From: Dries De Winter <dries.dewinter@gmail.com>
To: David Miller <davem@davemloft.net>
Cc: pablo@netfilter.org, kaber@trash.net, netdev@vger.kernel.org,
	netfilter-devel@vger.kernel.org
Subject: Re: [PATCH] net: ICMPv6 packets transmitted on wrong interface if nfmark is mangled
Date: Mon, 3 Dec 2012 22:31:51 +0100
Message-ID: <CA+e04fjWMDE9xEApysFRprZDBdM3Ya2RHrxtoau7i+fxzGT8CQ@mail.gmail.com>
In-Reply-To: <20121203.141128.206409637987621093.davem@davemloft.net>

2012/12/3 David Miller <davem@davemloft.net>:
> Thinking about this some more I can't see how this is correct.
>
> What if netfilter modified one of the keys that go into the route
> lookup such as the source or destination address?

That is a question I have as well. What if the destination address of
a neighbour solicitation is rewritten to some random unicast address,
for example? You could say that in that case the routing table should
indeed be followed. But you could also say that ICMPv6 is a
fundamental part of IPv6, and sending out a neighbour solicitation, for
instance, on a different interface than the one it is intended for is
wrong. Or you could even say that it is a total non-issue, because
rewriting the destination address of ICMPv6 is already wrong in the
first place.

Anyway, what if the source address is modified while there is no
source-based routing, or skb->mark is modified while there is no
policy-based routing? In that case routing is not affected, but still the
ICMPv6 packet will go out on a different interface than the one you
would expect. This is because the dst of such a packet is special, in the
sense that it is not referred to by the routing table, so when
rerouting the packet it is impossible to recover the original
destination.

Not fixing this means that skb->mark is unavailable for use on ICMPv6
packets, because it will inevitably put those packets on the wrong
interface. I use skb->mark for QoS, not for routing, so I don't expect
the outgoing interface to be affected by my marks. Now that I know about
this issue, it is easy enough for me to work around, but I suspect
that I'm not the only one in the world who uses skb->mark for
purposes other than routing. Moreover, the road from seeing a neighbour
solicitation or MLD report going out on the wrong interface to finding
this limitation can be quite painful. Anyway, in the end it's up to
you to decide, of course.

Kind regards,

Dries.


Thread overview: 13+ messages
     [not found] <22884633.2468.1354092935228.JavaMail.driesdw@sahwcmp0020>
2012-11-28  9:09 ` [PATCH] net: ICMPv6 packets transmitted on wrong interface if nfmark is mangled Dries De Winter
2012-11-28 23:30   ` David Miller
2012-11-30 12:29     ` Dries De Winter
2012-11-30 17:22       ` David Miller
2012-12-03 12:46         ` Dries De Winter
2012-12-03 19:11           ` David Miller
2012-12-03 21:31             ` Dries De Winter [this message]
2012-12-03 22:06               ` David Miller
2012-12-05 13:41                 ` Dries De Winter
2012-12-05 17:57                   ` David Miller
2012-12-06  9:11                     ` Dries De Winter
2012-12-03 23:38               ` Jan Engelhardt
2012-12-03 23:52                 ` Pablo Neira Ayuso