[Patch net 1/3] net: move LOOPBACK_IFINDEX to include/net/flow.h

[Patch net 1/3] net: move LOOPBACK_IFINDEX to include/net/flow.h

[Cong Wang]

From: Cong Wang <cwang@twopensource.com>

1) It is mostly used by flowi_iif

2) Fix the following compile error if we use it in flow.h
by the patches latter:

In file included from include/linux/netfilter.h:277:0,
                 from include/net/netns/netfilter.h:5,
                 from include/net/net_namespace.h:21,
                 from include/linux/netdevice.h:43,
                 from include/linux/icmpv6.h:12,
                 from include/linux/ipv6.h:61,
                 from include/net/ipv6.h:16,
                 from include/linux/sunrpc/clnt.h:27,
                 from include/linux/nfs_fs.h:30,
                 from init/do_mounts.c:32:
include/net/flow.h: In function ‘flowi4_init_output’:
include/net/flow.h:84:32: error: ‘LOOPBACK_IFINDEX’ undeclared (first use in this function)

Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Julian Anastasov <ja@ssi.bg>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Cong Wang <cwang@twopensource.com>
---
 include/net/flow.h          | 8 ++++++++
 include/net/net_namespace.h | 9 +--------
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/include/net/flow.h b/include/net/flow.h
index 64fd248..5401998 100644
--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -11,6 +11,14 @@
 #include <linux/in6.h>
 #include <linux/atomic.h>
 
+/*
+ * ifindex generation is per-net namespace, and loopback is
+ * always the 1st device in ns (see net_dev_init), thus any
+ * loopback device should get ifindex 1
+ */
+
+#define LOOPBACK_IFINDEX	1
+
 struct flowi_common {
 	int	flowic_oif;
 	int	flowic_iif;
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index 79387f7..5f9eb26 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -9,6 +9,7 @@
 #include <linux/list.h>
 #include <linux/sysctl.h>
 
+#include <net/flow.h>
 #include <net/netns/core.h>
 #include <net/netns/mib.h>
 #include <net/netns/unix.h>
@@ -131,14 +132,6 @@ struct net {
 	atomic_t		fnhe_genid;
 };
 
-/*
- * ifindex generation is per-net namespace, and loopback is
- * always the 1st device in ns (see net_dev_init), thus any
- * loopback device should get ifindex 1
- */
-
-#define LOOPBACK_IFINDEX	1
-
 #include <linux/seq_file_net.h>
 
 /* Init's network namespace */
-- 
1.8.3.1

[Patch net 2/3] ipv4,fib: pass LOOPBACK_IFINDEX instead of 0 to flowi4_iif

[Cong Wang]

From: Cong Wang <cwang@twopensource.com>

As suggested by Julian:

	Simply, flowi4_iif must not contain 0, it does not
	look logical to ignore all ip rules with specified iif.

because in fib_rule_match() we do:

        if (rule->iifindex && (rule->iifindex != fl->flowi_iif))
                goto out;

flowi4_iif should be LOOPBACK_IFINDEX by default.

Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Julian Anastasov <ja@ssi.bg>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Cong Wang <cwang@twopensource.com>
---
 include/net/flow.h                | 2 +-
 net/ipv4/fib_frontend.c           | 2 +-
 net/ipv4/ipmr.c                   | 2 +-
 net/ipv4/netfilter/ipt_rpfilter.c | 5 +----
 net/ipv6/ip6mr.c                  | 2 +-
 5 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/include/net/flow.h b/include/net/flow.h
index 5401998..8109a15 100644
--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -88,7 +88,7 @@ static inline void flowi4_init_output(struct flowi4 *fl4, int oif,
 				      __be16 dport, __be16 sport)
 {
 	fl4->flowi4_oif = oif;
-	fl4->flowi4_iif = 0;
+	fl4->flowi4_iif = LOOPBACK_IFINDEX;
 	fl4->flowi4_mark = mark;
 	fl4->flowi4_tos = tos;
 	fl4->flowi4_scope = scope;
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 1a629f8..255aa99 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -250,7 +250,7 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
 	bool dev_match;
 
 	fl4.flowi4_oif = 0;
-	fl4.flowi4_iif = oif;
+	fl4.flowi4_iif = oif ? : LOOPBACK_IFINDEX;
 	fl4.daddr = src;
 	fl4.saddr = dst;
 	fl4.flowi4_tos = tos;
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 2886357..d84dc8d 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -455,7 +455,7 @@ static netdev_tx_t reg_vif_xmit(struct sk_buff *skb, struct net_device *dev)
 	struct mr_table *mrt;
 	struct flowi4 fl4 = {
 		.flowi4_oif	= dev->ifindex,
-		.flowi4_iif	= skb->skb_iif,
+		.flowi4_iif	= skb->skb_iif ? : LOOPBACK_IFINDEX,
 		.flowi4_mark	= skb->mark,
 	};
 	int err;
diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
index c49dcd0..4bfaedf 100644
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -89,11 +89,8 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	if (ipv4_is_multicast(iph->daddr)) {
 		if (ipv4_is_zeronet(iph->saddr))
 			return ipv4_is_local_multicast(iph->daddr) ^ invert;
-		flow.flowi4_iif = 0;
-	} else {
-		flow.flowi4_iif = LOOPBACK_IFINDEX;
 	}
-
+	flow.flowi4_iif = LOOPBACK_IFINDEX;
 	flow.daddr = iph->saddr;
 	flow.saddr = rpfilter_get_saddr(iph->daddr);
 	flow.flowi4_oif = 0;
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 8737400..8659067 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -700,7 +700,7 @@ static netdev_tx_t reg_vif_xmit(struct sk_buff *skb,
 	struct mr6_table *mrt;
 	struct flowi6 fl6 = {
 		.flowi6_oif	= dev->ifindex,
-		.flowi6_iif	= skb->skb_iif,
+		.flowi6_iif	= skb->skb_iif ? : LOOPBACK_IFINDEX,
 		.flowi6_mark	= skb->mark,
 	};
 	int err;
-- 
1.8.3.1

