From: David Ahern
Subject: Re: [PATCH net-next v5 3/9] net: ensure unbound datagram socket to be chosen when not in a VRF
Date: Wed, 7 Nov 2018 12:06:48 -0700
References: <20181107153610.7526-1-mmanning@vyatta.att-mail.com> <20181107153610.7526-4-mmanning@vyatta.att-mail.com>
In-Reply-To: <20181107153610.7526-4-mmanning@vyatta.att-mail.com>
To: Mike Manning, netdev@vger.kernel.org

On 11/7/18 8:36 AM, Mike Manning wrote:
> Ensure an unbound datagram skt is chosen when not in a VRF. The check
> for a device match in compute_score() for UDP must be performed when
> there is no device match. For this, a failure is returned when there is
> no device match. This ensures that bound sockets are never selected,
> even if there is no unbound socket.
>
> Allow IPv6 packets to be sent over a datagram skt bound to a VRF. These
> packets are currently blocked, as flowi6_oif was set to that of the
> master vrf device, and the ipi6_ifindex is that of the slave device.
> Allow these packets to be sent by checking the device with ipi6_ifindex
> has the same L3 scope as that of the bound device of the skt, which is
> the master vrf device. Note that this check always succeeds if the skt
> is unbound.
>
> Even though the right datagram skt is now selected by compute_score(),
> a different skt is being returned that is bound to the wrong vrf. The
> difference between these and stream sockets is the handling of the skt
> option for SO_REUSEPORT. While the handling when adding a skt for reuse
> correctly checks that the bound device of the skt is a match, the skts
> in the hashslot are already incorrect. So for the same hash, a skt for
> the wrong vrf may be selected for the required port. The root cause is
> that the skt is immediately placed into a slot when it is created,
> but when the skt is then bound using SO_BINDTODEVICE, it remains in the
> same slot. The solution is to move the skt to the correct slot by
> forcing a rehash.
>
> Signed-off-by: Mike Manning
> ---
>  include/net/udp.h   | 11 +++++++++++
>  net/core/sock.c     |  2 ++
>  net/ipv4/udp.c      | 15 ++++++---------
>  net/ipv6/datagram.c | 10 +++++++---
>  net/ipv6/udp.c      | 14 +++++---------
>  5 files changed, 31 insertions(+), 21 deletions(-)

Reviewed-by: David Ahern
Tested-by: David Ahern
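
The selection rule from the first paragraph of the quoted commit message, as an added illustration that is not code from the patch, the kernel, or either author: a simplified C model in which a bound socket with no device match is a failure rather than a lower score. The names `model_sock`, `model_score`, `model_lookup` and all ifindex values are hypothetical, and treating an unbound socket as eligible for VRF ingress is an assumption the message does not cover.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not kernel code. bound_dev_if == 0 means unbound. */
struct model_sock {
    int port;
    int bound_dev_if;
};

/* Constructed sample: ifindex 2 = plain NIC, 10 and 11 = two VRF masters. */
static const struct model_sock sample[] = {
    { 5000, 0 }, { 5000, 10 }, { 5000, 11 },
};

/* dif: ingress ifindex; sdif: its VRF master ifindex, 0 when not in a VRF.
 * Returns -1 when the socket must not be selected for this packet. */
static int model_score(const struct model_sock *sk, int port, int dif, int sdif)
{
    if (sk->port != port)
        return -1;
    if (!sk->bound_dev_if)
        return 1;   /* unbound: eligible (VRF-ingress policy not modelled) */
    if (sk->bound_dev_if != dif && sk->bound_dev_if != sdif)
        return -1;  /* bound, no device match: failure */
    return 2;       /* bound and matching: preferred over unbound */
}

static const struct model_sock *model_lookup(const struct model_sock *tbl,
                                             size_t n, int port, int dif, int sdif)
{
    const struct model_sock *best = NULL;
    int best_score = -1;
    for (size_t i = 0; i < n; i++) {
        int score = model_score(&tbl[i], port, dif, sdif);
        if (score > best_score) {
            best_score = score;
            best = &tbl[i];
        }
    }
    return best;
}

int main(void)
{
    const struct model_sock *sk = model_lookup(sample, 3, 5000, 2, 0);
    printf("non-VRF packet -> bound_dev_if %d\n", sk ? sk->bound_dev_if : -1);
    /* Only VRF-bound sockets present: the non-VRF packet gets no socket. */
    sk = model_lookup(sample + 1, 2, 5000, 2, 0);
    printf("bound-only table -> %s\n", sk ? "selected" : "no socket");
    return 0;
}
```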