* Adding support for VRF traffic passed by mangle table
@ 2017-04-03  2:57 Jack Ma
  2017-04-03 13:24 ` David Ahern
  0 siblings, 1 reply; 2+ messages in thread
From: Jack Ma @ 2017-04-03  2:57 UTC (permalink / raw)
  To: dsa; +Cc: netdev


Hi David,

I formatted a patch to support VRF flows passed by iptables (mangle table). Previously, we lost the flow.oif, which would result in a routing look-up failure. This patch wraps the VRF response flow with the correct master interface by using skb->dev, which was set to the real ingress device.
Without this patch, VRF traffic permitted by firewall rules that change nf_mark would be dropped while doing fib_lookup.
Kernel documentation suggested two ways of fixing this:

        <
        [2] Iptables on ingress supports PREROUTING with skb->dev set to the real
            ingress device and both INPUT and PREROUTING rules with skb->dev set to
            the VRF device. For egress POSTROUTING and OUTPUT rules can be written
            using either the VRF device or real egress device.
        >


Could you please look at this patch and give me some feedback?
Thanks for your time and consideration.
Regards,
Jack




diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index c0cc6aa..07168d4 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -46,6 +46,14 @@ int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned int addr_t
                fl4.flowi4_oif = l3mdev_master_ifindex(dev);
        fl4.flowi4_mark = skb->mark;
        fl4.flowi4_flags = flags;
+
+       /* Since we have already known this is vrf flow passed by
+        * mangle table, we wrap the oif with the master interface.
+        */
+       if (fl4.flowi4_oif == 0 && fl4.daddr && skb->dev &&
+           netif_index_is_l3_master(net, skb->dev->ifindex))
+               fl4.flowi4_oif = skb->dev->ifindex;
+
        rt = ip_route_output_key(net, &fl4);
        if (IS_ERR(rt))
                return PTR_ERR(rt);
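Review bot: the comment on the new block says "we have already known this is vrf flow passed by mangle table", but the condition that follows only tests that flowi4_oif is still 0, that daddr is set, and that skb->dev is an L3 master device; nothing in it inspects skb->mark or the mangle table. Reword the comment to describe what the code actually does (fall back to skb->dev when it is an L3 master and no oif has been resolved) and explain in the changelog why the existing `fl4.flowi4_oif = l3mdev_master_ifindex(dev);` two lines above the insertion returns 0 in the failing case, since that line is the path that should already be picking up the VRF. The patch as posted also carries no commit message or Signed-off-by line above the `diff --git` header.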



* Re: Adding support for VRF traffic passed by mangle table
  2017-04-03  2:57 Adding support for VRF traffic passed by mangle table Jack Ma
@ 2017-04-03 13:24 ` David Ahern
  0 siblings, 0 replies; 2+ messages in thread
From: David Ahern @ 2017-04-03 13:24 UTC (permalink / raw)
  To: Jack Ma; +Cc: netdev, Florian Westphal, Pablo Neira Ayuso

On 4/2/17 10:57 PM, Jack Ma wrote:
> diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
> index c0cc6aa..07168d4 100644
> --- a/net/ipv4/netfilter.c
> +++ b/net/ipv4/netfilter.c
> @@ -46,6 +46,14 @@ int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned int addr_t
>                 fl4.flowi4_oif = l3mdev_master_ifindex(dev);

How does the above line (which is part of this block:
        fl4.flowi4_oif = sk ? sk->sk_bound_dev_if : 0;
        if (!fl4.flowi4_oif)
                fl4.flowi4_oif = l3mdev_master_ifindex(dev);

) not work? The dst should be set on the skb at this point and the
device would reference the VRF.


>         fl4.flowi4_mark = skb->mark;
>         fl4.flowi4_flags = flags;
> +
> +       /* Since we have already known this is vrf flow passed by
> +        * mangle table, we wrap the oif with the master interface.
> +        */
> +       if (fl4.flowi4_oif == 0 && fl4.daddr && skb->dev &&
> +           netif_index_is_l3_master(net, skb->dev->ifindex))
> +               fl4.flowi4_oif = skb->dev->ifindex;
> +
>         rt = ip_route_output_key(net, &fl4);
>         if (IS_ERR(rt))
>                 return PTR_ERR(rt);
> 