[Patch net 3/3] ipv4,fib: pass 0 instead of LOOPBACK_IFINDEX to fib_validate_source()

[Cong Wang]

From: Cong Wang <cwang@twopensource.com>

In my special case, when a packet is redirected from veth0 to lo,
its skb->dev->ifindex would be LOOPBACK_IFINDEX. Meanwhile we
pass the hard-coded LOOPBACK_IFINDEX to fib_validate_source()
in ip_route_input_slow(). This would cause the following check
in fib_validate_source() fail:

            (dev->ifindex != oif || !IN_DEV_TX_REDIRECTS(idev))

when rp_filter is disabeld on loopback. As suggested by Julian,
the caller should pass 0 here so that we will not end up by
calling __fib_validate_source().

Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Julian Anastasov <ja@ssi.bg>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Cong Wang <cwang@twopensource.com>
---
 net/ipv4/route.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 20a59c3..93d4921 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1700,8 +1700,7 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
 
 	if (res.type == RTN_LOCAL) {
 		err = fib_validate_source(skb, saddr, daddr, tos,
-					  LOOPBACK_IFINDEX,
-					  dev, in_dev, &itag);
+					  0, dev, in_dev, &itag);
 		if (err < 0)
 			goto martian_source_keep_err;
 		goto local_input;
-- 
1.8.3.1

Re: [Patch net 1/3] net: move LOOPBACK_IFINDEX to include/net/flow.h

[David Miller]

Cong, first of all, I'd like you to combine patches #1 and #2.

Also, Julian made it clear that several other changes needed happen
besides the single fib_validate_source() call site you are modifying
in patch #3.

He also said, for example, that the flow4_iif assignment in
__fib_validate_source() needs adjusting as well.

He furthermore said that other assignments of zero to flow4_iif
in netfilter and elsewhere must be adjusted as well.

Please also provide a proper 0/N patch posting next time explaining
exactly what the series does and why it is necessary.

Re: [Patch net 1/3] net: move LOOPBACK_IFINDEX to include/net/flow.h

[Cong Wang]

On Tue, Apr 15, 2014 at 12:06 PM, David Miller <davem@davemloft.net> wrote:
>
> Cong, first of all, I'd like you to combine patches #1 and #2.
>

OK, whatever you prefer...I have no strong opinion here.

> Also, Julian made it clear that several other changes needed happen
> besides the single fib_validate_source() call site you are modifying
> in patch #3.
>
> He also said, for example, that the flow4_iif assignment in
> __fib_validate_source() needs adjusting as well.
>
> He furthermore said that other assignments of zero to flow4_iif
> in netfilter and elsewhere must be adjusted as well.

I believe I did in patch #2, or I still miss anything?

>
> Please also provide a proper 0/N patch posting next time explaining
> exactly what the series does and why it is necessary.

OK, will do, I thought per-patch description is enough.

Thanks.

Re: [Patch net 2/3] ipv4,fib: pass LOOPBACK_IFINDEX instead of 0 to flowi4_iif

[Julian Anastasov]

	Hello,

On Mon, 14 Apr 2014, Cong Wang wrote:

> From: Cong Wang <cwang@twopensource.com>
> 
> flowi4_iif should be LOOPBACK_IFINDEX by default.

	Looks good to me, you included all needed changes
into the 3 patches. After checking all fib_lookup() callers
I see one remaining place to be fixed, if we want to be
pedantic: fib_check_nh() needs a LOOPBACK_IFINDEX for fl4.

Regards

--
Julian Anastasov <ja@ssi.bg>

Re: [Patch net 2/3] ipv4,fib: pass LOOPBACK_IFINDEX instead of 0 to flowi4_iif

[Cong Wang]

On Tue, Apr 15, 2014 at 1:26 PM, Julian Anastasov <ja@ssi.bg> wrote:
>
>         Hello,
>
> On Mon, 14 Apr 2014, Cong Wang wrote:
>
>> From: Cong Wang <cwang@twopensource.com>
>>
>> flowi4_iif should be LOOPBACK_IFINDEX by default.
>
>         Looks good to me, you included all needed changes
> into the 3 patches. After checking all fib_lookup() callers
> I see one remaining place to be fixed, if we want to be
> pedantic: fib_check_nh() needs a LOOPBACK_IFINDEX for fl4.
>

I will add it too. Thanks a lot!