* [PATCH] ipv6: Preserve link scope traffic original oif
@ 2017-03-01 13:47 Alin Nastac
  2017-03-03 11:39 ` Pablo Neira Ayuso
  0 siblings, 1 reply; 6+ messages in thread
From: Alin Nastac @ 2017-03-01 13:47 UTC
  To: netfilter-devel

Link-local and multicast packets must keep their original oif after
ip6_route_me_harder is called.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
---
 net/ipv6/netfilter.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 39970e2..02811c5 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -24,7 +24,8 @@ int ip6_route_me_harder(struct net *net, struct sk_buff *skb)
 	unsigned int hh_len;
 	struct dst_entry *dst;
 	struct flowi6 fl6 = {
-		.flowi6_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0,
+		.flowi6_oif = skb->sk ? skb->sk->sk_bound_dev_if :
+			rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0,
 		.flowi6_mark = skb->mark,
 		.flowi6_uid = sock_net_uid(net, skb->sk),
 		.daddr = iph->daddr,
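Review bot: in the new `.flowi6_oif` initializer the `rt6_need_strict(&iph->daddr)` arm is reached only when `skb->sk` is NULL, so a packet owned by a socket that is not bound to a device still takes `sk_bound_dev_if`, which is 0, for a link-local or multicast destination and loses its original oif exactly as before. Consider testing `skb->sk && skb->sk->sk_bound_dev_if` first and falling through to the strict check otherwise, and parenthesise the nested conditional so the precedence is explicit.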
-- 
1.7.12.4



* Re: [PATCH] ipv6: Preserve link scope traffic original oif
  2017-03-01 13:47 [PATCH] ipv6: Preserve link scope traffic original oif Alin Nastac
@ 2017-03-03 11:39 ` Pablo Neira Ayuso
  2017-03-03 11:56   ` Alin Năstac
  0 siblings, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2017-03-03 11:39 UTC
  To: Alin Nastac; +Cc: netfilter-devel

On Wed, Mar 01, 2017 at 02:47:23PM +0100, Alin Nastac wrote:
> Link-local and multicast packets must keep their original oif after
> ip6_route_me_harder is called.

Out of curiosity, what does the setup you use look like to trigger this
problem?


* Re: [PATCH] ipv6: Preserve link scope traffic original oif
  2017-03-03 11:39 ` Pablo Neira Ayuso
@ 2017-03-03 11:56   ` Alin Năstac
  2017-03-03 12:12     ` Pablo Neira Ayuso
  0 siblings, 1 reply; 6+ messages in thread
From: Alin Năstac @ 2017-03-03 11:56 UTC
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

On Fri, Mar 3, 2017 at 12:39 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Wed, Mar 01, 2017 at 02:47:23PM +0100, Alin Nastac wrote:
>> Link-local and multicast packets must keep their original oif after
>> ip6_route_me_harder is called.
>
> Out of curiosity, what does the setup you use look like to trigger this
> problem?

ICMPv6 RA/NS/NA are marked by a -j MARK iptables rule (the mark value
is used to set the QoS queue).
Because skb->mark value changed, ip6t_mangle_out will call ip6_route_me_harder.


* Re: [PATCH] ipv6: Preserve link scope traffic original oif
  2017-03-03 11:56   ` Alin Năstac
@ 2017-03-03 12:12     ` Pablo Neira Ayuso
  2017-03-03 13:22       ` Alin Năstac
  0 siblings, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2017-03-03 12:12 UTC
  To: Alin Năstac; +Cc: netfilter-devel

On Fri, Mar 03, 2017 at 12:56:50PM +0100, Alin Năstac wrote:
> On Fri, Mar 3, 2017 at 12:39 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Wed, Mar 01, 2017 at 02:47:23PM +0100, Alin Nastac wrote:
> >> Link-local and multicast packets must keep their original oif after
> >> ip6_route_me_harder is called.
> >
> > Out of curiosity, what does the setup you use look like to trigger this
> > problem?
> 
> ICMPv6 RA/NS/NA are marked by a -j MARK iptables rule (the mark value
> is used to set the QoS queue).
> Because skb->mark value changed, ip6t_mangle_out will call ip6_route_me_harder.

That sounds quite standard. Did this break after a kernel upgrade? I'm
trying to guess if the problem is somewhere else...


* Re: [PATCH] ipv6: Preserve link scope traffic original oif
  2017-03-03 12:12     ` Pablo Neira Ayuso
@ 2017-03-03 13:22       ` Alin Năstac
  0 siblings, 0 replies; 6+ messages in thread
From: Alin Năstac @ 2017-03-03 13:22 UTC
  To: Pablo Neira Ayuso; +Cc: netfilter-devel

On Fri, Mar 3, 2017 at 1:12 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Mar 03, 2017 at 12:56:50PM +0100, Alin Năstac wrote:
>> On Fri, Mar 3, 2017 at 12:39 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> > On Wed, Mar 01, 2017 at 02:47:23PM +0100, Alin Nastac wrote:
>> >> Link-local and multicast packets must keep their original oif after
>> >> ip6_route_me_harder is called.
>> >
>> > Out of curiosity, what does the setup you use look like to trigger this
>> > problem?
>>
>> ICMPv6 RA/NS/NA are marked by a -j MARK iptables rule (the mark value
>> is used to set the QoS queue).
>> Because skb->mark value changed, ip6t_mangle_out will call ip6_route_me_harder.
>
> That sounds quite standard. Did this break after a kernel upgrade? I'm
> trying to guess if the problem is somewhere else...

I used kernel version 4.1 to test an adapted version of this patch.

Judging by the ip6_route_output_flags() definition present in kernel
version 4.10, callers are expected to provide a valid value for
fl6->flowi6_oif when rt6_need_strict(&fl6->daddr) is true.

^ permalink raw reply	[flat|nested] 6+ messages in thread
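
The oif selection discussed in this thread, modelled in userspace as an added example (not code from the patch or the kernel). `need_strict()` stands in for `rt6_need_strict()` on the assumption that it flags multicast, link-local and loopback destinations; `struct pkt`, the function names and the sample packets are hypothetical.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for rt6_need_strict(); assumed set: multicast, link-local, ::1. */
static bool need_strict(const struct in6_addr *a)
{
	static const unsigned char lo[16] = { [15] = 1 };	/* ::1 */
	return a->s6_addr[0] == 0xff ||	/* ff00::/8 multicast */
	       (a->s6_addr[0] == 0xfe && (a->s6_addr[1] & 0xc0) == 0x80) ||
	       memcmp(a->s6_addr, lo, sizeof(lo)) == 0;
}

struct pkt {	/* hypothetical: only the state the initializer reads */
	bool has_sk;		/* skb->sk != NULL */
	int sk_bound_dev_if;	/* 0 when the socket is not bound to a device */
	int dst_ifindex;	/* skb_dst(skb)->dev->ifindex before rerouting */
	const char *daddr;
};
/* flowi6_oif as the removed '-' line computes it. */
static int oif_before(const struct pkt *p)
{
	return p->has_sk ? p->sk_bound_dev_if : 0;
}

/* flowi6_oif as the added '+' lines compute it; -1 on a bad address. */
static int oif_after(const struct pkt *p)
{
	struct in6_addr a;
	if (inet_pton(AF_INET6, p->daddr, &a) != 1)
		return -1;
	return p->has_sk ? p->sk_bound_dev_if :
	       need_strict(&a) ? p->dst_ifindex : 0;
}

/* Constructed samples, each originally routed out of ifindex 3. */
static const struct pkt NO_SK_NS = { false, 0, 3, "ff02::1:ff00:1" };
static const struct pkt NO_SK_GLOBAL = { false, 0, 3, "2001:db8::1" };
static const struct pkt UNBOUND_LL = { true, 0, 3, "fe80::1" };
static const struct pkt BOUND_LL = { true, 5, 3, "fe80::1" };
int main(void)
{
	const struct pkt *s[] = { &NO_SK_NS, &NO_SK_GLOBAL, &UNBOUND_LL, &BOUND_LL };
	for (int i = 0; i < 4; i++)
		printf("%-15s before=%d after=%d\n", s[i]->daddr, oif_before(s[i]), oif_after(s[i]));
	return 0;
}
```

The unbound-socket sample still resolves to oif 0 under the patched expression, because the strict check is only reached when no socket is attached.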

* [PATCH] ipv6: Preserve link scope traffic original oif
@ 2017-03-01 13:00 Alin Nastac
  0 siblings, 0 replies; 6+ messages in thread
From: Alin Nastac @ 2017-03-01 13:00 UTC
  To: netfilter-devel

Link-local and multicast packets must keep their original oif after
ip6_route_me_harder is called.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
---
 net/ipv6/netfilter.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 39970e2..02811c5 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -24,7 +24,8 @@ int ip6_route_me_harder(struct net *net, struct sk_buff *skb)
 	unsigned int hh_len;
 	struct dst_entry *dst;
 	struct flowi6 fl6 = {
-		.flowi6_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0,
+		.flowi6_oif = skb->sk ? skb->sk->sk_bound_dev_if :
+			rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0,
 		.flowi6_mark = skb->mark,
 		.flowi6_uid = sock_net_uid(net, skb->sk),
 		.daddr = iph->daddr,
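Review bot: the added continuation line dereferences `skb_dst(skb)->dev->ifindex` with no check, and nothing in the hunk or the commit message says why the skb is guaranteed to carry a dst with a device at this point in ip6_route_me_harder. Either guard the dereference or state the invariant in the changelog; the changelog should also describe the case that exposes the problem, since "must keep their original oif" does not say what goes wrong when the oif is 0.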
-- 
1.7.12.4


