Commit | Line | Data |
---|---|---|
2fb975da TT |
1 | KERNEL REQUIREMENTS |
2 | =================== | |
3 | ||
4 | The Linux kernel has had various major regressions, performance | |
5 | issues and subtle bugs (especially in pmtu). Here is a short list | |
6 | of some -stable kernels and the first point release that is supposedly | |
7 | working well with opennhrp/dmvpn: | |
8 | 3.12.8 or later | |
9 | 3.14.54 or later | |
10 | 3.18.22 or later[1] | |
11 | ||
12 | [1] But you need to apply the following two backported commits: | |
13 | 3cdaa5be9e ipv4: Don't increase PMTU with Datagram Too Big message | |
14 | cb6ccf09d6 route: Use ipv4_mtu instead of raw rt_pmtu | |
15 | ||
16 | See below for list of known issues in various kernel versions. | |
17 | ||
18 | Kernels earlier than 3.12 need CONFIG_ARPD enabled in the configuration. | |
19 | Many distributions do not enable it by default, and you may need to | |
20 | compile your own kernel. | |
21 | ||
22 | KERNEL BUGS | |
23 | =========== | |
24 | ||
25 | DMVPN and mGRE support in the kernel has been brittle. There are various | |
26 | regressions in multiple kernel versions. | |
27 | ||
28 | This list tries to collect them to one source of information: | |
29 | ||
30 | - forward pmtu is disabled intentionally (but tunnel devices rely on it) | |
31 | Broken since 3.14-rc1: | |
32 | commit "ipv4: introduce ip_dst_mtu_maybe_forward and protect forwarding path against pmtu spoofing" | |
33 | Workaround: | |
34 | Set sysctl net.ipv4.ip_forward_use_pmtu=1 | |
46d38021 | 35 | See: https://marc.info/?t=143636239500003&r=1&w=2 for details |
2fb975da TT |
36 | (Should fix kernel to have this by default on for tunnel devices) |
37 | ||
38 | - subtle path mtu mishandling issues | |
39 | Broken since (uncertain) | |
40 | Fixed in 4.1-rc2: | |
41 | commit "ipv4: Don't increase PMTU with Datagram Too Big message." | |
42 | commit "route: Use ipv4_mtu instead of raw rt_pmtu" | |
43 | ||
44 | - fragmentation of large packets inside tunnel not working | |
45 | Broken since 3.11-rc1 | |
46 | commit "ip_tunnels: Use skb-len to PMTU check." | |
47 | Fixed in 3.14.54, 3.18.22, 4.1.9, 4.2-rc3 | |
48 | commit "ip_tunnel: fix ipv4 pmtu check to honor inner ip header df" | |
49 | ||
50 | - ipsec will crash during xfrm gc | |
51 | Broken since 3.15-rc1 | |
52 | commit "flowcache: Make flow cache name space aware" | |
53 | Fixed in 3.18.10, 4.0 | |
54 | commit "flowcache: Fix kernel panic in flow_cache_flush_task" | |
55 | ||
56 | - TSO on GRE tunnels failed, and resulted in very slow performance | |
57 | Broken since 3.14.24, 3.18-rc3 | |
58 | commit "gre: Use inner mac length when computing tunnel length" | |
59 | Fixed in 3.14.30, 3.18.4 | |
60 | commit "gre: fix the inner mac header in nbma tunnel xmit path" | |
61 | commit "gre: Set inner mac header in gro complete" | |
62 | ||
63 | - NAPI GRO handling was broken; causing immediate crash (32-bit only?) | |
64 | Broken since 3.13-rc1 | |
65 | commit "net: gro: allow to build full sized skb" | |
66 | Fixed in 3.14.5, 3.15-rc7 | |
67 | commit "net: gro: make sure skb->cb[] initial content has not to be zero" | |
68 | ||
69 | - ip_gre dst caching broke NBMA GRE tunnels | |
70 | Broken since 3.14-rc1 | |
71 | Fixed in 3.14.5, 3.15-rc6 | |
72 | commit "ipv4: ip_tunnels: disable cache for nbma gre tunnels" | |
73 | ||
74 | - A few packets can be lost when neighbor entry is in NUD_PROBE state, | |
75 | and there is continuous traffic to it. | |
76 | Broken since dawn of time | |
77 | Fixed in 3.15-rc1 | |
78 | commit "neigh: probe application via netlink in NUD_PROBE" | |
79 | ||
80 | - GRO was implemented for GRE, but the hw capabilities were not updated | |
81 | correctly. In practice forwarding from non-GRE (physical) interface | |
82 | to GRE interface with gro/gso/tx offloads enabled (also on the target | |
83 | interface) does not work properly. | |
84 | Broken around 3.9 to 3.11, need to check details. | |
85 | ||
86 | - recvfrom() returned incorrect NBMA address, breaking NAT detection | |
87 | Broken since 3.10-rc1 | |
88 | commit "GRE: Refactor GRE tunneling code." | |
89 | Fixed in 3.10.27, 3.12.8, 3.13-rc7 | |
90 | commit "ip_gre: fix msg_name parsing for recvfrom/recvmsg" | |
91 | ||
92 | - sendto() was broken, causing opennhrp to not work at all | |
93 | Broken since 3.10-rc1 | |
94 | commit "GRE: Refactor GRE tunneling code." | |
95 | Fixed in 3.10.12, 3.11-rc6 | |
96 | commit "ip_gre: fix ipgre_header to return correct offset" | |
97 | ||
98 | - PMTU was broken due to GRE driver rewrite | |
99 | Broken since 3.10-rc1 | |
100 | commit "GRE: Refactor GRE tunneling code." | |
101 | Fixed in 3.11-rc1 | |
102 | commit "ip_tunnels: Use skb-len to PMTU check." | |
103 | ||
104 | - PMTU was broken due to routing cache removal | |
105 | Broken since 3.6-rc1 | |
106 | commit "ipv4: Cache input routes in fib_info nexthops" | |
107 | Fixed in 3.11-rc1 | |
108 | commit "ipv4: use next hop exceptions also for input routes" | |
109 | + 3 other commits | |
110 | Patches exist for 3.10, but they were not approved to 3.10-stable. | |
111 | ||
112 | - Race condition during bootup: changing ARP flag did not flush | |
113 | existing neighbor entries, causing problems if traffic was routed | |
114 | to gre interface before opennhrp was running. | |
115 | Broken since dawn of time | |
116 | Fixed in 3.11-rc1 | |
117 | commit "arp: flush arp cache on IFF_NOARP change" | |
118 | ||
119 | - Crash in IPsec | |
120 | Broken since 3.9-rc1 | |
121 | commit "xfrm: removes a superfluous check and add a statistic" | |
122 | Fixed in 3.10-rc3 | |
123 | commit "xfrm: properly handle invalid states as an error" | |
124 | ||
125 | - An incorrect ip_gre change broke NHRP traffic over GRE | |
126 | Broken since 3.8-rc2 | |
127 | commit "ip_gre: make ipgre_tunnel_xmit() not parse network header as IP unconditionally" | |
128 | Fixed in 3.8.5, 3.9-rc4 | |
129 | commit "Revert "ip_gre: make ipgre_tunnel_xmit() not parse network header as IP unconditionally"" | |
130 | ||
131 | - Multicast traffic over mGRE was broken. | |
132 | Broken since 2.6.34-rc2 | |
133 | commit "gre: fix hard header destination address checking" | |
134 | Fixed in 2.6.39-rc2 | |
135 | commit "net: gre: provide multicast mappings for ipv4 and ipv6" | |
136 | ||
137 | - Serious performance issues causing low throughput on medium to large DMVPN networks | |
138 | Broken since dawn of time | |
139 | Fixed in 2.6.35 | |
140 | multiple commits rewriting ipsec caching | |
141 | ||
142 | - Even though around 2.6.24 is the first version where opennhrp started | |
143 | to work, there have been various PMTU, performance, and functionality | |
144 | bugs before 2.6.34. That's one of the first versions I consider stable | |
145 | wrt. opennhrp functionality. | |
146 |
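
A pre-deployment check for the requirements above, as an added example that is not part of opennhrp: it classifies a `uname -r` style release against the three listed -stable series and the CONFIG_ARPD cutoff, and reports whether the `net.ipv4.ip_forward_use_pmtu` workaround is set. The function names and verdict strings are hypothetical; the version numbers and commit ids are the ones listed in this file.

```shell
#!/bin/sh
# Added example; classify_kernel and forward_pmtu_state are hypothetical names.

# classify_kernel RELEASE -> prints a verdict for a `uname -r` style string
classify_kernel() {
    ver=${1%%[!0-9.]*}             # "3.18.22-0-grsec" -> "3.18.22"
    if [ -z "$ver" ]; then echo "unparsed"; return 0; fi
    oldifs=$IFS; IFS=.
    set -- $ver                    # split on dots into $1 $2 $3
    IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    # Kernels earlier than 3.12 need CONFIG_ARPD (KERNEL REQUIREMENTS)
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 12 ]; }; then
        echo "needs-CONFIG_ARPD"; return 0
    fi
    # First point release per -stable series listed as working
    case "$major.$minor" in
        3.12) min=8;  ok="ok" ;;
        3.14) min=54; ok="ok" ;;
        3.18) min=22; ok="ok-with-backports-3cdaa5be9e-cb6ccf09d6" ;;
        *)    echo "unlisted-check-KERNEL-BUGS"; return 0 ;;
    esac
    if [ "$patch" -ge "$min" ]; then echo "$ok"; else echo "too-old-for-series"; fi
}

# forward_pmtu_state [PROCROOT] -> "set", "unset" or "absent"
# PROCROOT defaults to /proc/sys; the argument exists so the check is testable.
forward_pmtu_state() {
    f="${1:-/proc/sys}/net/ipv4/ip_forward_use_pmtu"
    if [ ! -r "$f" ]; then echo "absent"; return 0; fi
    if [ "$(cat "$f")" = "1" ]; then echo "set"; else echo "unset"; fi
}

# Report for the running host
echo "kernel $(uname -r): $(classify_kernel "$(uname -r)")"
echo "net.ipv4.ip_forward_use_pmtu: $(forward_pmtu_state)"
```

A result of "set" means the forwarding path uses path MTU again, which the commit named in the first KERNEL BUGS entry turned off to protect against pmtu spoofing, so record the setting as a deliberate trade-off on DMVPN routers.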