* net 01/05: fib_rules: rearrange struct fib_rule
2009-12-03 11:25 net 00/05: routing based send-to-self implementation Patrick McHardy
@ 2009-12-03 11:25 ` Patrick McHardy
2009-12-03 11:25 ` net 02/05: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME Patrick McHardy
` (5 subsequent siblings)
6 siblings, 0 replies; 14+ messages in thread
From: Patrick McHardy @ 2009-12-03 11:25 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy
commit b8952893d5d86f69c4e499d191b98c6658f64b0f
Author: Patrick McHardy <kaber@trash.net>
Date: Thu Dec 3 12:05:22 2009 +0100
net: fib_rules: rearrange struct fib_rule
The ifname member is only used to resolve interface names and is not needed
during rule lookups. The target and ctarget members however are used during
rule lookups and are currently located in a second cacheline.
Move ifname further to the end to make sure both target and ctarget are
located in the same cacheline as other members used during rule lookups.
The layout on 64 bit changes from:
struct fib_rule {
...
u32 table; /* 56 4 */
u8 action; /* 60 1 */
/* XXX 3 bytes hole, try to pack */
/* --- cacheline 1 boundary (64 bytes) --- */
u32 target; /* 64 4 */
/* XXX 4 bytes hole, try to pack */
struct fib_rule * ctarget; /* 72 8 */
struct rcu_head rcu; /* 80 16 */
struct net * fr_net; /* 96 8 */
};
to:
struct fib_rule {
...
u32 table; /* 40 4 */
u8 action; /* 44 1 */
/* XXX 3 bytes hole, try to pack */
u32 target; /* 48 4 */
/* XXX 4 bytes hole, try to pack */
struct fib_rule * ctarget; /* 56 8 */
/* --- cacheline 1 boundary (64 bytes) --- */
char ifname[16]; /* 64 16 */
struct rcu_head rcu; /* 80 16 */
struct net * fr_net; /* 96 8 */
};
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h
index 2cd707b..22fb323 100644
--- a/include/net/fib_rules.h
+++ b/include/net/fib_rules.h
@@ -11,7 +11,6 @@ struct fib_rule {
struct list_head list;
atomic_t refcnt;
int ifindex;
- char ifname[IFNAMSIZ];
u32 mark;
u32 mark_mask;
u32 pref;
@@ -20,6 +19,7 @@ struct fib_rule {
u8 action;
u32 target;
struct fib_rule * ctarget;
+ char ifname[IFNAMSIZ];
struct rcu_head rcu;
struct net * fr_net;
};
^ permalink raw reply related [flat|nested] 14+ messages in thread* net 02/05: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME
2009-12-03 11:25 net 00/05: routing based send-to-self implementation Patrick McHardy
2009-12-03 11:25 ` net 01/05: fib_rules: rearrange struct fib_rule Patrick McHardy
@ 2009-12-03 11:25 ` Patrick McHardy
2009-12-03 11:25 ` net 03/05: fib_rules: add oif classification Patrick McHardy
` (4 subsequent siblings)
6 siblings, 0 replies; 14+ messages in thread
From: Patrick McHardy @ 2009-12-03 11:25 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy
commit 229e77eec406ad68662f18e49fda8b5d366768c5
Author: Patrick McHardy <kaber@trash.net>
Date: Thu Dec 3 12:05:23 2009 +0100
net: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME
The next patch will add oif classification, rename interface related members
and attributes to reflect that they're used for iif classification.
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/include/linux/fib_rules.h b/include/linux/fib_rules.h
index c7e5b70..7e11bb2 100644
--- a/include/linux/fib_rules.h
+++ b/include/linux/fib_rules.h
@@ -8,7 +8,8 @@
#define FIB_RULE_PERMANENT 0x00000001
#define FIB_RULE_INVERT 0x00000002
#define FIB_RULE_UNRESOLVED 0x00000004
-#define FIB_RULE_DEV_DETACHED 0x00000008
+#define FIB_RULE_IIF_DETACHED 0x00000008
+#define FIB_RULE_DEV_DETACHED FIB_RULE_IIF_DETACHED
/* try to find source address in routing lookups */
#define FIB_RULE_FIND_SADDR 0x00010000
@@ -31,7 +32,8 @@ enum {
FRA_UNSPEC,
FRA_DST, /* destination address */
FRA_SRC, /* source address */
- FRA_IFNAME, /* interface name */
+ FRA_IIFNAME, /* interface name */
+#define FRA_IFNAME FRA_IIFNAME
FRA_GOTO, /* target to jump to (FR_ACT_GOTO) */
FRA_UNUSED2,
FRA_PRIORITY, /* priority/preference */
diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h
index 22fb323..62bebcb 100644
--- a/include/net/fib_rules.h
+++ b/include/net/fib_rules.h
@@ -10,7 +10,7 @@
struct fib_rule {
struct list_head list;
atomic_t refcnt;
- int ifindex;
+ int iifindex;
u32 mark;
u32 mark_mask;
u32 pref;
@@ -19,7 +19,7 @@ struct fib_rule {
u8 action;
u32 target;
