README.kernel 5.6 KB

LINUX KERNEL REQUIREMENTS
=========================

The linux kernel has had various major regressions, performance
issues and subtle bugs (especially in pmtu). Here is a short list
of some -stable kernels that have been tested (at least briefly)
and seem to be working well with Quagga/NHRP:
    3.12.8  or later
    3.14.54 or later
    3.18.22 or later[1]
    4.4.52  or later
    4.9.30  or later

[1] But you need to apply the following two backported commits:
    3cdaa5be9e ipv4: Don't increase PMTU with Datagram Too Big message
    cb6ccf09d6 route: Use ipv4_mtu instead of raw rt_pmtu

See below for list of known issues in various kernel versions.

Kernels earlier than 3.12 need CONFIG_ARPD enabled in the configuration.
Many distributions do not enable it by default, and you may need to
compile your own kernel.

KERNEL BUGS
===========

DMVPN and mGRE support in the kernel has been brittle. There are various
regressions in multiple kernel versions.

This list tries to collect them into one source of information:

- forward pmtu is disabled intentionally (but tunnel devices rely on it)
  Broken since 3.14-rc1:
    commit "ipv4: introduce ip_dst_mtu_maybe_forward and protect forwarding path against pmtu spoofing"
  Workaround:
    Set sysctl net.ipv4.ip_forward_use_pmtu=1
    See: https://marc.info/?t=143636239500003&r=1&w=2 for details
    (Should fix kernel to have this by default on for tunnel devices)

- subtle path mtu mishandling issues
  Broken since (uncertain)
  Fixed in 4.1-rc2:
    commit "ipv4: Don't increase PMTU with Datagram Too Big message."
    commit "route: Use ipv4_mtu instead of raw rt_pmtu"

- fragmentation of large packets inside tunnel not working
  Broken since 3.11-rc1
    commit "ip_tunnels: Use skb-len to PMTU check."
  Fixed in 3.14.54, 3.18.22, 4.1.9, 4.2-rc3
    commit "ip_tunnel: fix ipv4 pmtu check to honor inner ip header df"

- ipsec will crash during xfrm gc
  Broken since 3.15-rc1
    commit "flowcache: Make flow cache name space aware"
  Fixed in 3.18.10, 4.0
    commit "flowcache: Fix kernel panic in flow_cache_flush_task"

- TSO on GRE tunnels failed, and resulted in very slow performance
  Broken since 3.14.24, 3.18-rc3
    commit "gre: Use inner mac length when computing tunnel length"
  Fixed in 3.14.30, 3.18.4
    commit "gre: fix the inner mac header in nbma tunnel xmit path"
    commit "gre: Set inner mac header in gro complete"

- NAPI GRO handling was broken, causing immediate crash (32-bit only?)
  Broken since 3.13-rc1
    commit "net: gro: allow to build full sized skb"
  Fixed in 3.14.5, 3.15-rc7
    commit "net: gro: make sure skb->cb[] initial content has not to be zero"

- ip_gre dst caching broke NBMA GRE tunnels
  Broken since 3.14-rc1
  Fixed in 3.14.5, 3.15-rc6
    commit "ipv4: ip_tunnels: disable cache for nbma gre tunnels"

- A few packets can be lost when neighbor entry is in NUD_PROBE state,
  and there is continuous traffic to it.
  Broken since dawn of time
  Fixed in 3.15-rc1
    commit "neigh: probe application via netlink in NUD_PROBE"

- GRO was implemented for GRE, but the hw capabilities were not updated
  correctly. In practice forwarding from non-GRE (physical) interface
  to GRE interface with gro/gso/tx offloads enabled (also on the target
  interface) does not work properly.
  Broken around 3.9 to 3.11, need to check details.

- recvfrom() returned incorrect NBMA address, breaking NAT detection
  Broken since 3.10-rc1
    commit "GRE: Refactor GRE tunneling code."
  Fixed in 3.10.27, 3.12.8, 3.13-rc7
    commit "ip_gre: fix msg_name parsing for recvfrom/recvmsg"

- sendto() was broken, causing opennhrp to not work at all
  Broken since 3.10-rc1
    commit "GRE: Refactor GRE tunneling code."
  Fixed in 3.10.12, 3.11-rc6
    commit "ip_gre: fix ipgre_header to return correct offset"

- PMTU was broken due to GRE driver rewrite
  Broken since 3.10-rc1
    commit "GRE: Refactor GRE tunneling code."
  Fixed in 3.11-rc1
    commit "ip_tunnels: Use skb-len to PMTU check."

- PMTU was broken due to routing cache removal
  Broken since 3.6-rc1
    commit "ipv4: Cache input routes in fib_info nexthops"
  Fixed in 3.11-rc1
    commit "ipv4: use next hop exceptions also for input routes"
    + 3 other commits
  Patches exist for 3.10, but they were not approved to 3.10-stable.

- Race condition during bootup: changing ARP flag did not flush
  existing neighbor entries, causing problems if traffic was routed
  to gre interface before opennhrp was running.
  Broken since dawn of time
  Fixed in 3.11-rc1
    commit "arp: flush arp cache on IFF_NOARP change"

- Crash in IPsec
  Broken since 3.9-rc1
    commit "xfrm: removes a superfluous check and add a statistic"
  Fixed in 3.10-rc3
    commit "xfrm: properly handle invalid states as an error"

- An incorrect ip_gre change broke NHRP traffic over GRE
  Broken since 3.8-rc2
    commit "ip_gre: make ipgre_tunnel_xmit() not parse network header as IP unconditionally"
  Fixed in 3.8.5, 3.9-rc4
    commit "Revert "ip_gre: make ipgre_tunnel_xmit() not parse network header as IP unconditionally""

- Multicast traffic over mGRE was broken.
  Broken since 2.6.34-rc2
    commit "gre: fix hard header destination address checking"
  Fixed in 2.6.39-rc2
    commit "net: gre: provide multicast mappings for ipv4 and ipv6"

- Serious performance issues causing small throughput on medium to large DMVPN networks
  Broken since dawn of time
  Fixed in 2.6.35
    multiple commits rewriting ipsec caching

- Even though around 2.6.24 is the first version where opennhrp started
  to work, there have been various PMTU, performance, and functionality
  bugs before 2.6.34. That's one of the first versions I consider stable
  wrt. opennhrp functionality.
  121. wrt. to opennhrp functionality.