From: Jack Ma <Jack.Ma@alliedtelesis.co.nz>
To: "dsa@cumulusnetworks.com" <dsa@cumulusnetworks.com>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Adding support for VRF traffic passed by mangle table
Date: Mon, 3 Apr 2017 02:57:46 +0000
Message-ID: <1491188266363.26046@alliedtelesis.co.nz>
Hi David,
I formatted a patch to support VRF flow passed by iptables (mangle table). Previously, we lost the flow.oif, which would result in a routing look-up failure. This patch wraps the VRF response flow with the correct master interface by using skb->dev, which was set to the real ingress device.
Without this patch, VRF traffic permitted by firewall rules that change nf_mark would be dropped while doing fib_lookup.
Kernel documentation suggested two ways of fixing this:
<
[2] Iptables on ingress supports PREROUTING with skb->dev set to the real
ingress device and both INPUT and PREROUTING rules with skb->dev set to
the VRF device. For egress POSTROUTING and OUTPUT rules can be written
using either the VRF device or real egress device.
>
Could you please look at this patch and give me some feedback?
Thanks for your time and consideration.
Regards,
Jack
diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index c0cc6aa..07168d4 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -46,6 +46,14 @@ int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned int addr_t
fl4.flowi4_oif = l3mdev_master_ifindex(dev);
fl4.flowi4_mark = skb->mark;
fl4.flowi4_flags = flags;
+
+ /* Since we have already known this is vrf flow passed by
+ * mangle table, we wrap the oif with the master interface.
+ */
+ if (fl4.flowi4_oif == 0 && fl4.daddr && skb->dev &&
+ netif_index_is_l3_master(net, skb->dev->ifindex))
+ fl4.flowi4_oif = skb->dev->ifindex;
+
rt = ip_route_output_key(net, &fl4);
if (IS_ERR(rt))
return PTR_ERR(rt);
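Review bot: the new condition is broader than its comment claims. The comment says "we have already known this is vrf flow passed by mangle table", but the test only checks that l3mdev_master_ifindex(dev) returned 0, that fl4.daddr is non-zero, and that skb->dev is an L3 master device; nothing ties it to the mangle table or to a changed mark, so the fallback fires for every packet re-routed through ip_route_me_harder whose skb->dev is a VRF device, including locally generated packets where skb->dev is not an ingress device. State that explicitly in the comment, or narrow the condition to the case the cover letter describes. The `fl4.daddr &&` term is unexplained; if it is meant to skip packets with no destination yet, say so, otherwise drop it. Because `dev` (the current dst device) and `skb->dev` can belong to different VRFs, falling back to the ingress VRF changes which FIB table is consulted in the route-leaking case, and the commit message should say why the ingress VRF is the right scope. Finally, the diff is sent without a commit message or Signed-off-by line and the attachment is a filename rather than the patch itself; netdev expects the full patch inline, e.g. via git send-email.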
Thread overview (2+ messages):
2017-04-03 2:57 Jack Ma [this message]
2017-04-03 13:24 ` Adding support for VRF traffic passed by mangle table David Ahern