struct fib_rule * ctarget;
- char ifname[IFNAMSIZ];
+ char iifname[IFNAMSIZ];
struct rcu_head rcu;
struct net * fr_net;
};
@@ -67,7 +67,7 @@ struct fib_rules_ops {
};
#define FRA_GENERIC_POLICY \
- [FRA_IFNAME] = { .type = NLA_STRING, .len = IFNAMSIZ - 1 }, \
+ [FRA_IIFNAME] = { .type = NLA_STRING, .len = IFNAMSIZ - 1 }, \
[FRA_PRIORITY] = { .type = NLA_U32 }, \
[FRA_FWMARK] = { .type = NLA_U32 }, \
[FRA_FWMASK] = { .type = NLA_U32 }, \
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index bd30938..8e8028c 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -135,7 +135,7 @@ static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops,
{
int ret = 0;
- if (rule->ifindex && (rule->ifindex != fl->iif))
+ if (rule->iifindex && (rule->iifindex != fl->iif))
goto out;
if ((rule->mark ^ fl->mark) & rule->mark_mask)
@@ -248,14 +248,14 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
if (tb[FRA_PRIORITY])
rule->pref = nla_get_u32(tb[FRA_PRIORITY]);
- if (tb[FRA_IFNAME]) {
+ if (tb[FRA_IIFNAME]) {
struct net_device *dev;
- rule->ifindex = -1;
- nla_strlcpy(rule->ifname, tb[FRA_IFNAME], IFNAMSIZ);
- dev = __dev_get_by_name(net, rule->ifname);
+ rule->iifindex = -1;
+ nla_strlcpy(rule->iifname, tb[FRA_IIFNAME], IFNAMSIZ);
+ dev = __dev_get_by_name(net, rule->iifname);
if (dev)
- rule->ifindex = dev->ifindex;
+ rule->iifindex = dev->ifindex;
}
if (tb[FRA_FWMARK]) {
@@ -388,8 +388,8 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
(rule->pref != nla_get_u32(tb[FRA_PRIORITY])))
continue;
- if (tb[FRA_IFNAME] &&
- nla_strcmp(tb[FRA_IFNAME], rule->ifname))
+ if (tb[FRA_IIFNAME] &&
+ nla_strcmp(tb[FRA_IIFNAME], rule->iifname))
continue;
if (tb[FRA_FWMARK] &&
@@ -447,7 +447,7 @@ static inline size_t fib_rule_nlmsg_size(struct fib_rules_ops *ops,
struct fib_rule *rule)
{
size_t payload = NLMSG_ALIGN(sizeof(struct fib_rule_hdr))
- + nla_total_size(IFNAMSIZ) /* FRA_IFNAME */
+ + nla_total_size(IFNAMSIZ) /* FRA_IIFNAME */
+ nla_total_size(4) /* FRA_PRIORITY */
+ nla_total_size(4) /* FRA_TABLE */
+ nla_total_size(4) /* FRA_FWMARK */
@@ -481,11 +481,11 @@ static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule,
if (rule->action == FR_ACT_GOTO && rule->ctarget == NULL)
frh->flags |= FIB_RULE_UNRESOLVED;
- if (rule->ifname[0]) {
- NLA_PUT_STRING(skb, FRA_IFNAME, rule->ifname);
+ if (rule->iifname[0]) {
+ NLA_PUT_STRING(skb, FRA_IIFNAME, rule->iifname);
- if (rule->ifindex == -1)
- frh->flags |= FIB_RULE_DEV_DETACHED;
+ if (rule->iifindex == -1)
+ frh->flags |= FIB_RULE_IIF_DETACHED;
}
if (rule->pref)
@@ -600,9 +600,9 @@ static void attach_rules(struct list_head *rules, struct net_device *dev)
struct fib_rule *rule;
list_for_each_entry(rule, rules, list) {
- if (rule->ifindex == -1 &&
- strcmp(dev->name, rule->ifname) == 0)
- rule->ifindex = dev->ifindex;
+ if (rule->iifindex == -1 &&
+ strcmp(dev->name, rule->iifname) == 0)
+ rule->iifindex = dev->ifindex;
}
}
@@ -611,8 +611,8 @@ static void detach_rules(struct list_head *rules, struct net_device *dev)
struct fib_rule *rule;
list_for_each_entry(rule, rules, list)
- if (rule->ifindex == dev->ifindex)
- rule->ifindex = -1;
+ if (rule->iifindex == dev->ifindex)
+ rule->iifindex = -1;
}
^ permalink raw reply related [flat|nested] 14+ messages in thread* net 03/05: fib_rules: add oif classification
2009-12-03 11:25 net 00/05: routing based send-to-self implementation Patrick McHardy
2009-12-03 11:25 ` net 01/05: fib_rules: rearrange struct fib_rule Patrick McHardy
2009-12-03 11:25 ` net 02/05: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME Patrick McHardy
@ 2009-12-03 11:25 ` Patrick McHardy
2009-12-03 11:25 ` net 04/05: fib_rules: allow to delete local rule Patrick McHardy
` (3 subsequent siblings)
6 siblings, 0 replies; 14+ messages in thread
From: Patrick McHardy @ 2009-12-03 11:25 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy
commit 68144d350f4f6c348659c825cde6a82b34c27a91
Author: Patrick McHardy <kaber@trash.net>
Date: Thu Dec 3 12:05:25 2009 +0100
net: fib_rules: add oif classification
Support routing table lookup based on the flow's oif. This is useful to
classify packets originating from sockets bound to interfaces differently.
The route cache already includes the oif and needs no changes.
