Re: [PATCH v4] net: netfilter: Fix rpfilter dropping vrf packets by mistake

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* Re: [PATCH v4] net: netfilter: Fix rpfilter dropping vrf packets by mistake
@ 2019-06-29  2:13 linmiaohe
  2019-06-29 12:19 ` David Ahern
  0 siblings, 1 reply; 4+ messages in thread
From: linmiaohe @ 2019-06-29  2:13 UTC (permalink / raw)
  To: David Ahern
  Cc: pablo@netfilter.org, kadlec@blackhole.kfki.hu, fw@strlen.de,
	davem@davemloft.net, kuznet@ms2.inr.ac.ru,
	yoshfuji@linux-ipv6.org, netfilter-devel@vger.kernel.org,
	coreteam@netfilter.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, Mingfangsen

On 6/29/19 1:05 AM, David Ahern wrote:
> On 6/28/19 3:06 AM, Miaohe Lin wrote:
> > diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c 
> > b/net/ipv6/netfilter/ip6t_rpfilter.c
> > index 6bcaf7357183..3c4a1772c15f 100644
> > --- a/net/ipv6/netfilter/ip6t_rpfilter.c
> > +++ b/net/ipv6/netfilter/ip6t_rpfilter.c
> > @@ -55,6 +55,10 @@ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb,
> >  	if (rpfilter_addr_linklocal(&iph->saddr)) {
> >  		lookup_flags |= RT6_LOOKUP_F_IFACE;
> >  		fl6.flowi6_oif = dev->ifindex;
> > +	/* Set flowi6_oif for vrf devices to lookup route in l3mdev domain. */
> > +	} else if (netif_is_l3_master(dev) || netif_is_l3_slave(dev)) {
> > +		lookup_flags |= FLOWI_FLAG_SKIP_NH_OIF;
>
> you don't need to set that flag here. It is done by the fib_rules code as needed.
>
You're right. Fib rules code would set FLOWI_FLAG_SKIP_NH_OIF flag.  But I set
it here for distinguish with the flags & XT_RPFILTER_LOOSE branch. Without
this, they do the same work and maybe should be  combined. I don't want to
do that as that makes code confusing.
Is this code snipet below ok ? If so, I would delete this flag setting.
 
       } else if (netif_is_l3_master(dev) || netif_is_l3_slave(dev)) {
               fl6.flowi6_oif = dev->ifindex;
        } else if ((flags & XT_RPFILTER_LOOSE) == 0)
                fl6.flowi6_oif = dev->ifindex;

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v4] net: netfilter: Fix rpfilter dropping vrf packets by mistake
  2019-06-29  2:13 [PATCH v4] net: netfilter: Fix rpfilter dropping vrf packets by mistake linmiaohe
@ 2019-06-29 12:19 ` David Ahern
  2019-06-29 14:13   ` 答复: " linmiaohe
  0 siblings, 1 reply; 4+ messages in thread
From: David Ahern @ 2019-06-29 12:19 UTC (permalink / raw)
  To: linmiaohe, pablo@netfilter.org
  Cc: kadlec@blackhole.kfki.hu, fw@strlen.de, davem@davemloft.net,
	kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Mingfangsen

On 6/28/19 8:13 PM, linmiaohe wrote:
> You're right. Fib rules code would set FLOWI_FLAG_SKIP_NH_OIF flag.  But I set
> it here for distinguish with the flags & XT_RPFILTER_LOOSE branch. Without
> this, they do the same work and maybe should be  combined. I don't want to
> do that as that makes code confusing.
> Is this code snipet below ok ? If so, I would delete this flag setting.
>  
>        } else if (netif_is_l3_master(dev) || netif_is_l3_slave(dev)) {
>                fl6.flowi6_oif = dev->ifindex;
>         } else if ((flags & XT_RPFILTER_LOOSE) == 0)
>                 fl6.flowi6_oif = dev->ifindex;

that looks fine to me, but it is up to Pablo.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* 答复: [PATCH v4] net: netfilter: Fix rpfilter dropping vrf packets by mistake
  2019-06-29 12:19 ` David Ahern
@ 2019-06-29 14:13   ` linmiaohe
  2019-07-01 18:01     ` Pablo Neira Ayuso
  0 siblings, 1 reply; 4+ messages in thread
From: linmiaohe @ 2019-06-29 14:13 UTC (permalink / raw)
  To: David Ahern, pablo@netfilter.org
  Cc: kadlec@blackhole.kfki.hu, fw@strlen.de, davem@davemloft.net,
	kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Mingfangsen

