* net 00/05: routing based send-to-self implementation
@ 2009-12-03 11:25 Patrick McHardy
2009-12-03 11:25 ` net 01/05: fib_rules: rearrange struct fib_rule Patrick McHardy
` (6 more replies)
0 siblings, 7 replies; 13+ messages in thread
From: Patrick McHardy @ 2009-12-03 11:25 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy
These patches are yet another attempt at adding "send-to-self" functionality,
allowing to send packets between two local interfaces over the wire. Unlike
the approaches I've seen so far, this one is purely routing based.
Especially the oif classification should also be useful for different setups.

The patchset consists of three parts:

- the first three patches add oif classification to fib_rules. This can be
  used to create special routing tables for sockets bound to an interface.

- the fourth patch changes IPv4 and IPv6 to allow to delete the local rule
  with priority 0. This allows to re-create it using a lower priority and
  insert new rules below it to force packets with a local destination out
  on the wire.

- the fifth patch adds a devinet sysctl to accept packets with local source
  addresses in fib_validate_source(). This one unfortunately seems to be
  necessary, I couldn't come up with a method based purely on adding more
  routes to fool fib_validate_source() into accepting those packets.

Usage example:

 # move local routing rule to lower priority
 ip rule add pref 1000 lookup local
 ip rule del pref 0

 # only reply to ARP requests for addresses configured on the device
 echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore

 # configure device and force packets of bound sockets out on eth1
 ip address add dev eth1 10.0.0.1/24
 echo 1 > /proc/sys/net/ipv4/conf/eth1/accept_local
 ip link set eth1 up
 ip rule add pref 500 oif eth1 lookup 500
 ip route add default dev eth1 table 500

 # configure device and force packets of bound sockets out on eth2
 ip address add dev eth2 10.0.0.2/24
 echo 1 > /proc/sys/net/ipv4/conf/eth2/accept_local
 ip link set eth2 up
 ip rule add pref 501 oif eth2 lookup 501
 ip route add default dev eth2 table 501

At this point packets between sockets bound to eth1/eth2 will go over the wire.

Changes since last posting:

- fixed an incorrect FIB_RULE_DEV_DETACHED define
- fixed incorrect example in the changelog

Please apply, thanks!
Documentation/networking/ip-sysctl.txt | 6 +++
include/linux/fib_rules.h | 8 +++-
include/linux/inetdevice.h | 1 +
include/linux/sysctl.h | 1 +
include/net/fib_rules.h | 9 +++-
kernel/sysctl_check.c | 1 +
net/core/fib_rules.c | 71 +++++++++++++++++++++++---------
net/ipv4/devinet.c | 1 +
net/ipv4/fib_frontend.c | 11 +++--
net/ipv4/fib_rules.c | 2 +-
net/ipv6/fib6_rules.c | 2 +-
11 files changed, 82 insertions(+), 31 deletions(-)
Patrick McHardy (5):
net: fib_rules: rearrange struct fib_rule
net: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME
net: fib_rules: add oif classification
net: fib_rules: allow to delete local rule
ipv4: add sysctl to accept packets with local source addresses
^ permalink raw reply [flat|nested] 13+ messages in thread
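The state that the usage example in this cover letter leaves behind can be recognised from `ip rule show` output and the per-device `accept_local` files. The script below is an added example, not part of the posted series; its function names and the sample rule listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the patch series): audit helpers that recognise the
# send-to-self configuration. All function names here are hypothetical.

# Constructed sample of `ip rule show` output after the usage example.
sample_rules() {
    cat <<'EOF'
500: from all oif eth1 lookup 500
501: from all oif eth2 lookup 501
1000: from all lookup local
32766: from all lookup main
32767: from all lookup default
EOF
}

# awk condition that is true only for the unconditional local rule; a rule
# such as "from all iif tap0 lookup local" has more fields and is skipped.
IS_LOCAL='$2 == "from" && $3 == "all" && $4 == "lookup" && $5 == "local" && NF == 5'

# Preference of the unconditional local rule; prints nothing if it is absent.
local_rule_pref() {
    awk "$IS_LOCAL"' { sub(":", "", $1); print $1; exit }'
}

# Rules evaluated before the unconditional local rule. These decide where
# traffic to local addresses goes before the local table is consulted.
rules_before_local() {
    awk "$IS_LOCAL"' { exit } { print }'
}

# Entries under the conf directory whose accept_local is 1. The patch defines
# IN_DEV_ACCEPT_LOCAL with IN_DEV_ORCONF, so "all" in this list means the
# setting is effective on every device.
accept_local_ifaces() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    for f in "$conf_dir"/*/accept_local; do
        [ -r "$f" ] || continue
        [ "$(cat "$f")" = "1" ] || continue
        iface=${f%/accept_local}
        printf '%s\n' "${iface##*/}"
    done
}

# Print findings, one per line. Returns 0 for the default state (local rule
# at pref 0, accept_local off everywhere) and 1 otherwise.
audit_send_to_self() {
    rules_file=$1 conf_dir=$2 findings=0
    pref=$(local_rule_pref < "$rules_file")
    if [ -z "$pref" ]; then
        echo "local rule: missing"; findings=1
    elif [ "$pref" -ne 0 ]; then
        echo "local rule: moved to pref $pref"; findings=1
        rules_before_local < "$rules_file" | sed 's/^/  ahead of local: /'
    fi
    for i in $(accept_local_ifaces "$conf_dir"); do
        echo "accept_local=1: $i"; findings=1
    done
    return $findings
}

# Stand-alone use on a live host: sh audit.sh live
if [ "${1:-}" = "live" ]; then
    tmp=$(mktemp)
    ip rule show > "$tmp"
    audit_send_to_self "$tmp" /proc/sys/net/ipv4/conf; rc=$?
    rm -f "$tmp"
    exit $rc
fi
```

A host in the default state produces no output and exit status 0; the configuration from the usage example reports the moved local rule, the two oif rules ahead of it, and eth1/eth2 with accept_local set.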
* net 01/05: fib_rules: rearrange struct fib_rule
2009-12-03 11:25 net 00/05: routing based send-to-self implementation Patrick McHardy
@ 2009-12-03 11:25 ` Patrick McHardy
2009-12-03 11:25 ` net 02/05: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME Patrick McHardy
` (5 subsequent siblings)
6 siblings, 0 replies; 13+ messages in thread
From: Patrick McHardy @ 2009-12-03 11:25 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy
commit b8952893d5d86f69c4e499d191b98c6658f64b0f
Author: Patrick McHardy <kaber@trash.net>
Date: Thu Dec 3 12:05:22 2009 +0100
net: fib_rules: rearrange struct fib_rule
The ifname member is only used to resolve interface names and is not needed
during rule lookups. The target and ctarget members however are used during
rule lookups and are currently located in a second cacheline.
Move ifname further to the end to make sure both target and ctarget are
located in the same cacheline as other members used during rule lookups.
The layout on 64 bit changes from:
struct fib_rule {
...
u32 table; /* 56 4 */
u8 action; /* 60 1 */
/* XXX 3 bytes hole, try to pack */
/* --- cacheline 1 boundary (64 bytes) --- */
u32 target; /* 64 4 */
/* XXX 4 bytes hole, try to pack */
struct fib_rule * ctarget; /* 72 8 */
struct rcu_head rcu; /* 80 16 */
struct net * fr_net; /* 96 8 */
};
to:
struct fib_rule {
...
u32 table; /* 40 4 */
u8 action; /* 44 1 */
/* XXX 3 bytes hole, try to pack */
u32 target; /* 48 4 */
/* XXX 4 bytes hole, try to pack */
struct fib_rule * ctarget; /* 56 8 */
/* --- cacheline 1 boundary (64 bytes) --- */
char ifname[16]; /* 64 16 */
struct rcu_head rcu; /* 80 16 */
struct net * fr_net; /* 96 8 */
};
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h
index 2cd707b..22fb323 100644
--- a/include/net/fib_rules.h
+++ b/include/net/fib_rules.h
@@ -11,7 +11,6 @@ struct fib_rule {
struct list_head list;
atomic_t refcnt;
int ifindex;
- char ifname[IFNAMSIZ];
u32 mark;
u32 mark_mask;
u32 pref;
@@ -20,6 +19,7 @@ struct fib_rule {
u8 action;
u32 target;
struct fib_rule * ctarget;
+ char ifname[IFNAMSIZ];
struct rcu_head rcu;
struct net * fr_net;
};
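Review bot: nothing in the struct records why `char ifname[IFNAMSIZ];` now sits after ctarget, so a later member added between action and ctarget can push target/ctarget back across the 64-byte boundary shown in the changelog without anyone noticing. A one-line comment above ifname saying that the members before it are the ones read during rule lookup would keep the layout intentional.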
^ permalink raw reply related [flat|nested] 13+ messages in thread
* net 02/05: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME
2009-12-03 11:25 net 00/05: routing based send-to-self implementation Patrick McHardy
2009-12-03 11:25 ` net 01/05: fib_rules: rearrange struct fib_rule Patrick McHardy
@ 2009-12-03 11:25 ` Patrick McHardy
2009-12-03 11:25 ` net 03/05: fib_rules: add oif classification Patrick McHardy
` (4 subsequent siblings)
6 siblings, 0 replies; 13+ messages in thread
From: Patrick McHardy @ 2009-12-03 11:25 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy
commit 229e77eec406ad68662f18e49fda8b5d366768c5
Author: Patrick McHardy <kaber@trash.net>
Date: Thu Dec 3 12:05:23 2009 +0100
net: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME
The next patch will add oif classification, rename interface related members
and attributes to reflect that they're used for iif classification.
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/include/linux/fib_rules.h b/include/linux/fib_rules.h
index c7e5b70..7e11bb2 100644
--- a/include/linux/fib_rules.h
+++ b/include/linux/fib_rules.h
@@ -8,7 +8,8 @@
#define FIB_RULE_PERMANENT 0x00000001
#define FIB_RULE_INVERT 0x00000002
#define FIB_RULE_UNRESOLVED 0x00000004
-#define FIB_RULE_DEV_DETACHED 0x00000008
+#define FIB_RULE_IIF_DETACHED 0x00000008
+#define FIB_RULE_DEV_DETACHED FIB_RULE_IIF_DETACHED
/* try to find source address in routing lookups */
#define FIB_RULE_FIND_SADDR 0x00010000
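Review bot: `#define FIB_RULE_DEV_DETACHED FIB_RULE_IIF_DETACHED` keeps the old name alive without saying why. Add a comment that the alias exists only for existing users of the old name, so new code uses FIB_RULE_IIF_DETACHED.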
@@ -31,7 +32,8 @@ enum {
FRA_UNSPEC,
FRA_DST, /* destination address */
FRA_SRC, /* source address */
- FRA_IFNAME, /* interface name */
+ FRA_IIFNAME, /* interface name */
+#define FRA_IFNAME FRA_IIFNAME
FRA_GOTO, /* target to jump to (FR_ACT_GOTO) */
FRA_UNUSED2,
FRA_PRIORITY, /* priority/preference */
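Review bot: the comment on the renamed attribute still reads `/* interface name */`; since the rename exists to distinguish it from the output interface added in the next patch, it should say input interface name. The `#define FRA_IFNAME FRA_IIFNAME` placed inside the enum body works, but a short compatibility comment beside it would make clear it is not a new attribute.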
diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h
index 22fb323..62bebcb 100644
--- a/include/net/fib_rules.h
+++ b/include/net/fib_rules.h
@@ -10,7 +10,7 @@
struct fib_rule {
struct list_head list;
atomic_t refcnt;
- int ifindex;
+ int iifindex;
u32 mark;
u32 mark_mask;
u32 pref;
@@ -19,7 +19,7 @@ struct fib_rule {
u8 action;
u32 target;
struct fib_rule * ctarget;
- char ifname[IFNAMSIZ];
+ char iifname[IFNAMSIZ];
struct rcu_head rcu;
struct net * fr_net;
};
@@ -67,7 +67,7 @@ struct fib_rules_ops {
};
#define FRA_GENERIC_POLICY \
- [FRA_IFNAME] = { .type = NLA_STRING, .len = IFNAMSIZ - 1 }, \
+ [FRA_IIFNAME] = { .type = NLA_STRING, .len = IFNAMSIZ - 1 }, \
[FRA_PRIORITY] = { .type = NLA_U32 }, \
[FRA_FWMARK] = { .type = NLA_U32 }, \
[FRA_FWMASK] = { .type = NLA_U32 }, \
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index bd30938..8e8028c 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -135,7 +135,7 @@ static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops,
{
int ret = 0;
- if (rule->ifindex && (rule->ifindex != fl->iif))
+ if (rule->iifindex && (rule->iifindex != fl->iif))
goto out;
if ((rule->mark ^ fl->mark) & rule->mark_mask)
@@ -248,14 +248,14 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
if (tb[FRA_PRIORITY])
rule->pref = nla_get_u32(tb[FRA_PRIORITY]);
- if (tb[FRA_IFNAME]) {
+ if (tb[FRA_IIFNAME]) {
struct net_device *dev;
- rule->ifindex = -1;
- nla_strlcpy(rule->ifname, tb[FRA_IFNAME], IFNAMSIZ);
- dev = __dev_get_by_name(net, rule->ifname);
+ rule->iifindex = -1;
+ nla_strlcpy(rule->iifname, tb[FRA_IIFNAME], IFNAMSIZ);
+ dev = __dev_get_by_name(net, rule->iifname);
if (dev)
- rule->ifindex = dev->ifindex;
+ rule->iifindex = dev->ifindex;
}
if (tb[FRA_FWMARK]) {
@@ -388,8 +388,8 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
(rule->pref != nla_get_u32(tb[FRA_PRIORITY])))
continue;
- if (tb[FRA_IFNAME] &&
- nla_strcmp(tb[FRA_IFNAME], rule->ifname))
+ if (tb[FRA_IIFNAME] &&
+ nla_strcmp(tb[FRA_IIFNAME], rule->iifname))
continue;
if (tb[FRA_FWMARK] &&
@@ -447,7 +447,7 @@ static inline size_t fib_rule_nlmsg_size(struct fib_rules_ops *ops,
struct fib_rule *rule)
{
size_t payload = NLMSG_ALIGN(sizeof(struct fib_rule_hdr))
- + nla_total_size(IFNAMSIZ) /* FRA_IFNAME */
+ + nla_total_size(IFNAMSIZ) /* FRA_IIFNAME */
+ nla_total_size(4) /* FRA_PRIORITY */
+ nla_total_size(4) /* FRA_TABLE */
+ nla_total_size(4) /* FRA_FWMARK */
@@ -481,11 +481,11 @@ static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule,
if (rule->action == FR_ACT_GOTO && rule->ctarget == NULL)
frh->flags |= FIB_RULE_UNRESOLVED;
- if (rule->ifname[0]) {
- NLA_PUT_STRING(skb, FRA_IFNAME, rule->ifname);
+ if (rule->iifname[0]) {
+ NLA_PUT_STRING(skb, FRA_IIFNAME, rule->iifname);
- if (rule->ifindex == -1)
- frh->flags |= FIB_RULE_DEV_DETACHED;
+ if (rule->iifindex == -1)
+ frh->flags |= FIB_RULE_IIF_DETACHED;
}
if (rule->pref)
@@ -600,9 +600,9 @@ static void attach_rules(struct list_head *rules, struct net_device *dev)
struct fib_rule *rule;
list_for_each_entry(rule, rules, list) {
- if (rule->ifindex == -1 &&
- strcmp(dev->name, rule->ifname) == 0)
- rule->ifindex = dev->ifindex;
+ if (rule->iifindex == -1 &&
+ strcmp(dev->name, rule->iifname) == 0)
+ rule->iifindex = dev->ifindex;
}
}
@@ -611,8 +611,8 @@ static void detach_rules(struct list_head *rules, struct net_device *dev)
struct fib_rule *rule;
list_for_each_entry(rule, rules, list)
- if (rule->ifindex == dev->ifindex)
- rule->ifindex = -1;
+ if (rule->iifindex == dev->ifindex)
+ rule->iifindex = -1;
}
^ permalink raw reply related [flat|nested] 13+ messages in thread
* net 03/05: fib_rules: add oif classification
2009-12-03 11:25 net 00/05: routing based send-to-self implementation Patrick McHardy
2009-12-03 11:25 ` net 01/05: fib_rules: rearrange struct fib_rule Patrick McHardy
2009-12-03 11:25 ` net 02/05: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME Patrick McHardy
@ 2009-12-03 11:25 ` Patrick McHardy
2009-12-03 11:25 ` net 04/05: fib_rules: allow to delete local rule Patrick McHardy
` (3 subsequent siblings)
6 siblings, 0 replies; 13+ messages in thread
From: Patrick McHardy @ 2009-12-03 11:25 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy
commit 68144d350f4f6c348659c825cde6a82b34c27a91
Author: Patrick McHardy <kaber@trash.net>
Date: Thu Dec 3 12:05:25 2009 +0100
net: fib_rules: add oif classification
Support routing table lookup based on the flow's oif. This is useful to
classify packets originating from sockets bound to interfaces differently.
The route cache already includes the oif and needs no changes.
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/include/linux/fib_rules.h b/include/linux/fib_rules.h
index 7e11bb2..51da65b 100644
--- a/include/linux/fib_rules.h
+++ b/include/linux/fib_rules.h
@@ -10,6 +10,7 @@
#define FIB_RULE_UNRESOLVED 0x00000004
#define FIB_RULE_IIF_DETACHED 0x00000008
#define FIB_RULE_DEV_DETACHED FIB_RULE_IIF_DETACHED
+#define FIB_RULE_OIF_DETACHED 0x00000010
/* try to find source address in routing lookups */
#define FIB_RULE_FIND_SADDR 0x00010000
@@ -47,6 +48,7 @@ enum {
FRA_UNUSED8,
FRA_TABLE, /* Extended table id */
FRA_FWMASK, /* mask for netfilter mark */
+ FRA_OIFNAME,
__FRA_MAX
};
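Review bot: `FRA_OIFNAME,` is added without a trailing comment, unlike FRA_TABLE and FRA_FWMASK directly above it. Something like `/* output interface name */` would match the neighbouring entries and the FRA_IIFNAME entry earlier in the enum.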
diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h
index 62bebcb..d4e875a 100644
--- a/include/net/fib_rules.h
+++ b/include/net/fib_rules.h
@@ -11,6 +11,7 @@ struct fib_rule {
struct list_head list;
atomic_t refcnt;
int iifindex;
+ int oifindex;
u32 mark;
u32 mark_mask;
u32 pref;
@@ -20,6 +21,7 @@ struct fib_rule {
u32 target;
struct fib_rule * ctarget;
char iifname[IFNAMSIZ];
+ char oifname[IFNAMSIZ];
struct rcu_head rcu;
struct net * fr_net;
};
@@ -68,6 +70,7 @@ struct fib_rules_ops {
#define FRA_GENERIC_POLICY \
[FRA_IIFNAME] = { .type = NLA_STRING, .len = IFNAMSIZ - 1 }, \
+ [FRA_OIFNAME] = { .type = NLA_STRING, .len = IFNAMSIZ - 1 }, \
[FRA_PRIORITY] = { .type = NLA_U32 }, \
[FRA_FWMARK] = { .type = NLA_U32 }, \
[FRA_FWMASK] = { .type = NLA_U32 }, \
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index 8e8028c..d1a70ad 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -138,6 +138,9 @@ static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops,
if (rule->iifindex && (rule->iifindex != fl->iif))
goto out;
+ if (rule->oifindex && (rule->oifindex != fl->oif))
+ goto out;
+
if ((rule->mark ^ fl->mark) & rule->mark_mask)
goto out;
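Review bot: the new test `rule->oifindex != fl->oif` silently covers two cases that deserve a comment: a rule whose device is absent (fib_nl_newrule leaves oifindex at -1, which no flow carries) and a flow that has no oif set at all. Stating above the check that an oif rule matches only flows carrying exactly that oif, and never matches while detached, documents semantics the iif test shares but does not spell out either.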
@@ -258,6 +261,16 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
rule->iifindex = dev->ifindex;
}
+ if (tb[FRA_OIFNAME]) {
+ struct net_device *dev;
+
+ rule->oifindex = -1;
+ nla_strlcpy(rule->oifname, tb[FRA_OIFNAME], IFNAMSIZ);
+ dev = __dev_get_by_name(net, rule->oifname);
+ if (dev)
+ rule->oifindex = dev->ifindex;
+ }
+
if (tb[FRA_FWMARK]) {
rule->mark = nla_get_u32(tb[FRA_FWMARK]);
if (rule->mark)
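Review bot: the `if (tb[FRA_OIFNAME])` block is a line-for-line copy of the FRA_IIFNAME block above it with only the field names changed. A small helper that takes the attribute, the name buffer and a pointer to the index would remove the duplication and keep the "-1 means named but not present" convention in one place.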
@@ -392,6 +405,10 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
nla_strcmp(tb[FRA_IIFNAME], rule->iifname))
continue;
+ if (tb[FRA_OIFNAME] &&
+ nla_strcmp(tb[FRA_OIFNAME], rule->oifname))
+ continue;
+
if (tb[FRA_FWMARK] &&
(rule->mark != nla_get_u32(tb[FRA_FWMARK])))
continue;
@@ -448,6 +465,7 @@ static inline size_t fib_rule_nlmsg_size(struct fib_rules_ops *ops,
{
size_t payload = NLMSG_ALIGN(sizeof(struct fib_rule_hdr))
+ nla_total_size(IFNAMSIZ) /* FRA_IIFNAME */
+ + nla_total_size(IFNAMSIZ) /* FRA_OIFNAME */
+ nla_total_size(4) /* FRA_PRIORITY */
+ nla_total_size(4) /* FRA_TABLE */
+ nla_total_size(4) /* FRA_FWMARK */
@@ -488,6 +506,13 @@ static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule,
frh->flags |= FIB_RULE_IIF_DETACHED;
}
+ if (rule->oifname[0]) {
+ NLA_PUT_STRING(skb, FRA_OIFNAME, rule->oifname);
+
+ if (rule->oifindex == -1)
+ frh->flags |= FIB_RULE_OIF_DETACHED;
+ }
+
if (rule->pref)
NLA_PUT_U32(skb, FRA_PRIORITY, rule->pref);
@@ -603,6 +628,9 @@ static void attach_rules(struct list_head *rules, struct net_device *dev)
if (rule->iifindex == -1 &&
strcmp(dev->name, rule->iifname) == 0)
rule->iifindex = dev->ifindex;
+ if (rule->oifindex == -1 &&
+ strcmp(dev->name, rule->oifname) == 0)
+ rule->oifindex = dev->ifindex;
}
}
@@ -610,9 +638,12 @@ static void detach_rules(struct list_head *rules, struct net_device *dev)
{
struct fib_rule *rule;
- list_for_each_entry(rule, rules, list)
+ list_for_each_entry(rule, rules, list) {
if (rule->iifindex == dev->ifindex)
rule->iifindex = -1;
+ if (rule->oifindex == dev->ifindex)
+ rule->oifindex = -1;
+ }
}
^ permalink raw reply related [flat|nested] 13+ messages in thread
* net 04/05: fib_rules: allow to delete local rule
2009-12-03 11:25 net 00/05: routing based send-to-self implementation Patrick McHardy
` (2 preceding siblings ...)
2009-12-03 11:25 ` net 03/05: fib_rules: add oif classification Patrick McHardy
@ 2009-12-03 11:25 ` Patrick McHardy
2009-12-03 11:25 ` ipv4 05/05: add sysctl to accept packets with local source addresses Patrick McHardy
` (2 subsequent siblings)
6 siblings, 0 replies; 13+ messages in thread
From: Patrick McHardy @ 2009-12-03 11:25 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy
commit d124356ce314fff22a047ea334379d5105b2d834
Author: Patrick McHardy <kaber@trash.net>
Date: Thu Dec 3 12:16:35 2009 +0100
net: fib_rules: allow to delete local rule
Allow to delete the local rule and recreate it with a higher priority. This
can be used to force packets with a local destination out on the wire instead
of routing them to loopback. Additionally this patch allows to recreate rules
with a priority of 0.
Combined with the previous patch to allow oif classification, a socket can
be bound to the desired interface and packets routed to the wire like this:
# move local rule to lower priority
ip rule add pref 1000 lookup local
ip rule del pref 0
# route packets of sockets bound to eth0 to the wire independent
# of the destination address
ip rule add pref 100 oif eth0 lookup 100
ip route add default dev eth0 table 100
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index d1a70ad..ef0e7d9 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -287,7 +287,7 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
rule->flags = frh->flags;
rule->table = frh_get_table(frh, tb);
- if (!rule->pref && ops->default_pref)
+ if (!tb[FRA_PRIORITY] && ops->default_pref)
rule->pref = ops->default_pref(ops);
err = -EINVAL;
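Review bot: replacing `!rule->pref` with `!tb[FRA_PRIORITY]` changes what an explicit priority of 0 means. A request that carries FRA_PRIORITY with value 0 used to fall through to ops->default_pref() and now creates a rule at preference 0. The changelog mentions this only as an aside ("Additionally ..."); it should be called out as a user-visible behaviour change.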
diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
index 835262c..1239ed2 100644
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -284,7 +284,7 @@ static int fib_default_rules_init(struct fib_rules_ops *ops)
{
int err;
- err = fib_default_rule_add(ops, 0, RT_TABLE_LOCAL, FIB_RULE_PERMANENT);
+ err = fib_default_rule_add(ops, 0, RT_TABLE_LOCAL, 0);
if (err < 0)
return err;
err = fib_default_rule_add(ops, 0x7FFE, RT_TABLE_MAIN, 0);
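Review bot: with FIB_RULE_PERMANENT dropped from the RT_TABLE_LOCAL rule, nothing prevents the pref 0 rule from being deleted without a replacement, leaving no rule that looks up the local table unless another one references it. The changelog example adds the pref 1000 rule before deleting pref 0; that ordering should be stated explicitly in the documentation for this feature rather than left implicit in an example.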
diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c
index 00a7a5e..3b38f49 100644
--- a/net/ipv6/fib6_rules.c
+++ b/net/ipv6/fib6_rules.c
@@ -276,7 +276,7 @@ static int fib6_rules_net_init(struct net *net)
INIT_LIST_HEAD(&net->ipv6.fib6_rules_ops->rules_list);
err = fib_default_rule_add(net->ipv6.fib6_rules_ops, 0,
- RT6_TABLE_LOCAL, FIB_RULE_PERMANENT);
+ RT6_TABLE_LOCAL, 0);
if (err)
goto out_fib6_rules_ops;
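Review bot: the IPv6 local rule becomes deletable here as well, but according to the diffstat in the cover letter the accept_local sysctl is only added under net/ipv4. The changelog should say whether the IPv6 change is meant to be usable on its own or is only there for symmetry.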
^ permalink raw reply related [flat|nested] 13+ messages in thread
* ipv4 05/05: add sysctl to accept packets with local source addresses
2009-12-03 11:25 net 00/05: routing based send-to-self implementation Patrick McHardy
` (3 preceding siblings ...)
2009-12-03 11:25 ` net 04/05: fib_rules: allow to delete local rule Patrick McHardy
@ 2009-12-03 11:25 ` Patrick McHardy
2009-12-04 7:52 ` Eric W. Biederman
2009-12-03 20:15 ` net 00/05: routing based send-to-self implementation David Miller
2011-01-14 10:18 ` Kirill Smelkov
6 siblings, 1 reply; 13+ messages in thread
From: Patrick McHardy @ 2009-12-03 11:25 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy
commit 8ec1e0ebe26087bfc5c0394ada5feb5758014fc8
Author: Patrick McHardy <kaber@trash.net>
Date: Thu Dec 3 12:16:35 2009 +0100
ipv4: add sysctl to accept packets with local source addresses
Change fib_validate_source() to accept packets with a local source address when
the "accept_local" sysctl is set for the incoming inet device. Combined with the
previous patches, this allows to communicate between multiple local interfaces
over the wire.
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index 989f553..006b39d 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -731,6 +731,12 @@ accept_source_route - BOOLEAN
default TRUE (router)
FALSE (host)
+accept_local - BOOLEAN
+ Accept packets with local source addresses. In combination with
+ suitable routing, this can be used to direct packets between two
+ local interfaces over the wire and have them accepted properly.
+ default FALSE
+
rp_filter - INTEGER
0 - No source validation.
1 - Strict mode as defined in RFC3704 Strict Reverse Path
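Review bot: the new accept_local entry does not say how the per-device value combines with conf/all. IN_DEV_ACCEPT_LOCAL is defined with IN_DEV_ORCONF in the inetdevice.h hunk of this patch, so setting it under conf/all enables it for every device; the text should say so, as the usage example only ever sets it per device.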
diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
index eecfa55..699e85c 100644
--- a/include/linux/inetdevice.h
+++ b/include/linux/inetdevice.h
@@ -83,6 +83,7 @@ static inline void ipv4_devconf_setall(struct in_device *in_dev)
#define IN_DEV_RPFILTER(in_dev) IN_DEV_MAXCONF((in_dev), RP_FILTER)
#define IN_DEV_SOURCE_ROUTE(in_dev) IN_DEV_ANDCONF((in_dev), \
ACCEPT_SOURCE_ROUTE)
+#define IN_DEV_ACCEPT_LOCAL(in_dev) IN_DEV_ORCONF((in_dev), ACCEPT_LOCAL)
#define IN_DEV_BOOTP_RELAY(in_dev) IN_DEV_ANDCONF((in_dev), BOOTP_RELAY)
#define IN_DEV_LOG_MARTIANS(in_dev) IN_DEV_ORCONF((in_dev), LOG_MARTIANS)
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index 1e4743e..9f047d7 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -490,6 +490,7 @@ enum
NET_IPV4_CONF_PROMOTE_SECONDARIES=20,
NET_IPV4_CONF_ARP_ACCEPT=21,
NET_IPV4_CONF_ARP_NOTIFY=22,
+ NET_IPV4_CONF_ACCEPT_LOCAL=23,
__NET_IPV4_CONF_MAX
};
diff --git a/kernel/sysctl_check.c b/kernel/sysctl_check.c
index b6e7aae..f1d676e 100644
--- a/kernel/sysctl_check.c
+++ b/kernel/sysctl_check.c
@@ -220,6 +220,7 @@ static const struct trans_ctl_table trans_net_ipv4_conf_vars_table[] = {
{ NET_IPV4_CONF_PROMOTE_SECONDARIES, "promote_secondaries" },
{ NET_IPV4_CONF_ARP_ACCEPT, "arp_accept" },
{ NET_IPV4_CONF_ARP_NOTIFY, "arp_notify" },
+ { NET_IPV4_CONF_ACCEPT_LOCAL, "accept_local" },
{}
};
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index c100709..e312661 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -1468,6 +1468,7 @@ static struct devinet_sysctl_table {
DEVINET_SYSCTL_RW_ENTRY(SEND_REDIRECTS, "send_redirects"),
DEVINET_SYSCTL_RW_ENTRY(ACCEPT_SOURCE_ROUTE,
"accept_source_route"),
+ DEVINET_SYSCTL_RW_ENTRY(ACCEPT_LOCAL, "accept_local"),
DEVINET_SYSCTL_RW_ENTRY(PROXY_ARP, "proxy_arp"),
DEVINET_SYSCTL_RW_ENTRY(MEDIUM_ID, "medium_id"),
DEVINET_SYSCTL_RW_ENTRY(BOOTP_RELAY, "bootp_relay"),
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 3b373a8..3323168 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -241,16 +241,17 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
.iif = oif };
struct fib_result res;
- int no_addr, rpf;
+ int no_addr, rpf, accept_local;
int ret;
struct net *net;
- no_addr = rpf = 0;
+ no_addr = rpf = accept_local = 0;
rcu_read_lock();
in_dev = __in_dev_get_rcu(dev);
if (in_dev) {
no_addr = in_dev->ifa_list == NULL;
rpf = IN_DEV_RPFILTER(in_dev);
+ accept_local = IN_DEV_ACCEPT_LOCAL(in_dev);
}
rcu_read_unlock();
@@ -260,8 +261,10 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
net = dev_net(dev);
if (fib_lookup(net, &fl, &res))
goto last_resort;
- if (res.type != RTN_UNICAST)
- goto e_inval_res;
+ if (res.type != RTN_UNICAST) {
+ if (res.type != RTN_LOCAL || !accept_local)
+ goto e_inval_res;
+ }
*spec_dst = FIB_RES_PREFSRC(res);
fib_combine_itag(itag, &res);
#ifdef CONFIG_IP_ROUTE_MULTIPATH
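Review bot: the nested test that replaces `if (res.type != RTN_UNICAST)` reads more directly as a single condition, for example `if (res.type != RTN_UNICAST && (res.type != RTN_LOCAL || !accept_local))`, which also drops the extra braces. A short comment that RTN_LOCAL results are accepted only with accept_local set would mark the exact point where source validation is relaxed.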
^ permalink raw reply related [flat|nested] 13+ messages in thread
* Re: net 00/05: routing based send-to-self implementation
2009-12-03 11:25 net 00/05: routing based send-to-self implementation Patrick McHardy
` (4 preceding siblings ...)
2009-12-03 11:25 ` ipv4 05/05: add sysctl to accept packets with local source addresses Patrick McHardy
@ 2009-12-03 20:15 ` David Miller
2011-01-14 10:18 ` Kirill Smelkov
6 siblings, 0 replies; 13+ messages in thread
From: David Miller @ 2009-12-03 20:15 UTC (permalink / raw)
To: kaber; +Cc: netdev
From: Patrick McHardy <kaber@trash.net>
Date: Thu, 3 Dec 2009 12:25:52 +0100 (MET)
> These patches are yet another attempt at adding "send-to-self" functionality,
> allowing to send packets between two local interfaces over the wire. Unlike
> the approaches I've seen so far, this one is purely routing based.
> Especially the oif classification should also be useful for different setups.
...
> Please apply, thanks!
All applied to net-next-2.6, thanks!
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: ipv4 05/05: add sysctl to accept packets with local source addresses
2009-12-03 11:25 ` ipv4 05/05: add sysctl to accept packets with local source addresses Patrick McHardy
@ 2009-12-04 7:52 ` Eric W. Biederman
2009-12-04 7:55 ` Patrick McHardy
0 siblings, 1 reply; 13+ messages in thread
From: Eric W. Biederman @ 2009-12-04 7:52 UTC (permalink / raw)
To: Patrick McHardy; +Cc: davem, netdev
Patrick McHardy <kaber@trash.net> writes:
> commit 8ec1e0ebe26087bfc5c0394ada5feb5758014fc8
> Author: Patrick McHardy <kaber@trash.net>
> Date: Thu Dec 3 12:16:35 2009 +0100
>
> ipv4: add sysctl to accept packets with local source addresses
>
> Change fib_validate_source() to accept packets with a local source address when
> the "accept_local" sysctl is set for the incoming inet device. Combined with the
> previous patches, this allows to communicate between multiple local interfaces
> over the wire.
>
> Signed-off-by: Patrick McHardy <kaber@trash.net>
>
Obligatory grumble. New binary sysctl. Grumble.
Honestly this might be the one new sysctl that doesn't conflict with
my sysctl tree. That should merge to Linus sometime this merge cycle
which will stop exporting this to userspace. So I don't have any
real complaints. Grumble.
This overloading of sysctl.h for the binary sysctl numbers and
the index into the perdevice sysctls is something we should probably
change at some point to keep maintenance a little less confusing.
Eric
> diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
> index 1e4743e..9f047d7 100644
> --- a/include/linux/sysctl.h
> +++ b/include/linux/sysctl.h
> @@ -490,6 +490,7 @@ enum
> NET_IPV4_CONF_PROMOTE_SECONDARIES=20,
> NET_IPV4_CONF_ARP_ACCEPT=21,
> NET_IPV4_CONF_ARP_NOTIFY=22,
> + NET_IPV4_CONF_ACCEPT_LOCAL=23,
> __NET_IPV4_CONF_MAX
> };
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: ipv4 05/05: add sysctl to accept packets with local source addresses
2009-12-04 7:52 ` Eric W. Biederman
@ 2009-12-04 7:55 ` Patrick McHardy
0 siblings, 0 replies; 13+ messages in thread
From: Patrick McHardy @ 2009-12-04 7:55 UTC (permalink / raw)
To: Eric W. Biederman; +Cc: davem, netdev
Eric W. Biederman wrote:
> Patrick McHardy <kaber@trash.net> writes:
>
>> commit 8ec1e0ebe26087bfc5c0394ada5feb5758014fc8
>> Author: Patrick McHardy <kaber@trash.net>
>> Date: Thu Dec 3 12:16:35 2009 +0100
>>
>> ipv4: add sysctl to accept packets with local source addresses
>>
>> Change fib_validate_source() to accept packets with a local source address when
>> the "accept_local" sysctl is set for the incoming inet device. Combined with the
>> previous patches, this allows to communicate between multiple local interfaces
>> over the wire.
>>
>> Signed-off-by: Patrick McHardy <kaber@trash.net>
>>
>
> Obligatory grumble. New binary sysctl. Grumble.
>
> Honestly this might be the one new sysctl that doesn't conflict with
> my sysctl tree. That should merge to Linus sometime this merge cycle
> which will stop exporting this to userspace. So I don't have any
> real complaints. Grumble.
>
> This overloading of sysctl.h for the binary sysctl numbers and
> the index into the perdevice sysctls is something we should probably
> change at some point to keep maintenance a little less confusing.
Yes, unfortunately it's currently not possible to add inetdev sysctls
without allocating new numbers.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: net 00/05: routing based send-to-self implementation
2009-12-03 11:25 net 00/05: routing based send-to-self implementation Patrick McHardy
` (5 preceding siblings ...)
2009-12-03 20:15 ` net 00/05: routing based send-to-self implementation David Miller
@ 2011-01-14 10:18 ` Kirill Smelkov
2011-01-14 12:22 ` Patrick McHardy
2011-01-14 13:40 ` Jonathan Corbet
6 siblings, 2 replies; 13+ messages in thread
From: Kirill Smelkov @ 2011-01-14 10:18 UTC (permalink / raw)
To: Patrick McHardy; +Cc: davem, netdev, Jonathan Corbet, Boris Kocherov
[ Cc'ing Jonathan Corbet and a friend of mine ]
On Thu, Dec 03, 2009 at 12:25:52PM +0100, Patrick McHardy wrote:
> These patches are yet another attempt at adding "send-to-self" functionality,
> allowing to send packets between two local interfaces over the wire. Unlike
> the approaches I've seen so far, this one is purely routing based.
> Especially the oif classification should also be useful for different setups.
>
> The patchset consists of three parts:
>
> - the first three patches add oif classification to fib_rules. This can be
> used to create special routing tables for sockets bound to an interface.
>
> - the fourth patch changes IPv4 and IPv6 to allow to delete the local rule
> with priority 0. This allows to re-create it using a lower priority and
> insert new rules below it to force packets with a local destination out
> on the wire.
>
> - the fifth patch adds a devinet sysctl to accept packets with local source
> addresses in fib_validate_source(). This one unfortunately seems to be
> necessary, I couldn't come up with a method based purely on adding more
> routes to fool fib_validate_source() into accepting those packets.
>
> Usage example:
>
> # move local routing rule to lower priority
> ip rule add pref 1000 lookup local
> ip rule del pref 0
>
> # only reply to ARP requests for addresses configured on the device
> echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
>
> # configure device and force packets of bound sockets out on eth1
> ip address add dev eth1 10.0.0.1/24
> echo 1 > /proc/sys/net/ipv4/conf/eth1/accept_local
> ip link set eth1 up
> ip rule add pref 500 oif eth1 lookup 500
> ip route add default dev eth1 table 500
>
> # configure device and force packets of bound sockets out on eth2
> ip address add dev eth2 10.0.0.2/24
> echo 1 > /proc/sys/net/ipv4/conf/eth2/accept_local
> ip link set eth2 up
> ip rule add pref 501 oif eth2 lookup 501
> ip route add default dev eth2 table 501
>
> At this point packets between sockets bound to eth1/eth2 will go over the wire.
Patrick, thanks a lot for doing this!
Just a small follow-up: it is possible to set up such loops without
requiring sockets to be bound to devices. The idea is to set up rules
like
$ ip rule add pref 100 to <ip-on-eth1> lookup 100
$ ip route add default dev eth0 table 100
so that on TX, packets go through appropriate interfaces.
And for RX, other rules like
$ ip rule add pref 10 iif eth0 lookup local
so that packets can be received at all.
I've spent several days to find this, debugging and tracing kernel and
trying various variants on how to do it, so I thought I'd better share
the info for poor souls like me :)
For completeness, here is the script which will set up tap0/tap1 loop
through virtual vde_switch.
( Jonathan, I thought something like this could be useful for LDD4 in
revised snull not needing to play dirty tricks with IP addresses anymore )
---- 8< (mk-tap-loop.sh) ----
#!/bin/sh -e
# reset interfaces
ip link del tap0 2>/dev/null || :
ip link del tap1 2>/dev/null || :
# create interfaces
vde_tunctl -t tap0
vde_tunctl -t tap1
# assign addresses
ip addr add 192.168.23.10/24 dev tap0
ip addr add 192.168.23.11/24 dev tap1
# put ifs up
ip link set tap0 up
ip link set tap1 up
# lower priority of kernel local table to 500
ip rule del pref 0 lookup local 2>/dev/null || :
ip rule del pref 500 lookup local 2>/dev/null || :
ip rule add pref 500 lookup local
# on rx side handle packets by local table, so we can receive them
echo 1 >/proc/sys/net/ipv4/conf/tap0/accept_local
echo 1 >/proc/sys/net/ipv4/conf/tap1/accept_local
ip rule del pref 10 2>/dev/null || :
ip rule del pref 11 2>/dev/null || :
ip rule add pref 10 iif tap0 lookup local
ip rule add pref 11 iif tap1 lookup local
# tx
ip rule del pref 100 2>/dev/null || :
ip rule del pref 101 2>/dev/null || :
ip rule add pref 100 to 192.168.23.10 lookup 100 # tap0 <- tap1
ip rule add pref 101 to 192.168.23.11 lookup 101 # tap1 <- tap0
ip route flush table 100
ip route flush table 101
ip route add default dev tap1 table 100
ip route add default dev tap0 table 101
# ensure (visually) we've set up it ok
echo
echo " >>> rules:"
ip rule
echo
echo " >>> tap(0|1) routing table:"
#routel | grep '\<tap\(0\|1\)\>'
ip route show table all | grep '\<tap\(0\|1\)\>'
# tx path
echo
echo " >>> checking routing for tx path:"
ip route get 192.168.23.10 connected
ip route get 192.168.23.11 connected
# rx path
echo
echo " >>> checking routing for rx path:"
ip route get from 192.168.23.10 to 192.168.23.11 iif tap1
ip route get from 192.168.23.11 to 192.168.23.10 iif tap0
# start switch and connect switch-tap0 and switch-tap1
echo
echo " >>> ready to start vde_switch and connect wires..."
# wait for Enter (POSIX read needs a variable name, e.g. under dash)
read dummy
screen sh -c 'screen sh -cx "sleep 4; vde_plug2tap tap0"; screen sh -cx "sleep 4; vde_plug2tap tap1"; sh -cx vde_switch'
# now e.g. ping 192.168.23.11 sends packets to tap0 which are received
# on tap1 and ICMP-ECHO'ed by kernel on tap1 and received on tap0.
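The rule ordering that the script above depends on, as an added example that is not part of the original thread: a first-match evaluator over constructed `ip rule`-style lines, showing which table a packet reaches with the stock rule set and with the script's. The toy table contents and the `table_result`/`lookup` helpers are assumptions made for illustration; source validation (`accept_local`) is not modelled.

```shell
#!/bin/sh
# Constructed rule sets in `ip rule` output style (not captured from a host).
STOCK_RULES='0: from all lookup local
32766: from all lookup main'
LOOP_RULES='10: from all iif tap0 lookup local
11: from all iif tap1 lookup local
100: from all to 192.168.23.10 lookup 100
101: from all to 192.168.23.11 lookup 101
500: from all lookup local
32766: from all lookup main'

# Toy tables (assumption): "local" holds only the two tap addresses, 100/101
# hold the script's default routes, main resolves everything else.
table_result() {  # $1=table $2=dst; prints nothing when the table has no route
    case "$1:$2" in
        local:192.168.23.10|local:192.168.23.11) echo "local delivery" ;;
        local:*) ;;
        100:*) echo "dev tap1" ;;
        101:*) echo "dev tap0" ;;
        main:*) echo "via main" ;;
    esac
}

# Walk the rules in priority order; the first rule whose selectors match and
# whose table has a route wins. iif "lo" stands for locally generated traffic.
lookup() {  # $1=rules $2=iif $3=dst
    rules=$1 iif=$2 dst=$3
    printf '%s\n' "$rules" | sort -n | while read -r pref _from _all rest; do
        r_iif='' r_to='' r_table=''
        set -- $rest
        while [ $# -ge 2 ]; do
            case "$1" in
                iif) r_iif=$2 ;;
                to) r_to=$2 ;;
                lookup) r_table=$2 ;;
            esac
            shift 2
        done
        [ -n "$r_iif" ] && [ "$r_iif" != "$iif" ] && continue
        [ -n "$r_to" ] && [ "$r_to" != "$dst" ] && continue
        res=$(table_result "$r_table" "$dst")
        [ -n "$res" ] || continue   # no route in this table: try the next rule
        echo "pref ${pref%:} table $r_table -> $res"
        break
    done
}

echo "stock, TX to .11:  $(lookup "$STOCK_RULES" lo 192.168.23.11)"
echo "loop,  TX to .11:  $(lookup "$LOOP_RULES" lo 192.168.23.11)"
echo "loop,  RX on tap1: $(lookup "$LOOP_RULES" tap1 192.168.23.11)"
```

With the stock rules the local table answers first, so the packet never leaves the host; dropping the two `iif` rules from the loop set makes the packet arriving on tap1 match pref 101 and get routed back out instead of being delivered.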
* Re: net 00/05: routing based send-to-self implementation
From: Patrick McHardy @ 2011-01-14 12:22 UTC (permalink / raw)
To: Kirill Smelkov; +Cc: davem, netdev, Jonathan Corbet, Boris Kocherov
On 14.01.2011 11:18, Kirill Smelkov wrote:
> [ Cc'ing Jonathan Corbet and a friend of mine ]
>
> On Thu, Dec 03, 2009 at 12:25:52PM +0100, Patrick McHardy wrote:
>> These patches are yet another attempt at adding "send-to-self" functionality,
>> allowing to send packets between two local interfaces over the wire. Unlike
>> the approaches I've seen so far, this one is purely routing based.
>> Especially the oif classification should also be useful for different setups.
>>
>> The patchset consists of three parts:
>>
>> - the first three patches add oif classification to fib_rules. This can be
>> used create special routing tables for sockets bound to an interface.
>>
>> - the fourth patch changes IPv4 and IPv6 to allow to delete the local rule
>> with priority 0. This allows to re-create it using a lower priority and
>> insert new rules below it to force packets with a local destination out
>> on the wire.
>>
>> - the fifth patch adds a devinet sysctl to accept packets with local source
>> addresses in fib_validate_source(). This one unfortunately seems to be
>> necessary, I couldn't come up with a method based purely on adding more
>> routes to fool fib_validate_source() into accepting those packets.
>>
>> Usage example:
>>
>> # move local routing rule to lower priority
>> ip rule add pref 1000 lookup local
>> ip rule del pref 0
>>
>> # only reply to ARP requests for addresses configured on the device
>> echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
>>
>> # configure device and force packets of bound sockets out on eth1
>> ip address add dev eth1 10.0.0.1/24
>> echo 1 > /proc/sys/net/ipv4/conf/eth1/accept_local
>> ip link set eth1 up
>> ip rule add pref 500 oif eth1 lookup 500
>> ip route add default dev eth1 table 500
>>
>> # configure device and force packets of bound sockets out on eth2
>> ip address add dev eth2 10.0.0.2/24
>> echo 1 > /proc/sys/net/ipv4/conf/eth2/accept_local
>> ip link set eth2 up
>> ip rule add pref 501 oif eth2 lookup 501
>> ip route add default dev eth2 table 501
>>
>> At this point packets between sockets bound to eth1/eth2 will go over the wire.
>
> Patrick, thanks a lot for doing this!
>
> Just a small follow-up: it is possible to set up such loops without
> requiring sockets to be bound to devices. The idea is to set up rules
> like
>
> $ ip rule add pref 100 to <ip-on-eth1> lookup 100
> $ ip route add default dev eth0 table 100
>
> so that on TX, packets go through appropriate interfaces.
>
> And for RX, another rule like
>
> $ ip rule add pref 10 iif eth0 lookup local
>
> so that packets can be received at all.
>
>
> I've spent several days to find this, debugging and tracing kernel and
> trying various variants on how to do it, so I thought I'd better share
> the info for poor souls like me :)
>
> For completeness, here is the script which will set up tap0/tap1 loop
> through virtual vde_switch.
>
> ( Jonathan, I thought something like this could be useful for LDD4 in
> revised snull not needing to play dirty tricks with IP addresses anymore )
Thanks for sharing this. Setups using this get pretty complicated,
I've done something similar recently to have packets loop through
the network stack twice using veth devices to perform double NAT
for remapping clashing networks. If I can get permission I'll post
that script as well.
>
>
> ---- 8< (mk-tap-loop.sh) ----
> #!/bin/sh -e
>
> # reset interfaces
> ip link del tap0 2>/dev/null || :
> ip link del tap1 2>/dev/null || :
>
> # create interfaces
> vde_tunctl -t tap0
> vde_tunctl -t tap1
>
> # assign addresses
> ip addr add 192.168.23.10/24 dev tap0
> ip addr add 192.168.23.11/24 dev tap1
>
> # put ifs up
> ip link set tap0 up
> ip link set tap1 up
>
> # lower priority of kernel local table to 500
> ip rule del pref 0 lookup local 2>/dev/null || :
> ip rule del pref 500 lookup local 2>/dev/null || :
> ip rule add pref 500 lookup local
>
> # on rx side handle packets by local table, so we can receive them
> echo 1 >/proc/sys/net/ipv4/conf/tap0/accept_local
> echo 1 >/proc/sys/net/ipv4/conf/tap1/accept_local
> ip rule del pref 10 2>/dev/null || :
> ip rule del pref 11 2>/dev/null || :
> ip rule add pref 10 iif tap0 lookup local
> ip rule add pref 11 iif tap1 lookup local
>
> # tx
> ip rule del pref 100 2>/dev/null || :
> ip rule del pref 101 2>/dev/null || :
> ip rule add pref 100 to 192.168.23.10 lookup 100 # tap0 <- tap1
> ip rule add pref 101 to 192.168.23.11 lookup 101 # tap1 <- tap0
>
> ip route flush table 100
> ip route flush table 101
> ip route add default dev tap1 table 100
> ip route add default dev tap0 table 101
>
>
> # ensure (visually) we've set up it ok
>
> echo
> echo " >>> rules:"
> ip rule
>
> echo
> echo " >>> tap(0|1) routing table:"
> #routel | grep '\<tap\(0\|1\)\>'
> ip route show table all | grep '\<tap\(0\|1\)\>'
>
> # tx path
> echo
> echo " >>> checking routing for tx path:"
> ip route get 192.168.23.10 connected
> ip route get 192.168.23.11 connected
>
> # rx path
> echo
> echo " >>> checking routing for rx path:"
> ip route get from 192.168.23.10 to 192.168.23.11 iif tap1
> ip route get from 192.168.23.11 to 192.168.23.10 iif tap0
>
>
>
> # start switch and connect switch-tap0 and switch-tap1
> echo
> echo " >>> ready to start vde_switch and connect wires..."
> # wait for Enter (POSIX read needs a variable name, e.g. under dash)
> read dummy
> screen sh -c 'screen sh -cx "sleep 4; vde_plug2tap tap0"; screen sh -cx "sleep 4; vde_plug2tap tap1"; sh -cx vde_switch'
>
>
> # now e.g. ping 192.168.23.11 sends packets to tap0 which are received
> # on tap1 and ICMP-ECHO'ed by kernel on tap1 and received on tap0.
>
* Re: net 00/05: routing based send-to-self implementation
From: Jonathan Corbet @ 2011-01-14 13:40 UTC (permalink / raw)
To: Kirill Smelkov; +Cc: Patrick McHardy, davem, netdev, Boris Kocherov
On Fri, 14 Jan 2011 13:18:32 +0300
Kirill Smelkov <kirr@mns.spb.ru> wrote:
> ( Jonathan, I thought something like this could be useful for LDD4 in
> revised snull not needing to play dirty tricks with IP addresses anymore )
Nice thought, thanks. I don't know yet whether we'd want to do that or
just run stuff on a virtual machine for LDD4 - lots of stuff to figure
out still.
Thanks,
jon
* Re: net 00/05: routing based send-to-self implementation
From: Kirill Smelkov @ 2011-01-14 15:02 UTC (permalink / raw)
To: Jonathan Corbet; +Cc: Patrick McHardy, davem, netdev, Boris Kocherov
On Fri, Jan 14, 2011 at 06:40:48AM -0700, Jonathan Corbet wrote:
> On Fri, 14 Jan 2011 13:18:32 +0300
> Kirill Smelkov <kirr@mns.spb.ru> wrote:
>
> > ( Jonathan, I thought something like this could be useful for LDD4 in
> > revised snull not needing to play dirty tricks with IP addresses anymore )
>
> Nice thought, thanks. I don't know yet whether we'd want to do that or
> just run stuff on a virtual machine for LDD4 - lots of stuff to figure
> out still.
Just FYI: I've started with virtual machines, but figured out it is
(sometimes, maybe my fault) a bit of pain to coherently setup and also
that not all hardware have support for KVM - for example my netbook with
Atom N455, which I use half the time, does not support VT and they've
killed support for KQEMU in QEMU recently...
Anyway, good luck with LDD4!
Thanks,
Kirill