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/include/linux/fib_rules.h b/include/linux/fib_rules.h
index 7e11bb2..51da65b 100644
--- a/include/linux/fib_rules.h
+++ b/include/linux/fib_rules.h
@@ -10,6 +10,7 @@
#define FIB_RULE_UNRESOLVED 0x00000004
#define FIB_RULE_IIF_DETACHED 0x00000008
#define FIB_RULE_DEV_DETACHED FIB_RULE_IIF_DETACHED
+#define FIB_RULE_OIF_DETACHED 0x00000010
/* try to find source address in routing lookups */
#define FIB_RULE_FIND_SADDR 0x00010000
@@ -47,6 +48,7 @@ enum {
FRA_UNUSED8,
FRA_TABLE, /* Extended table id */
FRA_FWMASK, /* mask for netfilter mark */
+ FRA_OIFNAME,
__FRA_MAX
};
diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h
index 62bebcb..d4e875a 100644
--- a/include/net/fib_rules.h
+++ b/include/net/fib_rules.h
@@ -11,6 +11,7 @@ struct fib_rule {
struct list_head list;
atomic_t refcnt;
int iifindex;
+ int oifindex;
u32 mark;
u32 mark_mask;
u32 pref;
@@ -20,6 +21,7 @@ struct fib_rule {
u32 target;
struct fib_rule * ctarget;
char iifname[IFNAMSIZ];
+ char oifname[IFNAMSIZ];
struct rcu_head rcu;
struct net * fr_net;
};
@@ -68,6 +70,7 @@ struct fib_rules_ops {
#define FRA_GENERIC_POLICY \
[FRA_IIFNAME] = { .type = NLA_STRING, .len = IFNAMSIZ - 1 }, \
+ [FRA_OIFNAME] = { .type = NLA_STRING, .len = IFNAMSIZ - 1 }, \
[FRA_PRIORITY] = { .type = NLA_U32 }, \
[FRA_FWMARK] = { .type = NLA_U32 }, \
[FRA_FWMASK] = { .type = NLA_U32 }, \
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index 8e8028c..d1a70ad 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -138,6 +138,9 @@ static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops,
if (rule->iifindex && (rule->iifindex != fl->iif))
goto out;
+ if (rule->oifindex && (rule->oifindex != fl->oif))
+ goto out;
+
if ((rule->mark ^ fl->mark) & rule->mark_mask)
goto out;
@@ -258,6 +261,16 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
rule->iifindex = dev->ifindex;
}
+ if (tb[FRA_OIFNAME]) {
+ struct net_device *dev;
+
+ rule->oifindex = -1;
+ nla_strlcpy(rule->oifname, tb[FRA_OIFNAME], IFNAMSIZ);
+ dev = __dev_get_by_name(net, rule->oifname);
+ if (dev)
+ rule->oifindex = dev->ifindex;
+ }
+
if (tb[FRA_FWMARK]) {
rule->mark = nla_get_u32(tb[FRA_FWMARK]);
if (rule->mark)
@@ -392,6 +405,10 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
nla_strcmp(tb[FRA_IIFNAME], rule->iifname))
continue;
+ if (tb[FRA_OIFNAME] &&
+ nla_strcmp(tb[FRA_OIFNAME], rule->oifname))
+ continue;
+
if (tb[FRA_FWMARK] &&
(rule->mark != nla_get_u32(tb[FRA_FWMARK])))
continue;
@@ -448,6 +465,7 @@ static inline size_t fib_rule_nlmsg_size(struct fib_rules_ops *ops,
{
size_t payload = NLMSG_ALIGN(sizeof(struct fib_rule_hdr))
+ nla_total_size(IFNAMSIZ) /* FRA_IIFNAME */
+ + nla_total_size(IFNAMSIZ) /* FRA_OIFNAME */
+ nla_total_size(4) /* FRA_PRIORITY */
+ nla_total_size(4) /* FRA_TABLE */
+ nla_total_size(4) /* FRA_FWMARK */
@@ -488,6 +506,13 @@ static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule,
frh->flags |= FIB_RULE_IIF_DETACHED;
}
+ if (rule->oifname[0]) {
+ NLA_PUT_STRING(skb, FRA_OIFNAME, rule->oifname);
+
+ if (rule->oifindex == -1)
+ frh->flags |= FIB_RULE_OIF_DETACHED;
+ }
+
if (rule->pref)
NLA_PUT_U32(skb, FRA_PRIORITY, rule->pref);
@@ -603,6 +628,9 @@ static void attach_rules(struct list_head *rules, struct net_device *dev)
if (rule->iifindex == -1 &&
strcmp(dev->name, rule->iifname) == 0)
rule->iifindex = dev->ifindex;
+ if (rule->oifindex == -1 &&
+ strcmp(dev->name, rule->oifname) == 0)
+ rule->oifindex = dev->ifindex;
}
}
@@ -610,9 +638,12 @@ static void detach_rules(struct list_head *rules, struct net_device *dev)
{
struct fib_rule *rule;
- list_for_each_entry(rule, rules, list)
+ list_for_each_entry(rule, rules, list) {
if (rule->iifindex == dev->ifindex)
rule->iifindex = -1;
+ if (rule->oifindex == dev->ifindex)
+ rule->oifindex = -1;
+ }
}
^ permalink raw reply related [flat|nested] 14+ messages in thread* net 04/05: fib_rules: allow to delete local rule
2009-12-03 11:25 net 00/05: routing based send-to-self implementation Patrick McHardy
` (2 preceding siblings ...)
2009-12-03 11:25 ` net 03/05: fib_rules: add oif classification Patrick McHardy
@ 2009-12-03 11:25 ` Patrick McHardy
2009-12-03 11:25 ` ipv4 05/05: add sysctl to accept packets with local source addresses Patrick McHardy
` (2 subsequent siblings)
6 siblings, 0 replies; 14+ messages in thread
From: Patrick McHardy @ 2009-12-03 11:25 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy
commit d124356ce314fff22a047ea334379d5105b2d834
Author: Patrick McHardy <kaber@trash.net>
Date: Thu Dec 3 12:16:35 2009 +0100
net: fib_rules: allow to delete local rule
Allow to delete the local rule and recreate it with a higher priority. This
can be used to force packets with a local destination out on the wire instead
of routing them to loopback. Additionally this patch allows to recreate rules
with a priority of 0.
Combined with the previous patch to allow oif classification, a socket can
be bound to the desired interface and packets routed to the wire like this:
# move local rule to lower priority
ip rule add pref 1000 lookup local
ip rule del pref 0
# route packets of sockets bound to eth0 to the wire independant
# of the destination address
ip rule add pref 100 oif eth0 lookup 100
ip route add default dev eth0 table 100
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index d1a70ad..ef0e7d9 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -287,7 +287,7 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
rule->flags = frh->flags;
rule->table = frh_get_table(frh, tb);
- if (!rule->pref && ops->default_pref)
+ if (!tb[FRA_PRIORITY] && ops->default_pref)
rule->pref = ops->default_pref(ops);
err = -EINVAL;
diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
index 835262c..1239ed2 100644
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -284,7 +284,7 @@ static int fib_default_rules_init(struct fib_rules_ops *ops)
{
int err;
- err = fib_default_rule_add(ops, 0, RT_TABLE_LOCAL, FIB_RULE_PERMANENT);
+ err = fib_default_rule_add(ops, 0, RT_TABLE_LOCAL, 0);
if (err < 0)
return err;
err = fib_default_rule_add(ops, 0x7FFE, RT_TABLE_MAIN, 0);
diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c
index 00a7a5e..3b38f49 100644
--- a/net/ipv6/fib6_rules.c
+++ b/net/ipv6/fib6_rules.c
@@ -276,7 +276,7 @@ static int fib6_rules_net_init(struct net *net)
INIT_LIST_HEAD(&net->ipv6.fib6_rules_ops->rules_list);
err = fib_default_rule_add(net->ipv6.fib6_rules_ops, 0,
- RT6_TABLE_LOCAL, FIB_RULE_PERMANENT);
+ RT6_TABLE_LOCAL, 0);
if (err)
goto out_fib6_rules_ops;
^ permalink raw reply related [flat|nested] 14+ messages in thread* ipv4 05/05: add sysctl to accept packets with local source addresses
2009-12-03 11:25 net 00/05: routing based send-to-self implementation Patrick McHardy
` (3 preceding siblings ...)
