[PATCH net-next 0/2] net: vrf: Fix send to local broadcast address

[PATCH net-next 0/2] net: vrf: Fix send to local broadcast address

[David Ahern]

Patch set to fix packet send to the 255.255.255.255 address from a VRF.

First patch tell vrf driver to ignore those packets. Second patches
updates the uapi to allow sends from sockets bound to an L3 master
device.

David Ahern (2):
  net: vrf: Add support for sends to local broadcast address
  net/ipv4: Allow send to local broadcast from a socket bound to a VRF

 drivers/net/vrf.c      |  5 +++--
 net/ipv4/ip_sockglue.c |  6 +++++-
 net/ipv4/raw.c         | 15 ++++++++++++++-
 net/ipv4/udp.c         | 15 ++++++++++++++-
 4 files changed, 36 insertions(+), 5 deletions(-)

-- 
2.11.0

[PATCH net-next 1/2] net: vrf: Add support for sends to local broadcast address

[David Ahern]

Sukumar reported that sends to the local broadcast address
(255.255.255.255) are broken. Check for the address in vrf driver
and do not redirect to the VRF device - similar to multicast
packets.

With this change sockets can use SO_BINDTODEVICE to specify an
egress interface and receive responses. Note: the egress interface
can not be a VRF device but needs to be the enslaved device.

https://bugzilla.kernel.org/show_bug.cgi?id=198521

Reported-by: Sukumar Gopalakrishnan <sukumarg1973@gmail.com>
Signed-off-by: David Ahern <dsahern@gmail.com>

---
Dave: Really this is a day 1 bug that goes back to the beginning of VRF.
IMO, backport to the 4.14 LTS kernel is sufficient; the multicast
handling for IPv4 was only complete as of the 4.12 kernel. I directed
this at net-next because it is not urgent for the 4.15 merge window.

 drivers/net/vrf.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
index feb1b2e15c2e..139c61c8244a 100644
--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -673,8 +673,9 @@ static struct sk_buff *vrf_ip_out(struct net_device *vrf_dev,
 				  struct sock *sk,
 				  struct sk_buff *skb)
 {
-	/* don't divert multicast */
-	if (ipv4_is_multicast(ip_hdr(skb)->daddr))
+	/* don't divert multicast or local broadcast */
+	if (ipv4_is_multicast(ip_hdr(skb)->daddr) ||
+	    ipv4_is_lbcast(ip_hdr(skb)->daddr))
 		return skb;
 
 	if (qdisc_tx_is_default(vrf_dev))
-- 
2.11.0

Re: [PATCH net-next 1/2] net: vrf: Add support for sends to local broadcast address

[David Miller]

From: David Ahern <dsahern@gmail.com>
Date: Wed, 24 Jan 2018 19:37:37 -0800

> Sukumar reported that sends to the local broadcast address
> (255.255.255.255) are broken. Check for the address in vrf driver
> and do not redirect to the VRF device - similar to multicast
> packets.
> 
> With this change sockets can use SO_BINDTODEVICE to specify an
> egress interface and receive responses. Note: the egress interface
> can not be a VRF device but needs to be the enslaved device.
> 
> https://bugzilla.kernel.org/show_bug.cgi?id=198521
> 
> Reported-by: Sukumar Gopalakrishnan <sukumarg1973@gmail.com>
> Signed-off-by: David Ahern <dsahern@gmail.com>
> 
> ---
> Dave: Really this is a day 1 bug that goes back to the beginning of VRF.
> IMO, backport to the 4.14 LTS kernel is sufficient; the multicast
> handling for IPv4 was only complete as of the 4.12 kernel. I directed
> this at net-next because it is not urgent for the 4.15 merge window.

You have to decide, either this is for 'net' and -stable, or it isn't.

We don't put things into net-next and then -stable backport it.  It
doesn't work like that.

Re: [PATCH net-next 1/2] net: vrf: Add support for sends to local broadcast address

[David Ahern]

On 1/25/18 2:23 PM, David Miller wrote:
> From: David Ahern <dsahern@gmail.com>
> Date: Wed, 24 Jan 2018 19:37:37 -0800
> 
>> Sukumar reported that sends to the local broadcast address
>> (255.255.255.255) are broken. Check for the address in vrf driver
>> and do not redirect to the VRF device - similar to multicast
>> packets.
>>
>> With this change sockets can use SO_BINDTODEVICE to specify an
>> egress interface and receive responses. Note: the egress interface
>> can not be a VRF device but needs to be the enslaved device.
>>
>> https://bugzilla.kernel.org/show_bug.cgi?id=198521
>>
>> Reported-by: Sukumar Gopalakrishnan <sukumarg1973@gmail.com>
>> Signed-off-by: David Ahern <dsahern@gmail.com>
>>
>> ---
>> Dave: Really this is a day 1 bug that goes back to the beginning of VRF.
>> IMO, backport to the 4.14 LTS kernel is sufficient; the multicast
>> handling for IPv4 was only complete as of the 4.12 kernel. I directed
>> this at net-next because it is not urgent for the 4.15 merge window.
> 
> You have to decide, either this is for 'net' and -stable, or it isn't.
> 
> We don't put things into net-next and then -stable backport it.  It
> doesn't work like that.
> 

Please take this one for -net and patch 2 for net-next (it's a new
feature). I can re-send as separate patches if needed.

