongSwan kernel branch, the commit "xfrm: Add XFRM replay failover function to increment outgoing sequence numbers" adds a failover function to struct xfrm_replay, but this field is populated only when CONFIG_XFRM_OFFLOAD is disabled ( https://git.strongswan.org/?p=linux-dumm.git;a=commitdiff;h=411c1f9e1b566f316bdc33c79ad32aa0950ac963 ). As this field is not properly set up, each time the code tries to call the failover function, it results in a null pointer access and a kernel panic.

So my question is: what is the proper way to fix this?
Was the CONFIG_XFRM_OFFLOAD missing failover an oversight, and can I safely populate the failover field in xfrm_replay.c,
or is it intentional because using CONFIG_XFRM_OFFLOAD introduces some known incompatibility with the HA patch?
Tobias Brunner
2018-05-28 09:23:13 UTC
Hi Jean-Daniel,
Post by Jean-Daniel
Was the CONFIG_XFRM_OFFLOAD missing failover an oversight, and can I safely populate the failover field in xfrm_replay.c,
Yes, the HA patch (originally created for 3.x kernels) predates the HW
offloading (added with 4.12) by some years and this went unnoticed when
lifting the patch to recent kernels, in particular, because the kernels
used in our testing environment don't have CONFIG_XFRM_OFFLOAD enabled
(besides not needing it, it has some less than ideal side effects, like
inbound ESP packets not being visible in tcpdump anymore).
Post by Jean-Daniel
or is it intentional because using CONFIG_XFRM_OFFLOAD introduces some known incompatibility with the HA patch?
No idea if HA would actually work with HW offloading, but other than
that it should probably be fine to assign the same functions to the
structs in the CONFIG_XFRM_OFFLOAD case.

I've updated the ha-4.15.7 branch accordingly.

Regards,
Tobias
Jean-Daniel Dupas
2018-05-28 09:50:50 UTC
Post by Tobias Brunner
Hi Jean-Daniel,
Post by Jean-Daniel
Was the CONFIG_XFRM_OFFLOAD missing failover an oversight, and can I safely populate the failover field in xfrm_replay.c,
Yes, the HA patch (originally created for 3.x kernels) predates the HW
offloading (added with 4.12) by some years and this went unnoticed when
lifting the patch to recent kernels, in particular, because the kernels
used in our testing environment don't have CONFIG_XFRM_OFFLOAD enabled
(besides not needing it, it has some less than ideal side effects, like
inbound ESP packets not being visible in tcpdump anymore).
Post by Jean-Daniel
or is it intentional because using CONFIG_XFRM_OFFLOAD introduces some known incompatibility with the HA patch?
No idea if HA would actually work with HW offloading, but other than
that it should probably be fine to assign the same functions to the
structs in the CONFIG_XFRM_OFFLOAD case.
I've updated the ha-4.15.7 branch accordingly.
Thank you,

I started to deploy a cluster with CONFIG_XFRM_OFFLOAD enabled. It looks like HA is working well.
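
The failure mode discussed in this thread, as a simplified user-space model added here (not code from the strongSwan kernel branch or from either poster): an ops table whose `failover` callback is populated in only one build variant, a check that flags the missing callback, and a guarded call. All struct, function and table names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a replay ops table; not the kernel's struct xfrm_replay. */
struct replay_state { unsigned int oseq; };

struct replay_ops {
    const char *name;
    int  (*overflow)(struct replay_state *s);
    void (*failover)(struct replay_state *s, unsigned int step); /* added later by a patch */
};

static int overflow_plain(struct replay_state *s)   { s->oseq++; return 0; }
static int overflow_offload(struct replay_state *s) { s->oseq++; return 0; }
/* Failover bumps the outgoing sequence number by a step. */
static void failover_seq(struct replay_state *s, unsigned int step) { s->oseq += step; }

/* Variant the patch was tested with: every callback assigned. */
static const struct replay_ops ops_plain =
    { .name = "plain", .overflow = overflow_plain, .failover = failover_seq };
/* Variant added after the patch was written: new member silently left NULL. */
static const struct replay_ops ops_offload_unfixed =
    { .name = "offload (unfixed)", .overflow = overflow_offload };
/* The fix described in the thread: assign the same function in this variant too. */
static const struct replay_ops ops_offload_fixed =
    { .name = "offload (fixed)", .overflow = overflow_offload, .failover = failover_seq };

/* Count unpopulated callbacks so an incomplete table is caught before first use. */
int ops_missing(const struct replay_ops *ops)
{
    return (ops->overflow == NULL) + (ops->failover == NULL);
}

/* Guarded call: returns -1 instead of jumping through a NULL pointer. */
int do_failover(const struct replay_ops *ops, struct replay_state *s, unsigned int step)
{
    if (ops == NULL || ops->failover == NULL)
        return -1;
    ops->failover(s, step);
    return 0;
}

int main(void)
{
    const struct replay_ops *all[] = { &ops_plain, &ops_offload_unfixed, &ops_offload_fixed };
    for (size_t i = 0; i < sizeof(all) / sizeof(all[0]); i++)
        printf("%-18s missing callbacks: %d\n", all[i]->name, ops_missing(all[i]));
    return 0;
}
```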