From: David Ahern <dsahern@gmail.com>
To: Hangbin Liu <liuhangbin@gmail.com>, netdev@vger.kernel.org
Cc: Cong Wang <xiyou.wangcong@gmail.com>,
Roopa Prabhu <roopa@cumulusnetworks.com>
Subject: Re: [PATCHv3 net] ipv6: no need to return rt->dst.error if it is prohibit entry
Date: Wed, 26 Jul 2017 11:09:39 -0600
Message-ID: <07c66e6f-5b78-3317-18c6-bd2f955d5f90@gmail.com>
In-Reply-To: <1501060829-11928-1-git-send-email-liuhangbin@gmail.com>
On 7/26/17 3:20 AM, Hangbin Liu wrote:
> After commit 18c3a61c4264 ("net: ipv6: RTM_GETROUTE: return matched fib
> result when requested"). When we get a prohibit entry, we will return
> -EACCES directly.
>
> Before:
Do you mean "Before commit 18c3a61c4264?"
> + ip netns exec client ip -6 route get 2003::1
> prohibit 2003::1 dev lo table unspec proto kernel src 2001::1 metric
> 4294967295 error -13
>
> After:
And "After commit 18c3a61c4264?"
> + ip netns exec server ip -6 route get 2002::1
> RTNETLINK answers: Permission denied
>
> Fix this by adding prohibit and blk hole check.
>
> At the same time, after commit
> 2f460933f58e ("ipv6: initialize route null entry in addrconf_init()") and
> 242d3a49a2a1 ("ipv6: reorder ip6_route_dev_notifier after ipv6_dev_notf")
> We will init rt6i_idev correctly. So we could dump ip6_null_entry
> (unreachable route entry) safely now.
>
> Fixes: 18c3a61c4264 ("net: ipv6: RTM_GETROUTE: return matched fib...")
> Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
> ---
> net/ipv6/route.c | 13 ++++++-------
> 1 file changed, 6 insertions(+), 7 deletions(-)
>
> diff --git a/net/ipv6/route.c b/net/ipv6/route.c
> index 4d30c96..b05da74 100644
> --- a/net/ipv6/route.c
> +++ b/net/ipv6/route.c
> @@ -3637,13 +3637,12 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh,
> dst = ip6_route_lookup(net, &fl6, 0);
>
> rt = container_of(dst, struct rt6_info, dst);
> - if (rt->dst.error) {
> - err = rt->dst.error;
> - ip6_rt_put(rt);
> - goto errout;
> - }
> -
> - if (rt == net->ipv6.ip6_null_entry) {
> + if (rt->dst.error &&
> +#ifdef CONFIG_IPV6_MULTIPLE_TABLES
> + rt != net->ipv6.ip6_prohibit_entry &&
> + rt != net->ipv6.ip6_blk_hole_entry &&
> +#endif
> + rt != net->ipv6.ip6_null_entry) {
> err = rt->dst.error;
> ip6_rt_put(rt);
> goto errout;
>
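Review bot: The new condition at `if (rt->dst.error &&` exempts routes only by pointer identity with the three per-netns entries (`ip6_prohibit_entry`, `ip6_blk_hole_entry`, `ip6_null_entry`), so any other rt6_info that has dst.error set still takes the `goto errout` path and userspace still gets the netlink error instead of the route. If the goal is for `ip -6 route get` to print prohibit and blackhole results, either key the test on something that separately created error routes share as well, or drop the early `rt->dst.error` return rather than narrowing it. As a style point, the `#ifdef CONFIG_IPV6_MULTIPLE_TABLES` in the middle of the `if` expression is hard to read; a small helper would keep the conditional compilation out of the condition. The changelog should also say which commit "Before:" and "After:" refer to, and why the two transcripts query different addresses (2003::1 in netns client, 2002::1 in netns server).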

This is what I see with your patch:

# ip -6 ro ls vrf red
2001:db8:1::/120 dev eth1 proto kernel metric 256 pref medium
prohibit 5000::/120 dev lo metric 1024 error -13 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
ff00::/8 dev eth1 metric 256 pref medium
unreachable default dev lo metric 8192 error -113 pref medium

i.e., I added a prohibit route for 5000:/120

and then running:

# ip -6 ro get vrf red 5000::1
RTNETLINK answers: Permission denied

Which is the behavior without your patch.

Now if I delete just the first bit:

diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 4d30c96a819d..8fc52de40175 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -3637,12 +3637,6 @@ static int inet6_rtm_getroute(struct sk_buff
*in_skb, struct nlmsghdr *nlh,
dst = ip6_route_lookup(net, &fl6, 0);
rt = container_of(dst, struct rt6_info, dst);
- if (rt->dst.error) {
- err = rt->dst.error;
- ip6_rt_put(rt);
- goto errout;
- }
-
if (rt == net->ipv6.ip6_null_entry) {
err = rt->dst.error;
ip6_rt_put(rt);
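
Review bot: With the general `rt->dst.error` return removed, the retained `if (rt == net->ipv6.ip6_null_entry)` block becomes the only error path here, and it matches the built-in null entry by pointer only. A route that carries an error but is a separate entry, such as the `unreachable default ... error -113` route in the listing above, would then be dumped as a route message, while a lookup that lands on the built-in null entry still returns a netlink error. That split deserves a comment above the check and a sentence in the changelog, since callers that previously saw `RTNETLINK answers: Permission denied` will now get a route carrying `error -13`.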

Then I get:

# ip -6 ro get vrf red 5000::1
prohibit 5000::1 from :: dev lo table red src 2001:db8::2 metric 1024
error -13 pref medium

which seems to be your objective.

I don't understand why you are focused on the built-in null and prohibit
route entries. When I add a default unreachable or prohibit route those
are different rt6_info entries. Take a look at ip6_route_info_create.