From: Florian Westphal <fw@strlen.de>
To: Antoine Tenart <atenart@kernel.org>
Cc: kuba@kernel.org, pablo@netfilter.org, kadlec@netfilter.org,
fw@strlen.de, roopa@nvidia.com, nikolay@nvidia.com,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
coreteam@netfilter.org, sbrivio@redhat.com
Subject: Re: [PATCH net-next] netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal
Date: Mon, 23 Nov 2020 19:32:53 +0100 [thread overview]
Message-ID: <20201123183253.GA2730@breakpoint.cc> (raw)
In-Reply-To: <20201123174902.622102-1-atenart@kernel.org>
Antoine Tenart <atenart@kernel.org> wrote:
> Netfilter changes PACKET_OTHERHOST to PACKET_HOST before invoking the
> hooks as, while it's an expected value for a bridge, routing expects
> PACKET_HOST. The change is undone later on after hook traversal. This
> can be seen with pairs of functions updating skb>pkt_type and then
> reverting it to its original value:
>
> For hook NF_INET_PRE_ROUTING:
> setup_pre_routing / br_nf_pre_routing_finish
>
> For hook NF_INET_FORWARD:
> br_nf_forward_ip / br_nf_forward_finish
>
> But the third case where netfilter does this, for hook
> NF_INET_POST_ROUTING, the packet type is changed in br_nf_post_routing
> but never reverted. A comment says:
>
> /* We assume any code from br_dev_queue_push_xmit onwards doesn't care
> * about the value of skb->pkt_type. */
[..]
> But when having a tunnel (say vxlan) attached to a bridge we have the
> following call trace:
> In this specific case, this creates issues such as when an ICMPv6 PTB
> should be sent back. When CONFIG_BRIDGE_NETFILTER is enabled, the PTB
> isn't sent (as skb_tunnel_check_pmtu checks if pkt_type is PACKET_HOST
> and returns early).
>
> If the comment is right and no one cares about the value of
> skb->pkt_type after br_dev_queue_push_xmit (which isn't true), resetting
> it to its original value should be safe.
That comment is 18 years old, safe bet noone thought of
ipv6-in-tunnel-interface-added-as-bridge-port back then.
Reviewed-by: Florian Westphal <fw@strlen.de>
next prev parent reply other threads:[~2020-11-23 18:33 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-23 17:49 [PATCH net-next] netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal Antoine Tenart
2020-11-23 18:32 ` Florian Westphal [this message]
2020-11-28 0:06 ` Jakub Kicinski
2020-11-28 9:59 ` Florian Westphal
2020-11-28 19:49 ` Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201123183253.GA2730@breakpoint.cc \
--to=fw@strlen.de \
--cc=atenart@kernel.org \
--cc=coreteam@netfilter.org \
--cc=kadlec@netfilter.org \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=nikolay@nvidia.com \
--cc=pablo@netfilter.org \
--cc=roopa@nvidia.com \
--cc=sbrivio@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.