2009-12-03 11:25 ` net 04/05: fib_rules: allow to delete local rule Patrick McHardy
@ 2009-12-03 11:25 ` Patrick McHardy
2009-12-04 7:52 ` Eric W. Biederman
2009-12-03 20:15 ` net 00/05: routing based send-to-self implementation David Miller
2011-01-14 10:18 ` Kirill Smelkov
6 siblings, 1 reply; 14+ messages in thread
From: Patrick McHardy @ 2009-12-03 11:25 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy
commit 8ec1e0ebe26087bfc5c0394ada5feb5758014fc8
Author: Patrick McHardy <kaber@trash.net>
Date: Thu Dec 3 12:16:35 2009 +0100
ipv4: add sysctl to accept packets with local source addresses
Change fib_validate_source() to accept packets with a local source address when
the "accept_local" sysctl is set for the incoming inet device. Combined with the
previous patches, this allows to communicate between multiple local interfaces
over the wire.
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index 989f553..006b39d 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -731,6 +731,12 @@ accept_source_route - BOOLEAN
default TRUE (router)
FALSE (host)
+accept_local - BOOLEAN
+ Accept packets with local source addresses. In combination with
+ suitable routing, this can be used to direct packets between two
+ local interfaces over the wire and have them accepted properly.
+ default FALSE
+
rp_filter - INTEGER
0 - No source validation.
1 - Strict mode as defined in RFC3704 Strict Reverse Path
diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
index eecfa55..699e85c 100644
--- a/include/linux/inetdevice.h
+++ b/include/linux/inetdevice.h
@@ -83,6 +83,7 @@ static inline void ipv4_devconf_setall(struct in_device *in_dev)
#define IN_DEV_RPFILTER(in_dev) IN_DEV_MAXCONF((in_dev), RP_FILTER)
#define IN_DEV_SOURCE_ROUTE(in_dev) IN_DEV_ANDCONF((in_dev), \
ACCEPT_SOURCE_ROUTE)
+#define IN_DEV_ACCEPT_LOCAL(in_dev) IN_DEV_ORCONF((in_dev), ACCEPT_LOCAL)
#define IN_DEV_BOOTP_RELAY(in_dev) IN_DEV_ANDCONF((in_dev), BOOTP_RELAY)
#define IN_DEV_LOG_MARTIANS(in_dev) IN_DEV_ORCONF((in_dev), LOG_MARTIANS)
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index 1e4743e..9f047d7 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -490,6 +490,7 @@ enum
NET_IPV4_CONF_PROMOTE_SECONDARIES=20,
NET_IPV4_CONF_ARP_ACCEPT=21,
NET_IPV4_CONF_ARP_NOTIFY=22,
+ NET_IPV4_CONF_ACCEPT_LOCAL=23,
__NET_IPV4_CONF_MAX
};
diff --git a/kernel/sysctl_check.c b/kernel/sysctl_check.c
index b6e7aae..f1d676e 100644
--- a/kernel/sysctl_check.c
+++ b/kernel/sysctl_check.c
@@ -220,6 +220,7 @@ static const struct trans_ctl_table trans_net_ipv4_conf_vars_table[] = {
{ NET_IPV4_CONF_PROMOTE_SECONDARIES, "promote_secondaries" },
{ NET_IPV4_CONF_ARP_ACCEPT, "arp_accept" },
{ NET_IPV4_CONF_ARP_NOTIFY, "arp_notify" },
+ { NET_IPV4_CONF_ACCEPT_LOCAL, "accept_local" },
{}
};
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index c100709..e312661 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -1468,6 +1468,7 @@ static struct devinet_sysctl_table {
DEVINET_SYSCTL_RW_ENTRY(SEND_REDIRECTS, "send_redirects"),
DEVINET_SYSCTL_RW_ENTRY(ACCEPT_SOURCE_ROUTE,
"accept_source_route"),
+ DEVINET_SYSCTL_RW_ENTRY(ACCEPT_LOCAL, "accept_local"),
DEVINET_SYSCTL_RW_ENTRY(PROXY_ARP, "proxy_arp"),
DEVINET_SYSCTL_RW_ENTRY(MEDIUM_ID, "medium_id"),
DEVINET_SYSCTL_RW_ENTRY(BOOTP_RELAY, "bootp_relay"),
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 3b373a8..3323168 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -241,16 +241,17 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
.iif = oif };
struct fib_result res;
- int no_addr, rpf;
+ int no_addr, rpf, accept_local;
int ret;
struct net *net;
- no_addr = rpf = 0;
+ no_addr = rpf = accept_local = 0;
rcu_read_lock();
in_dev = __in_dev_get_rcu(dev);
if (in_dev) {
no_addr = in_dev->ifa_list == NULL;
rpf = IN_DEV_RPFILTER(in_dev);
+ accept_local = IN_DEV_ACCEPT_LOCAL(in_dev);
}
rcu_read_unlock();
@@ -260,8 +261,10 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
net = dev_net(dev);
if (fib_lookup(net, &fl, &res))
goto last_resort;
- if (res.type != RTN_UNICAST)
- goto e_inval_res;
+ if (res.type != RTN_UNICAST) {
+ if (res.type != RTN_LOCAL || !accept_local)
+ goto e_inval_res;
+ }
*spec_dst = FIB_RES_PREFSRC(res);
fib_combine_itag(itag, &res);
#ifdef CONFIG_IP_ROUTE_MULTIPATH
^ permalink raw reply related [flat|nested] 14+ messages in thread* Re: ipv4 05/05: add sysctl to accept packets with local source addresses
2009-12-03 11:25 ` ipv4 05/05: add sysctl to accept packets with local source addresses Patrick McHardy
@ 2009-12-04 7:52 ` Eric W. Biederman
2009-12-04 7:55 ` Patrick McHardy
0 siblings, 1 reply; 14+ messages in thread
From: Eric W. Biederman @ 2009-12-04 7:52 UTC (permalink / raw)
To: Patrick McHardy; +Cc: davem, netdev
Patrick McHardy <kaber@trash.net> writes:
> commit 8ec1e0ebe26087bfc5c0394ada5feb5758014fc8
> Author: Patrick McHardy <kaber@trash.net>
> Date: Thu Dec 3 12:16:35 2009 +0100
>
> ipv4: add sysctl to accept packets with local source addresses
>
> Change fib_validate_source() to accept packets with a local source address when
> the "accept_local" sysctl is set for the incoming inet device. Combined with the
> previous patches, this allows to communicate between multiple local interfaces
> over the wire.