Re: [PATCH net-next 1/2] net: vrf: Add support for sends to local broadcast address

[David Miller]

From: David Ahern <dsahern@gmail.com>
Date: Thu, 25 Jan 2018 15:01:23 -0700

> On 1/25/18 2:23 PM, David Miller wrote:
>> From: David Ahern <dsahern@gmail.com>
>> Date: Wed, 24 Jan 2018 19:37:37 -0800
>> 
>>> Sukumar reported that sends to the local broadcast address
>>> (255.255.255.255) are broken. Check for the address in vrf driver
>>> and do not redirect to the VRF device - similar to multicast
>>> packets.
>>>
>>> With this change sockets can use SO_BINDTODEVICE to specify an
>>> egress interface and receive responses. Note: the egress interface
>>> can not be a VRF device but needs to be the enslaved device.
>>>
>>> https://bugzilla.kernel.org/show_bug.cgi?id=198521
>>>
>>> Reported-by: Sukumar Gopalakrishnan <sukumarg1973@gmail.com>
>>> Signed-off-by: David Ahern <dsahern@gmail.com>
>>>
>>> ---
>>> Dave: Really this is a day 1 bug that goes back to the beginning of VRF.
>>> IMO, backport to the 4.14 LTS kernel is sufficient; the multicast
>>> handling for IPv4 was only complete as of the 4.12 kernel. I directed
>>> this at net-next because it is not urgent for the 4.15 merge window.
>> 
>> You have to decide, either this is for 'net' and -stable, or it isn't.
>> 
>> We don't put things into net-next and then -stable backport it.  It
>> doesn't work like that.
> 
> Please take this one for -net and patch 2 for net-next (it's a new
> feature). I can re-send as separate patches if needed.

Ok I'll do that, no need to resend.

Thanks.

[PATCH net-next 2/2] net/ipv4: Allow send to local broadcast from a socket bound to a VRF

[David Ahern]

Message sends to the local broadcast address (255.255.255.255) require
uc_index or sk_bound_dev_if to be set to an egress device. However,
responses or only received if the socket is bound to the device. This
is overly constraining for processes running in an L3 domain. This
patch allows a socket bound to the VRF device to send to the local
broadcast address by using IP_UNICAST_IF to set the egress interface
with packet receipt handled by the VRF binding.

Similar to IP_MULTICAST_IF, relax the constraint on setting
IP_UNICAST_IF if a socket is bound to an L3 master device. In this
case allow uc_index to be set to an enslaved if sk_bound_dev_if is
an L3 master device and is the master device for the ifindex.

In udp and raw sendmsg, allow uc_index to override the oif if
uc_index master device is oif (ie., the oif is an L3 master and the
index is an L3 slave).

Signed-off-by: David Ahern <dsahern@gmail.com>
---
 net/ipv4/ip_sockglue.c |  6 +++++-
 net/ipv4/raw.c         | 15 ++++++++++++++-
 net/ipv4/udp.c         | 15 ++++++++++++++-
 3 files changed, 33 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 60fb1eb7d7d8..6cc70fa488cb 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -808,6 +808,7 @@ static int do_ip_setsockopt(struct sock *sk, int level,
 	{
 		struct net_device *dev = NULL;
 		int ifindex;
+		int midx;
 
 		if (optlen != sizeof(int))
 			goto e_inval;
@@ -823,10 +824,13 @@ static int do_ip_setsockopt(struct sock *sk, int level,
 		err = -EADDRNOTAVAIL;
 		if (!dev)
 			break;
+
+		midx = l3mdev_master_ifindex(dev);
 		dev_put(dev);
 
 		err = -EINVAL;
-		if (sk->sk_bound_dev_if)
+		if (sk->sk_bound_dev_if &&
+		    (!midx || midx != sk->sk_bound_dev_if))
 			break;
 
 		inet->uc_index = ifindex;
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 136544b36a46..7c509697ebc7 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -617,8 +617,21 @@ static int raw_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
 			ipc.oif = inet->mc_index;
 		if (!saddr)
 			saddr = inet->mc_addr;
-	} else if (!ipc.oif)
+	} else if (!ipc.oif) {
 		ipc.oif = inet->uc_index;
+	} else if (ipv4_is_lbcast(daddr) && inet->uc_index) {
+		/* oif is set, packet is to local broadcast and
+		 * and uc_index is set. oif is most likely set
+		 * by sk_bound_dev_if. If uc_index != oif check if the
+		 * oif is an L3 master and uc_index is an L3 slave.
+		 * If so, we want to allow the send using the uc_index.
+		 */
+		if (ipc.oif != inet->uc_index &&
+		    ipc.oif == l3mdev_master_ifindex_by_index(sock_net(sk),
+							      inet->uc_index)) {
+			ipc.oif = inet->uc_index;
+		}
+	}
 
 	flowi4_init_output(&fl4, ipc.oif, sk->sk_mark, tos,
 			   RT_SCOPE_UNIVERSE,
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 853321555a4e..3f018f34cf56 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -977,8 +977,21 @@ int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
 		if (!saddr)
 			saddr = inet->mc_addr;
 		connected = 0;
-	} else if (!ipc.oif)
+	} else if (!ipc.oif) {
 		ipc.oif = inet->uc_index;
+	} else if (ipv4_is_lbcast(daddr) && inet->uc_index) {
+		/* oif is set, packet is to local broadcast and
+		 * and uc_index is set. oif is most likely set
+		 * by sk_bound_dev_if. If uc_index != oif check if the
+		 * oif is an L3 master and uc_index is an L3 slave.
+		 * If so, we want to allow the send using the uc_index.
+		 */
+		if (ipc.oif != inet->uc_index &&
+		    ipc.oif == l3mdev_master_ifindex_by_index(sock_net(sk),
+							      inet->uc_index)) {
+			ipc.oif = inet->uc_index;
+		}
+	}
 
 	if (connected)
 		rt = (struct rtable *)sk_dst_check(sk, 0);
-- 
2.11.0