On 6/29/19 20:20 PM, David Ahern wrote:
> On 6/28/19 8:13 PM, linmiaohe wrote:
> > You're right. Fib rules code would set FLOWI_FLAG_SKIP_NH_OIF flag.  
> > But I set it here for distinguish with the flags & XT_RPFILTER_LOOSE 
> > branch. Without this, they do the same work and maybe should be  
> > combined. I don't want to do that as that makes code confusing.
> > Is this code snipet below ok ? If so, I would delete this flag setting.
> >  
> >        } else if (netif_is_l3_master(dev) || netif_is_l3_slave(dev)) {
> >                fl6.flowi6_oif = dev->ifindex;
> >         } else if ((flags & XT_RPFILTER_LOOSE) == 0)
> >                 fl6.flowi6_oif = dev->ifindex;

> that looks fine to me, but it is up to Pablo.

@David Ahern  Many thanks for your valuable advice.

@ Pablo Hi, could you please tell me if this code snipet is ok?
If not, which code would you prefer? It's very nice of you to
figure it out for me. Thanks a lot.

Have a nice day.
Best wishes.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: 答复: [PATCH v4] net: netfilter: Fix rpfilter dropping vrf packets by mistake
  2019-06-29 14:13   ` 答复: " linmiaohe
@ 2019-07-01 18:01     ` Pablo Neira Ayuso
  0 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2019-07-01 18:01 UTC (permalink / raw)
  To: linmiaohe
  Cc: David Ahern, kadlec@blackhole.kfki.hu, fw@strlen.de,
	davem@davemloft.net, kuznet@ms2.inr.ac.ru,
	yoshfuji@linux-ipv6.org, netfilter-devel@vger.kernel.org,
	coreteam@netfilter.org, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org, Mingfangsen

On Sat, Jun 29, 2019 at 02:13:59PM +0000, linmiaohe wrote:
> On 6/29/19 20:20 PM, David Ahern wrote:
> > On 6/28/19 8:13 PM, linmiaohe wrote:
> > > You're right. Fib rules code would set FLOWI_FLAG_SKIP_NH_OIF flag.  
> > > But I set it here for distinguish with the flags & XT_RPFILTER_LOOSE 
> > > branch. Without this, they do the same work and maybe should be  
> > > combined. I don't want to do that as that makes code confusing.
> > > Is this code snipet below ok ? If so, I would delete this flag setting.
> > >  
> > >        } else if (netif_is_l3_master(dev) || netif_is_l3_slave(dev)) {
> > >                fl6.flowi6_oif = dev->ifindex;
> > >         } else if ((flags & XT_RPFILTER_LOOSE) == 0)
> > >                 fl6.flowi6_oif = dev->ifindex;
> 
> > that looks fine to me, but it is up to Pablo.
> 
> @David Ahern  Many thanks for your valuable advice.
> 
> @ Pablo Hi, could you please tell me if this code snipet is ok?
> If not, which code would you prefer? It's very nice of you to
> figure it out for me. Thanks a lot.

Probably this?

        } else if (netif_is_l3_master(dev) || netif_is_l3_slave(dev) ||
                   (flags & XT_RPFILTER_LOOSE) == 0) {
                fl6.flowi6_oif = dev->ifindex;
        }

Thanks.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2019-07-01 18:02 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-06-29  2:13 [PATCH v4] net: netfilter: Fix rpfilter dropping vrf packets by mistake linmiaohe
2019-06-29 12:19 ` David Ahern
2019-06-29 14:13   ` 答复: " linmiaohe
2019-07-01 18:01     ` Pablo Neira Ayuso

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).