>
> Signed-off-by: Patrick McHardy <kaber@trash.net>
>
Obligatory grumble. New binary sysctl. Grumble.
Honestly this might be the one new sysctl that doesn't conflict with
my sysctl tree. That should merge to Linus sometime this merge cycle
which will stop exporting this to userspace. So I don't have any
real complaints. Grumble.
This overloading of sysctl.h for the binary sysctl numbers and
the index into the perdevice sysctls is something we should probably
change at some point to keep maintenance a little less confusing.
Eric
> diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
> index 1e4743e..9f047d7 100644
> --- a/include/linux/sysctl.h
> +++ b/include/linux/sysctl.h
> @@ -490,6 +490,7 @@ enum
> NET_IPV4_CONF_PROMOTE_SECONDARIES=20,
> NET_IPV4_CONF_ARP_ACCEPT=21,
> NET_IPV4_CONF_ARP_NOTIFY=22,
> + NET_IPV4_CONF_ACCEPT_LOCAL=23,
> __NET_IPV4_CONF_MAX
> };
>
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: ipv4 05/05: add sysctl to accept packets with local source addresses
2009-12-04 7:52 ` Eric W. Biederman
@ 2009-12-04 7:55 ` Patrick McHardy
0 siblings, 0 replies; 14+ messages in thread
From: Patrick McHardy @ 2009-12-04 7:55 UTC (permalink / raw)
To: Eric W. Biederman; +Cc: davem, netdev
Eric W. Biederman wrote:
> Patrick McHardy <kaber@trash.net> writes:
>
>> commit 8ec1e0ebe26087bfc5c0394ada5feb5758014fc8
>> Author: Patrick McHardy <kaber@trash.net>
>> Date: Thu Dec 3 12:16:35 2009 +0100
>>
>> ipv4: add sysctl to accept packets with local source addresses
>>
>> Change fib_validate_source() to accept packets with a local source address when
>> the "accept_local" sysctl is set for the incoming inet device. Combined with the
>> previous patches, this allows to communicate between multiple local interfaces
>> over the wire.
>>
>> Signed-off-by: Patrick McHardy <kaber@trash.net>
>>
>
> Obligatory grumble. New binary sysctl. Grumble.
>
> Honestly this might be the one new sysctl that doesn't conflict with
> my sysctl tree. That should merge to Linus sometime this merge cycle
> which will stop exporting this to userspace. So I don't have any
> real complaints. Grumble.
>
> This overloading of sysctl.h for the binary sysctl numbers and
> the index into the perdevice sysctls is something we should probably
> change at some point to keep maintenance a little less confusing.
Yes, unfortunately its currently not possible to add inetdev sysctls
without allocating new numbers.
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: net 00/05: routing based send-to-self implementation
2009-12-03 11:25 net 00/05: routing based send-to-self implementation Patrick McHardy
` (4 preceding siblings ...)
2009-12-03 11:25 ` ipv4 05/05: add sysctl to accept packets with local source addresses Patrick McHardy
@ 2009-12-03 20:15 ` David Miller
2011-01-14 10:18 ` Kirill Smelkov
6 siblings, 0 replies; 14+ messages in thread
From: David Miller @ 2009-12-03 20:15 UTC (permalink / raw)
To: kaber; +Cc: netdev
From: Patrick McHardy <kaber@trash.net>
Date: Thu, 3 Dec 2009 12:25:52 +0100 (MET)
> These patches are yet another attempt at adding "send-to-self" functionality,
> allowing to send packets between two local interfaces over the wire. Unlike
> the approaches I've seen so far, this one is purely routing based.
> Especially the oif classification should also be useful for different setups.
...
> Please apply, thanks!
All applied to net-next-2.6, thanks!
^ permalink raw reply [flat|nested] 14+ messages in thread* Re: net 00/05: routing based send-to-self implementation
2009-12-03 11:25 net 00/05: routing based send-to-self implementation Patrick McHardy
` (5 preceding siblings ...)
2009-12-03 20:15 ` net 00/05: routing based send-to-self implementation David Miller
@ 2011-01-14 10:18 ` Kirill Smelkov
2011-01-14 12:22 ` Patrick McHardy
2011-01-14 13:40 ` Jonathan Corbet
6 siblings, 2 replies; 14+ messages in thread
From: Kirill Smelkov @ 2011-01-14 10:18 UTC (permalink / raw)
To: Patrick McHardy; +Cc: davem, netdev, Jonathan Corbet, Boris Kocherov
[ Cc'ing Jonathan Corbet and a friend of mine ]
On Thu, Dec 03, 2009 at 12:25:52PM +0100, Patrick McHardy wrote:
> These patches are yet another attempt at adding "send-to-self" functionality,
> allowing to send packets between two local interfaces over the wire. Unlike
> the approaches I've seen so far, this one is purely routing based.
> Especially the oif classification should also be useful for different setups.
>
> The patchset consists of three parts:
>
> - the first three patches add oif classification to fib_rules. This can be
> used create special routing tables for sockets bound to an interface.
>
> - the fourth patch changes IPv4 and IPv6 to allow to delete the local rule
> with priority 0. This allows to re-create it using a lower priority and
> insert new rules below it to force packets with a local destination out
> on the wire.
>
> - the fifth patch adds a devinet sysctl to accept packets with local source
> addresses in fib_validate_source(). This one unfortunately seems to be
> necessary, I couldn't come up with a method based purely on adding more
> routes to fool fib_validate_source() into accepting those packets.
