* [PATCH v2 0/2] Disable rp_filter for IPsec packets @ 2011-04-07 14:51 Michael Smith 2011-04-07 14:51 ` [PATCH v2 1/2] fib_validate_source(): pass sk_buff instead of mark Michael Smith 2011-04-11 1:51 ` [PATCH v2 0/2] " David Miller 0 siblings, 2 replies; 4+ messages in thread From: Michael Smith @ 2011-04-07 14:51 UTC (permalink / raw) To: netdev The reverse path filter interferes with IPsec subnet-to-subnet tunnels, especially when the link to the IPsec peer is on an interface other than the one hosting the default route. IPsec provides a much stronger anti-spoofing policy than rp_filter, so this patch disables the rp_filter for packets with a security path. Patch is against net-next. (old discussion here: http://patchwork.ozlabs.org/patch/86826/) Michael Smith (2): fib_validate_source(): pass sk_buff instead of mark Disable rp_filter for IPsec packets include/net/ip_fib.h | 6 +++--- include/net/xfrm.h | 9 +++++++++ net/ipv4/fib_frontend.c | 16 +++++++++------- net/ipv4/route.c | 16 ++++++++-------- 4 files changed, 29 insertions(+), 18 deletions(-) ^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v2 1/2] fib_validate_source(): pass sk_buff instead of mark 2011-04-07 14:51 [PATCH v2 0/2] Disable rp_filter for IPsec packets Michael Smith @ 2011-04-07 14:51 ` Michael Smith 2011-04-07 14:51 ` [PATCH v2 2/2] Disable rp_filter for IPsec packets Michael Smith 2011-04-11 1:51 ` [PATCH v2 0/2] " David Miller 1 sibling, 1 reply; 4+ messages in thread From: Michael Smith @ 2011-04-07 14:51 UTC (permalink / raw) To: netdev This makes sk_buff available for other use in fib_validate_source(). Signed-off-by: Michael Smith <msmith@cbnco.com> --- include/net/ip_fib.h | 6 +++--- net/ipv4/fib_frontend.c | 10 ++++------ net/ipv4/route.c | 16 ++++++++-------- 3 files changed, 15 insertions(+), 17 deletions(-) diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h index e5d66ec..514627f 100644 --- a/include/net/ip_fib.h +++ b/include/net/ip_fib.h @@ -227,9 +227,9 @@ extern struct fib_table *fib_get_table(struct net *net, u32 id); /* Exported by fib_frontend.c */ extern const struct nla_policy rtm_ipv4_policy[]; extern void ip_fib_init(void); -extern int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif, - struct net_device *dev, __be32 *spec_dst, - u32 *itag, u32 mark); +extern int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, + u8 tos, int oif, struct net_device *dev, + __be32 *spec_dst, u32 *itag); extern void fib_select_default(struct fib_result *res); /* Exported by fib_semantics.c */ diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c index 4510883..f162f84 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c @@ -188,9 +188,9 @@ EXPORT_SYMBOL(inet_dev_addr_type); * - check, that packet arrived from expected physical interface. * called with rcu_read_lock() */ -int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif, - struct net_device *dev, __be32 *spec_dst, - u32 *itag, u32 mark) +int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, u8 tos, + int oif, struct net_device *dev, __be32 *spec_dst, + u32 *itag) { struct in_device *in_dev; struct flowi4 fl4; @@ -202,7 +202,6 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif, fl4.flowi4_oif = 0; fl4.flowi4_iif = oif; - fl4.flowi4_mark = mark; fl4.daddr = src; fl4.saddr = dst; fl4.flowi4_tos = tos; @@ -214,8 +213,7 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif, no_addr = in_dev->ifa_list == NULL; rpf = IN_DEV_RPFILTER(in_dev); accept_local = IN_DEV_ACCEPT_LOCAL(in_dev); - if (mark && !IN_DEV_SRC_VMARK(in_dev)) - fl4.flowi4_mark = 0; + fl4.flowi4_mark = IN_DEV_SRC_VMARK(in_dev) ? skb->mark : 0; } if (in_dev == NULL) diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 4b0c811..57447b7 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -1871,8 +1871,8 @@ static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr, goto e_inval; spec_dst = inet_select_addr(dev, 0, RT_SCOPE_LINK); } else { - err = fib_validate_source(saddr, 0, tos, 0, dev, &spec_dst, - &itag, 0); + err = fib_validate_source(skb, saddr, 0, tos, 0, dev, &spec_dst, + &itag); if (err < 0) goto e_err; } @@ -1980,8 +1980,8 @@ static int __mkroute_input(struct sk_buff *skb, } - err = fib_validate_source(saddr, daddr, tos, FIB_RES_OIF(*res), - in_dev->dev, &spec_dst, &itag, skb->mark); + err = fib_validate_source(skb, saddr, daddr, tos, FIB_RES_OIF(*res), + in_dev->dev, &spec_dst, &itag); if (err < 0) { ip_handle_martian_source(in_dev->dev, in_dev, skb, daddr, saddr); @@ -2148,9 +2148,9 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, goto brd_input; if (res.type == RTN_LOCAL) { - err = fib_validate_source(saddr, daddr, tos, + err = fib_validate_source(skb, saddr, daddr, tos, net->loopback_dev->ifindex, - dev, &spec_dst, &itag, skb->mark); + dev, &spec_dst, &itag); if (err < 0) goto martian_source_keep_err; if (err) @@ -2174,8 +2174,8 @@ brd_input: if (ipv4_is_zeronet(saddr)) spec_dst = inet_select_addr(dev, 0, RT_SCOPE_LINK); else { - err = fib_validate_source(saddr, 0, tos, 0, dev, &spec_dst, - &itag, skb->mark); + err = fib_validate_source(skb, saddr, 0, tos, 0, dev, &spec_dst, + &itag); if (err < 0) goto martian_source_keep_err; if (err) -- 1.6.3.2 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH v2 2/2] Disable rp_filter for IPsec packets 2011-04-07 14:51 ` [PATCH v2 1/2] fib_validate_source(): pass sk_buff instead of mark Michael Smith @ 2011-04-07 14:51 ` Michael Smith 0 siblings, 0 replies; 4+ messages in thread From: Michael Smith @ 2011-04-07 14:51 UTC (permalink / raw) To: netdev The reverse path filter interferes with IPsec subnet-to-subnet tunnels, especially when the link to the IPsec peer is on an interface other than the one hosting the default route. With dynamic routing, where the peer might be reachable through eth0 today and eth1 tomorrow, it's difficult to keep rp_filter enabled unless fake routes to the remote subnets are configured on the interface currently used to reach the peer. IPsec provides a much stronger anti-spoofing policy than rp_filter, so this patch disables the rp_filter for packets with a security path. Signed-off-by: Michael Smith <msmith@cbnco.com> --- include/net/xfrm.h | 9 +++++++++ net/ipv4/fib_frontend.c | 6 +++++- 2 files changed, 14 insertions(+), 1 deletions(-) diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 6ae4bc5..65ea313 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -957,6 +957,15 @@ struct sec_path { struct xfrm_state *xvec[XFRM_MAX_DEPTH]; }; +static inline int secpath_exists(struct sk_buff *skb) +{ +#ifdef CONFIG_XFRM + return skb->sp != NULL; +#else + return 0; +#endif +} + static inline struct sec_path * secpath_get(struct sec_path *sp) { diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c index f162f84..2252471 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c @@ -44,6 +44,7 @@ #include <net/arp.h> #include <net/ip_fib.h> #include <net/rtnetlink.h> +#include <net/xfrm.h> #ifndef CONFIG_IP_MULTIPLE_TABLES @@ -211,7 +212,10 @@ int fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst, u8 tos, in_dev = __in_dev_get_rcu(dev); if (in_dev) { no_addr = in_dev->ifa_list == NULL; - rpf = IN_DEV_RPFILTER(in_dev); + + /* Ignore rp_filter for packets protected by IPsec. */ + rpf = secpath_exists(skb) ? 0 : IN_DEV_RPFILTER(in_dev); + accept_local = IN_DEV_ACCEPT_LOCAL(in_dev); fl4.flowi4_mark = IN_DEV_SRC_VMARK(in_dev) ? skb->mark : 0; } -- 1.6.3.2 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v2 0/2] Disable rp_filter for IPsec packets 2011-04-07 14:51 [PATCH v2 0/2] Disable rp_filter for IPsec packets Michael Smith 2011-04-07 14:51 ` [PATCH v2 1/2] fib_validate_source(): pass sk_buff instead of mark Michael Smith @ 2011-04-11 1:51 ` David Miller 1 sibling, 0 replies; 4+ messages in thread From: David Miller @ 2011-04-11 1:51 UTC (permalink / raw) To: msmith; +Cc: netdev From: Michael Smith <msmith@cbnco.com> Date: Thu, 7 Apr 2011 10:51:49 -0400 > The reverse path filter interferes with IPsec subnet-to-subnet tunnels, > especially when the link to the IPsec peer is on an interface other than > the one hosting the default route. > > IPsec provides a much stronger anti-spoofing policy than rp_filter, so > this patch disables the rp_filter for packets with a security path. > > Patch is against net-next. All applied, thanks Michael. ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2011-04-11 1:51 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2011-04-07 14:51 [PATCH v2 0/2] Disable rp_filter for IPsec packets Michael Smith 2011-04-07 14:51 ` [PATCH v2 1/2] fib_validate_source(): pass sk_buff instead of mark Michael Smith 2011-04-07 14:51 ` [PATCH v2 2/2] Disable rp_filter for IPsec packets Michael Smith 2011-04-11 1:51 ` [PATCH v2 0/2] " David Miller
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).