* [PATCH nf v2 0/2] netfilter: Fix/update mangled packet re-routing within VRF domains
From: Martin Willi @ 2022-04-19 13:46 UTC
To: Pablo Neira Ayuso, Florian Westphal, David Ahern
Cc: netfilter-devel, netdev

The first patch fixes re-routing of IPv6 packets mangled by Netfilter rules
to consider the layer 3 VRF domain. The second patch updates both IPv4 and
IPv6 re-routing to use the recently added l3mdev flow key instead of abusing
the oif flow key to select the L3 domain.

These patches have been explicitly split up to allow stable to pick up the
first patch as-is.

Changes in v2:
- Add a second patch to migrate IPv4/6 re-routing to l3mdev flow key

Martin Willi (2):
  netfilter: Update ip6_route_me_harder to consider L3 domain
  netfilter: Use l3mdev flow key when re-routing mangled packets

 net/ipv4/netfilter.c | 3 +--
 net/ipv6/netfilter.c | 9 +++++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

--
2.25.1

* [PATCH nf v2 1/2] netfilter: Update ip6_route_me_harder to consider L3 domain 2022-04-19 13:46 [PATCH nf v2 0/2] netfilter: Fix/update mangled packet re-routing within VRF domains Martin Willi @ 2022-04-19 13:47 ` Martin Willi 2022-04-19 20:05 ` David Ahern 2022-04-25 9:09 ` Pablo Neira Ayuso 2022-04-19 13:47 ` [PATCH nf v2 2/2] netfilter: Use l3mdev flow key when re-routing mangled packets Martin Willi 1 sibling, 2 replies; 7+ messages in thread From: Martin Willi @ 2022-04-19 13:47 UTC (permalink / raw) To: Pablo Neira Ayuso, Florian Westphal, David Ahern; +Cc: netfilter-devel, netdev The commit referenced below fixed packet re-routing if Netfilter mangles a routing key property of a packet and the packet is routed in a VRF L3 domain. The fix, however, addressed IPv4 re-routing, only. This commit applies the same behavior for IPv6. While at it, untangle the nested ternary operator to make the code more readable. Fixes: 6d8b49c3a3a3 ("netfilter: Update ip_route_me_harder to consider L3 domain") Cc: stable@vger.kernel.org Signed-off-by: Martin Willi <martin@strongswan.org> --- net/ipv6/netfilter.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c index 1da332450d98..8ce60ab89015 100644 --- a/net/ipv6/netfilter.c +++ b/net/ipv6/netfilter.c @@ -24,14 +24,13 @@ int ip6_route_me_harder(struct net *net, struct sock *sk_partial, struct sk_buff { const struct ipv6hdr *iph = ipv6_hdr(skb); struct sock *sk = sk_to_full_sk(sk_partial); + struct net_device *dev = skb_dst(skb)->dev; struct flow_keys flkeys; unsigned int hh_len; struct dst_entry *dst; int strict = (ipv6_addr_type(&iph->daddr) & (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL)); struct flowi6 fl6 = { - .flowi6_oif = sk && sk->sk_bound_dev_if ? sk->sk_bound_dev_if : - strict ? skb_dst(skb)->dev->ifindex : 0, .flowi6_mark = skb->mark, .flowi6_uid = sock_net_uid(net, sk), .daddr = iph->daddr, 
@@ -39,6 +38,13 @@ int ip6_route_me_harder(struct net *net, struct sock *sk_partial, struct sk_buff }; int err; + if (sk && sk->sk_bound_dev_if) + fl6.flowi6_oif = sk->sk_bound_dev_if; + else if (strict) + fl6.flowi6_oif = dev->ifindex; + else + fl6.flowi6_oif = l3mdev_master_ifindex(dev); + fib6_rules_early_flow_dissect(net, skb, &fl6, &flkeys); dst = ip6_route_output(net, sk, &fl6); err = dst->error; -- 2.25.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
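Review bot: the new initializer `struct net_device *dev = skb_dst(skb)->dev;` in the first hunk (@@ -24,14 +24,13 @@) dereferences skb_dst(skb) on every call, while the removed ternary only reached `skb_dst(skb)->dev` when no bound socket device was set and `strict` was true. If any caller can enter ip6_route_me_harder() without a dst attached, this becomes a NULL dereference on a path that did not touch the dst before; the commit message should state that a dst is always present at this point, or the access should be guarded.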
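Review bot: in the second hunk (@@ -39,6 +38,13 @@) the final `else` replaces the old default of 0 with `l3mdev_master_ifindex(dev)`, so the non-VRF case now relies on that helper returning 0 for a device outside any L3 domain, and nothing in the code says so. A short comment above the chain stating that, and that a bound socket device and the strict (multicast/link-local) case deliberately take precedence over the VRF master, would document the ordering. The commit message says this applies the IPv4 behavior, but the `strict` branch has no IPv4 counterpart, so that difference is worth a sentence there too.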
* Re: [PATCH nf v2 1/2] netfilter: Update ip6_route_me_harder to consider L3 domain
From: David Ahern @ 2022-04-19 20:05 UTC
To: Martin Willi, Pablo Neira Ayuso, Florian Westphal
Cc: netfilter-devel, netdev

On 4/19/22 7:47 AM, Martin Willi wrote:
> The commit referenced below fixed packet re-routing if Netfilter mangles
> a routing key property of a packet and the packet is routed in a VRF L3
> domain. The fix, however, addressed IPv4 re-routing, only.
>
> This commit applies the same behavior for IPv6. While at it, untangle
> the nested ternary operator to make the code more readable.
>
> Fixes: 6d8b49c3a3a3 ("netfilter: Update ip_route_me_harder to consider L3 domain")
> Cc: stable@vger.kernel.org
> Signed-off-by: Martin Willi <martin@strongswan.org>
> ---
>  net/ipv6/netfilter.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
>

Reviewed-by: David Ahern <dsahern@kernel.org>

* Re: [PATCH nf v2 1/2] netfilter: Update ip6_route_me_harder to consider L3 domain
From: Pablo Neira Ayuso @ 2022-04-25 9:09 UTC
To: Martin Willi
Cc: Florian Westphal, David Ahern, netfilter-devel, netdev

On Tue, Apr 19, 2022 at 03:47:00PM +0200, Martin Willi wrote:
> The commit referenced below fixed packet re-routing if Netfilter mangles
> a routing key property of a packet and the packet is routed in a VRF L3
> domain. The fix, however, addressed IPv4 re-routing, only.
>
> This commit applies the same behavior for IPv6. While at it, untangle
> the nested ternary operator to make the code more readable.

Applied to nf.git

* [PATCH nf v2 2/2] netfilter: Use l3mdev flow key when re-routing mangled packets 2022-04-19 13:46 [PATCH nf v2 0/2] netfilter: Fix/update mangled packet re-routing within VRF domains Martin Willi 2022-04-19 13:47 ` [PATCH nf v2 1/2] netfilter: Update ip6_route_me_harder to consider L3 domain Martin Willi @ 2022-04-19 13:47 ` Martin Willi 2022-04-19 20:06 ` David Ahern 2022-05-16 11:03 ` Pablo Neira Ayuso 1 sibling, 2 replies; 7+ messages in thread From: Martin Willi @ 2022-04-19 13:47 UTC (permalink / raw) To: Pablo Neira Ayuso, Florian Westphal, David Ahern; +Cc: netfilter-devel, netdev Commit 40867d74c374 ("net: Add l3mdev index to flow struct and avoid oif reset for port devices") introduces a flow key specific for layer 3 domains, such as a VRF master device. This allows for explicit VRF domain selection instead of abusing the oif flow key. Update ip[6]_route_me_harder() to make use of that new key when re-routing mangled packets within VRFs instead of setting the flow oif, making it consistent with other users. Signed-off-by: Martin Willi <martin@strongswan.org> --- net/ipv4/netfilter.c | 3 +-- net/ipv6/netfilter.c | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c index aff707988e23..bd135165482a 100644 --- a/net/ipv4/netfilter.c +++ b/net/ipv4/netfilter.c @@ -45,8 +45,7 @@ int ip_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb, un fl4.saddr = saddr; fl4.flowi4_tos = RT_TOS(iph->tos); fl4.flowi4_oif = sk ? sk->sk_bound_dev_if : 0; - if (!fl4.flowi4_oif) - fl4.flowi4_oif = l3mdev_master_ifindex(dev); + fl4.flowi4_l3mdev = l3mdev_master_ifindex(dev); fl4.flowi4_mark = skb->mark; fl4.flowi4_flags = flags; fib4_rules_early_flow_dissect(net, skb, &fl4, &flkeys); diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c index 8ce60ab89015..857713d7a38a 100644 --- a/net/ipv6/netfilter.c +++ b/net/ipv6/netfilter.c 
@@ -31,6 +31,7 @@ int ip6_route_me_harder(struct net *net, struct sock *sk_partial, struct sk_buff int strict = (ipv6_addr_type(&iph->daddr) & (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL)); struct flowi6 fl6 = { + .flowi6_l3mdev = l3mdev_master_ifindex(dev), .flowi6_mark = skb->mark, .flowi6_uid = sock_net_uid(net, sk), .daddr = iph->daddr, @@ -42,8 +43,6 @@ int ip6_route_me_harder(struct net *net, struct sock *sk_partial, struct sk_buff fl6.flowi6_oif = sk->sk_bound_dev_if; else if (strict) fl6.flowi6_oif = dev->ifindex; - else - fl6.flowi6_oif = l3mdev_master_ifindex(dev); fib6_rules_early_flow_dissect(net, skb, &fl6, &flkeys); dst = ip6_route_output(net, sk, &fl6); -- 2.25.1 ^ permalink raw reply related [flat|nested] 7+ messages in thread
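Review bot: in the net/ipv4/netfilter.c hunk the removed `if (!fl4.flowi4_oif)` guard made the VRF master a fallback only, whereas `fl4.flowi4_l3mdev = l3mdev_master_ifindex(dev);` is now assigned even when `sk->sk_bound_dev_if` is set. The commit message presents this as a key migration; it should say whether carrying both a bound oif and an l3mdev index into the lookup is intended and yields the same route as before, for example when the socket is bound to a device that is not in the packet's VRF.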
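Review bot: in the net/ipv6/netfilter.c hunks `.flowi6_l3mdev = l3mdev_master_ifindex(dev)` sits in the initializer, so it is also set on the bound-socket and `strict` branches, where patch 1/2 left the L3 domain out of the flow key. The `strict` branch now passes `dev->ifindex` as oif together with the master index; a sentence in the changelog confirming that link-local and multicast lookups resolve as before would settle that. The initializer also depends on the `dev` local introduced by 1/2, which is worth noting for anyone backporting only one of the two.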
* Re: [PATCH nf v2 2/2] netfilter: Use l3mdev flow key when re-routing mangled packets
From: David Ahern @ 2022-04-19 20:06 UTC
To: Martin Willi, Pablo Neira Ayuso, Florian Westphal
Cc: netfilter-devel, netdev

On 4/19/22 7:47 AM, Martin Willi wrote:
> Commit 40867d74c374 ("net: Add l3mdev index to flow struct and avoid oif
> reset for port devices") introduces a flow key specific for layer 3
> domains, such as a VRF master device. This allows for explicit VRF domain
> selection instead of abusing the oif flow key.
>
> Update ip[6]_route_me_harder() to make use of that new key when re-routing
> mangled packets within VRFs instead of setting the flow oif, making it
> consistent with other users.
>
> Signed-off-by: Martin Willi <martin@strongswan.org>
> ---
>  net/ipv4/netfilter.c | 3 +--
>  net/ipv6/netfilter.c | 3 +--
>  2 files changed, 2 insertions(+), 4 deletions(-)
>
>

This one will go to -next

Reviewed-by: David Ahern <dsahern@kernel.org>

* Re: [PATCH nf v2 2/2] netfilter: Use l3mdev flow key when re-routing mangled packets
From: Pablo Neira Ayuso @ 2022-05-16 11:03 UTC
To: Martin Willi
Cc: Florian Westphal, David Ahern, netfilter-devel, netdev

On Tue, Apr 19, 2022 at 03:47:01PM +0200, Martin Willi wrote:
> Commit 40867d74c374 ("net: Add l3mdev index to flow struct and avoid oif
> reset for port devices") introduces a flow key specific for layer 3
> domains, such as a VRF master device. This allows for explicit VRF domain
> selection instead of abusing the oif flow key.
>
> Update ip[6]_route_me_harder() to make use of that new key when re-routing
> mangled packets within VRFs instead of setting the flow oif, making it
> consistent with other users.

Applied to nf-next