>
> Usage example:
>
> # move local routing rule to lower priority
> ip rule add pref 1000 lookup local
> ip rule del pref 0
>
> # only reply to ARP requests for addresses configured on the device
> echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
>
> # configure device and force packets of bound sockets out on eth1
> ip address add dev eth1 10.0.0.1/24
> echo 1 > /proc/sys/net/ipv4/conf/eth1/accept_local
> ip link set eth1 up
> ip rule add pref 500 oif eth1 lookup 500
> ip route add default dev eth1 table 500
>
> # configure device and force packets of bound sockets out on eth2
> ip address add dev eth2 10.0.0.2/24
> echo 1 > /proc/sys/net/ipv4/conf/eth2/accept_local
> ip link set eth2 up
> ip rule add pref 501 oif eth2 lookup 501
> ip route add default dev eth2 table 501
>
> At this point packets between sockets bound to eth1/eth2 will go over the wire.
Patrick, thanks a lot for doing this!
Just a small follow-up: it is possible to setup such loops without
requiring sockets to be bound to devices. The idea is to setup rules
like
$ ip rule add pref 100 to <ip-on-eth1> lookup 100
$ ip route add default dev eth0 table 100
so that on TX, packets go through appropriate interfaces.
And for RX, another rules like
$ ip rule add pref 10 iif eth0 lookup local
so that packets can be received at all.
I've spent several days to find this, debugging and tracing kernel and
trying various variants on how to do it, so I though I'd better share
the info for poor souls like me :)
For completeness, here is the script which will setup tap0/tap1 loop
through virtual vde_switch.
( Jonathan, I though something like this could be useful for LDD4 in
revised snull not needing to play dirty tricks with IP addresses anymore )
---- 8< (mk-tap-loop.sh) ----
#!/bin/sh -e
# reset interfaces
ip link del tap0 2>/dev/null || :
ip link del tap1 2>/dev/null || :
# create interfaces
vde_tunctl -t tap0
vde_tunctl -t tap1
# assign addresses
ip addr add 192.168.23.10/24 dev tap0
ip addr add 192.168.23.11/24 dev tap1
# put ifs up
ip link set tap0 up
ip link set tap1 up
# lower priority of kernel local table to 500
ip rule del pref 0 lookup local 2>/dev/null || :
ip rule del pref 500 lookup local 2>/dev/null || :
ip rule add pref 500 lookup local
# on rx side handle packets by local table, so we can receive them
echo 1 >/proc/sys/net/ipv4/conf/tap0/accept_local
echo 1 >/proc/sys/net/ipv4/conf/tap1/accept_local
ip rule del pref 10 2>/dev/null || :
ip rule del pref 11 2>/dev/null || :
ip rule add pref 10 iif tap0 lookup local
ip rule add pref 11 iif tap1 lookup local
# tx
ip rule del pref 100 2>/dev/null || :
ip rule del pref 101 2>/dev/null || :
ip rule add pref 100 to 192.168.23.10 lookup 100 # tap0 <- tap1
ip rule add pref 101 to 192.168.23.11 lookup 101 # tap1 <- tap0
ip route flush table 100
ip route flush table 101
ip route add default dev tap1 table 100
ip route add default dev tap0 table 101
# ensure (visually) we've set up it ok
echo
echo " >>> rules:"
ip rule
echo
echo " >>> tap(0|1) routing table:"
#routel | grep '\<tap\(0\|1\)\>'
ip route show table all | grep '\<tap\(0\|1\)\>'
# tx path
echo
echo " >>> checking routing for tx path:"
ip route get 192.168.23.10 connected
ip route get 192.168.23.11 connected
# rx path
echo
echo " >>> checking routing for rx path:"
ip route get from 192.168.23.10 to 192.168.23.11 iif tap1
ip route get from 192.168.23.11 to 192.168.23.10 iif tap0
# start switch and connect switch-tap0 and switch-tap1
echo
echo " >>> ready to start vde_switch and connect wires..."
read
screen sh -c 'screen sh -cx "sleep 4; vde_plug2tap tap0"; screen sh -cx "sleep 4; vde_plug2tap tap1"; sh -cx vde_switch'
# now e.g. ping 192.168.23.11 sends packets to tap0 which are received
# on tap1 and ICMP-ECHO'ed by kernel on tap1 and received on tap0.
^ permalink raw reply [flat|nested] 14+ messages in thread* Re: net 00/05: routing based send-to-self implementation
2011-01-14 10:18 ` Kirill Smelkov
@ 2011-01-14 12:22 ` Patrick McHardy
2011-01-14 13:40 ` Jonathan Corbet
1 sibling, 0 replies; 14+ messages in thread
From: Patrick McHardy @ 2011-01-14 12:22 UTC (permalink / raw)
To: Kirill Smelkov; +Cc: davem, netdev, Jonathan Corbet, Boris Kocherov
On 14.01.2011 11:18, Kirill Smelkov wrote:
> [ Cc'ing Jonathan Corbet and a friend of mine ]
>
> On Thu, Dec 03, 2009 at 12:25:52PM +0100, Patrick McHardy wrote:
>> These patches are yet another attempt at adding "send-to-self" functionality,
>> allowing to send packets between two local interfaces over the wire. Unlike
>> the approaches I've seen so far, this one is purely routing based.
>> Especially the oif classification should also be useful for different setups.
>>
>> The patchset consists of three parts:
>>
>> - the first three patches add oif classification to fib_rules. This can be
>> used create special routing tables for sockets bound to an interface.
>>
>> - the fourth patch changes IPv4 and IPv6 to allow to delete the local rule
>> with priority 0. This allows to re-create it using a lower priority and
>> insert new rules below it to force packets with a local destination out
>> on the wire.
>>
>> - the fifth patch adds a devinet sysctl to accept packets with local source
>> addresses in fib_validate_source(). This one unfortunately seems to be
>> necessary, I couldn't come up with a method based purely on adding more
>> routes to fool fib_validate_source() into accepting those packets.
>>
>> Usage example:
>>
>> # move local routing rule to lower priority
>> ip rule add pref 1000 lookup local
>> ip rule del pref 0
>>
>> # only reply to ARP requests for addresses configured on the device
>> echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
>>
>> # configure device and force packets of bound sockets out on eth1
>> ip address add dev eth1 10.0.0.1/24
>> echo 1 > /proc/sys/net/ipv4/conf/eth1/accept_local
>> ip link set eth1 up
>> ip rule add pref 500 oif eth1 lookup 500
>> ip route add default dev eth1 table 500
>>
>> # configure device and force packets of bound sockets out on eth2
>> ip address add dev eth2 10.0.0.2/24
>> echo 1 > /proc/sys/net/ipv4/conf/eth2/accept_local
>> ip link set eth2 up
>> ip rule add pref 501 oif eth2 lookup 501
>> ip route add default dev eth2 table 501
>>
>> At this point packets between sockets bound to eth1/eth2 will go over the wire.
>
> Patrick, thanks a lot for doing this!
>
> Just a small follow-up: it is possible to setup such loops without
> requiring sockets to be bound to devices. The idea is to setup rules
> like
>
> $ ip rule add pref 100 to <ip-on-eth1> lookup 100
> $ ip route add default dev eth0 table 100
>
> so that on TX, packets go through appropriate interfaces.
>
> And for RX, another rules like
>
> $ ip rule add pref 10 iif eth0 lookup local
>
> so that packets can be received at all.
>
>
> I've spent several days to find this, debugging and tracing kernel and
> trying various variants on how to do it, so I though I'd better share
> the info for poor souls like me :)
>
> For completeness, here is the script which will setup tap0/tap1 loop
> through virtual vde_switch.
>
> ( Jonathan, I though something like this could be useful for LDD4 in
> revised snull not needing to play dirty tricks with IP addresses anymore )
Thanks for sharing this. Setups using this get pretty complicated,
I've done something similar recently to have packets loop through
the network stack twice using veth devices to perform double NAT
for remapping clashing networks. If I can get permission I'll post
that script as well.
>
>
> ---- 8< (mk-tap-loop.sh) ----
> #!/bin/sh -e
>
> # reset interfaces
> ip link del tap0 2>/dev/null || :
> ip link del tap1 2>/dev/null || :
>
> # create interfaces
> vde_tunctl -t tap0
> vde_tunctl -t tap1
>
> # assign addresses
> ip addr add 192.168.23.10/24 dev tap0
> ip addr add 192.168.23.11/24 dev tap1
>
> # put ifs up
> ip link set tap0 up
> ip link set tap1 up
>
> # lower priority of kernel local table to 500
> ip rule del pref 0 lookup local 2>/dev/null || :
> ip rule del pref 500 lookup local 2>/dev/null || :
> ip rule add pref 500 lookup local
>
> # on rx side handle packets by local table, so we can receive them
> echo 1 >/proc/sys/net/ipv4/conf/tap0/accept_local
> echo 1 >/proc/sys/net/ipv4/conf/tap1/accept_local
> ip rule del pref 10 2>/dev/null || :
> ip rule del pref 11 2>/dev/null || :
> ip rule add pref 10 iif tap0 lookup local
> ip rule add pref 11 iif tap1 lookup local
>
> # tx
> ip rule del pref 100 2>/dev/null || :
> ip rule del pref 101 2>/dev/null || :
> ip rule add pref 100 to 192.168.23.10 lookup 100 # tap0 <- tap1
> ip rule add pref 101 to 192.168.23.11 lookup 101 # tap1 <- tap0
>
> ip route flush table 100
> ip route flush table 101
> ip route add default dev tap1 table 100
> ip route add default dev tap0 table 101
>
>
> # ensure (visually) we've set up it ok
>
> echo
> echo " >>> rules:"
> ip rule
>
> echo
> echo " >>> tap(0|1) routing table:"
> #routel | grep '\<tap\(0\|1\)\>'
> ip route show table all | grep '\<tap\(0\|1\)\>'
>
> # tx path
> echo
> echo " >>> checking routing for tx path:"
> ip route get 192.168.23.10 connected
> ip route get 192.168.23.11 connected
>
> # rx path
> echo
> echo " >>> checking routing for rx path:"
> ip route get from 192.168.23.10 to 192.168.23.11 iif tap1
> ip route get from 192.168.23.11 to 192.168.23.10 iif tap0
>
>
>
> # start switch and connect switch-tap0 and switch-tap1
> echo
> echo " >>> ready to start vde_switch and connect wires..."
> read
> screen sh -c 'screen sh -cx "sleep 4; vde_plug2tap tap0"; screen sh -cx "sleep 4; vde_plug2tap tap1"; sh -cx vde_switch'
>
>
> # now e.g. ping 192.168.23.11 sends packets to tap0 which are received
> # on tap1 and ICMP-ECHO'ed by kernel on tap1 and received on tap0.
>
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: net 00/05: routing based send-to-self implementation
2011-01-14 10:18 ` Kirill Smelkov
2011-01-14 12:22 ` Patrick McHardy
@ 2011-01-14 13:40 ` Jonathan Corbet
2011-01-14 15:02 ` Kirill Smelkov
1 sibling, 1 reply; 14+ messages in thread
From: Jonathan Corbet @ 2011-01-14 13:40 UTC (permalink / raw)
To: Kirill Smelkov; +Cc: Patrick McHardy, davem, netdev, Boris Kocherov
On Fri, 14 Jan 2011 13:18:32 +0300
Kirill Smelkov <kirr@mns.spb.ru> wrote:
> ( Jonathan, I though something like this could be useful for LDD4 in
> revised snull not needing to play dirty tricks with IP addresses anymore )
Nice thought, thanks. I don't know yet whether we'd want to do that or
just run stuff on a virtual machine for LDD4 - lots of stuff to figure
out still.
Thanks,
jon
^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: net 00/05: routing based send-to-self implementation
2011-01-14 13:40 ` Jonathan Corbet
@ 2011-01-14 15:02 ` Kirill Smelkov
0 siblings, 0 replies; 14+ messages in thread
From: Kirill Smelkov @ 2011-01-14 15:02 UTC (permalink / raw)
To: Jonathan Corbet; +Cc: Patrick McHardy, davem, netdev, Boris Kocherov
On Fri, Jan 14, 2011 at 06:40:48AM -0700, Jonathan Corbet wrote:
> On Fri, 14 Jan 2011 13:18:32 +0300
> Kirill Smelkov <kirr@mns.spb.ru> wrote:
>
> > ( Jonathan, I though something like this could be useful for LDD4 in
> > revised snull not needing to play dirty tricks with IP addresses anymore )
>
> Nice thought, thanks. I don't know yet whether we'd want to do that or
> just run stuff on a virtual machine for LDD4 - lots of stuff to figure
> out still.
Just FYI: I've started with virtual machines, but figured out it is
(sometimes, maybe my fault) a bit of pain to coherently setup and also
that not all hardware have support for KVM - for example my netbook with
Atom N455, which I use half the time, does not support VT and they've
killed support for KQEMU in QEMU recently...
Anyway, good luck with LDD4!
Thanks,
Kirill
^ permalink raw reply [flat|nested] 14+ messages in thread
* ipv4 05/05: add sysctl to accept packets with local source addresses
2009-11-30 17:55 RFC: " Patrick McHardy
@ 2009-11-30 17:55 ` Patrick McHardy
0 siblings, 0 replies; 14+ messages in thread
From: Patrick McHardy @ 2009-11-30 17:55 UTC (permalink / raw)
To: netdev; +Cc: Patrick McHardy
commit 35924708110a98ac8407deaef95194ff9d0375d2
Author: Patrick McHardy <kaber@trash.net>
Date: Mon Nov 30 17:48:03 2009 +0100
ipv4: add sysctl to accept packets with local source addresses
Change fib_validate_source() to accept packets with a local source address when
the "accept_local" sysctl is set for the incoming inet device. Combined with the
previous patches, this allows to communicate between multiple local interfaces
over the wire.
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index a0e134d..b319d4f 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -723,6 +723,12 @@ accept_source_route - BOOLEAN
default TRUE (router)
FALSE (host)
+accept_local - BOOLEAN
+ Accept packets with local source addresses. In combination with
+ suitable routing, this can be used to direct packets between two
+ local interfaces over the wire and have them accepted properly.
+ default FALSE
+
rp_filter - INTEGER
0 - No source validation.
1 - Strict mode as defined in RFC3704 Strict Reverse Path
diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
index eecfa55..699e85c 100644
--- a/include/linux/inetdevice.h
+++ b/include/linux/inetdevice.h
@@ -83,6 +83,7 @@ static inline void ipv4_devconf_setall(struct in_device *in_dev)
#define IN_DEV_RPFILTER(in_dev) IN_DEV_MAXCONF((in_dev), RP_FILTER)
#define IN_DEV_SOURCE_ROUTE(in_dev) IN_DEV_ANDCONF((in_dev), \
ACCEPT_SOURCE_ROUTE)
+#define IN_DEV_ACCEPT_LOCAL(in_dev) IN_DEV_ORCONF((in_dev), ACCEPT_LOCAL)
#define IN_DEV_BOOTP_RELAY(in_dev) IN_DEV_ANDCONF((in_dev), BOOTP_RELAY)
#define IN_DEV_LOG_MARTIANS(in_dev) IN_DEV_ORCONF((in_dev), LOG_MARTIANS)
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index 1e4743e..9f047d7 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -490,6 +490,7 @@ enum
NET_IPV4_CONF_PROMOTE_SECONDARIES=20,
NET_IPV4_CONF_ARP_ACCEPT=21,
NET_IPV4_CONF_ARP_NOTIFY=22,
+ NET_IPV4_CONF_ACCEPT_LOCAL=23,
__NET_IPV4_CONF_MAX
};
diff --git a/kernel/sysctl_check.c b/kernel/sysctl_check.c
index b6e7aae..f1d676e 100644
--- a/kernel/sysctl_check.c
+++ b/kernel/sysctl_check.c
@@ -220,6 +220,7 @@ static const struct trans_ctl_table trans_net_ipv4_conf_vars_table[] = {
{ NET_IPV4_CONF_PROMOTE_SECONDARIES, "promote_secondaries" },
{ NET_IPV4_CONF_ARP_ACCEPT, "arp_accept" },
{ NET_IPV4_CONF_ARP_NOTIFY, "arp_notify" },
+ { NET_IPV4_CONF_ACCEPT_LOCAL, "accept_local" },
{}
};
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index c100709..e312661 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -1468,6 +1468,7 @@ static struct devinet_sysctl_table {
DEVINET_SYSCTL_RW_ENTRY(SEND_REDIRECTS, "send_redirects"),
DEVINET_SYSCTL_RW_ENTRY(ACCEPT_SOURCE_ROUTE,
"accept_source_route"),
+ DEVINET_SYSCTL_RW_ENTRY(ACCEPT_LOCAL, "accept_local"),
DEVINET_SYSCTL_RW_ENTRY(PROXY_ARP, "proxy_arp"),
DEVINET_SYSCTL_RW_ENTRY(MEDIUM_ID, "medium_id"),
DEVINET_SYSCTL_RW_ENTRY(BOOTP_RELAY, "bootp_relay"),
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 6c1e56a..32ea949 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -241,16 +241,17 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
.iif = oif };
struct fib_result res;
- int no_addr, rpf;
+ int no_addr, rpf, accept_local;
int ret;
struct net *net;
- no_addr = rpf = 0;
+ no_addr = rpf = accept_local = 0;
rcu_read_lock();
in_dev = __in_dev_get_rcu(dev);
if (in_dev) {
no_addr = in_dev->ifa_list == NULL;
rpf = IN_DEV_RPFILTER(in_dev);
+ accept_local = IN_DEV_ACCEPT_LOCAL(in_dev);
}
rcu_read_unlock();
@@ -260,8 +261,10 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
net = dev_net(dev);
if (fib_lookup(net, &fl, &res))
goto last_resort;
- if (res.type != RTN_UNICAST)
- goto e_inval_res;
+ if (res.type != RTN_UNICAST) {
+ if (res.type != RTN_LOCAL || !accept_local)
+ goto e_inval_res;
+ }
*spec_dst = FIB_RES_PREFSRC(res);
fib_combine_itag(itag, &res);
#ifdef CONFIG_IP_ROUTE_MULTIPATH
^ permalink raw reply related [flat|nested] 14+ messages in thread