All of lore.kernel.org
* [PATCH] sit: allow encapsulated IPv6 traffic to be delivered locally
@ 2022-01-07 12:38 Ignat Korchagin
  2022-01-12 19:59 ` David Ahern
  0 siblings, 1 reply; 3+ messages in thread
From: Ignat Korchagin @ 2022-01-07 12:38 UTC (permalink / raw)
  To: netdev, David S . Miller, Hideaki YOSHIFUJI, David Ahern
  Cc: kernel-team, Ignat Korchagin, Amir Razmjou

While experimenting with FOU encapsulation Amir noticed that encapsulated IPv6
traffic fails to be delivered, if the peer IP address is configured locally.

It can be easily verified by creating a sit interface like below:

$ sudo ip link add name fou_test type sit remote 127.0.0.1 encap fou encap-sport auto encap-dport 1111
$ sudo ip link set fou_test up

and sending some IPv4 and IPv6 traffic to it

$ ping -I fou_test -c 1 1.1.1.1
$ ping6 -I fou_test -c 1 fe80::d0b0:dfff:fe4c:fcbc

"tcpdump -i any udp dst port 1111" will confirm that only the first IPv4 ping
was encapsulated and attempted to be delivered.

This seems like a limitation: for example, in a cloud environment the "peer"
service may be arbitrarily scheduled on any server within the cluster, where all
nodes are trying to send encapsulated traffic. And the unlucky node will not be
able to. Moreover, delivering encapsulated IPv4 traffic locally is allowed.

But I may not have all the context about this restriction and this code predates
the observable git history.

Reported-by: Amir Razmjou <arazmjou@cloudflare.com>
Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
---
 net/ipv6/sit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index 8a3618a30632..72968d4188b9 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -956,7 +956,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
 		dst_cache_set_ip4(&tunnel->dst_cache, &rt->dst, fl4.saddr);
 	}
 
-	if (rt->rt_type != RTN_UNICAST) {
+	if (rt->rt_type != RTN_UNICAST && rt->rt_type != RTN_LOCAL) {
 		ip_rt_put(rt);
 		dev->stats.tx_carrier_errors++;
 		goto tx_error_icmp;
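
Review bot: the relaxed check `rt->rt_type != RTN_UNICAST && rt->rt_type != RTN_LOCAL` in ipip6_tunnel_xmit() now lets every locally routed outer destination through, but the commit message only exercises the FOU case (`remote 127.0.0.1 encap fou`). Please state what happens for a plain sit tunnel with no encap whose remote is a local address, where the outer packet is handed straight back to this host, and confirm that it cannot re-enter the same tunnel's transmit path. If that case is not wanted, the RTN_LOCAL exception could be limited to tunnels that have an encapsulation configured.
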
-- 
2.20.1



* Re: [PATCH] sit: allow encapsulated IPv6 traffic to be delivered locally
  2022-01-07 12:38 [PATCH] sit: allow encapsulated IPv6 traffic to be delivered locally Ignat Korchagin
@ 2022-01-12 19:59 ` David Ahern
  2022-01-12 23:23   ` Jakub Kicinski
  0 siblings, 1 reply; 3+ messages in thread
From: David Ahern @ 2022-01-12 19:59 UTC (permalink / raw)
  To: Ignat Korchagin, netdev, David S . Miller, Hideaki YOSHIFUJI,
	David Ahern
  Cc: kernel-team, Amir Razmjou

On 1/7/22 5:38 AM, Ignat Korchagin wrote:
> While experimenting with FOU encapsulation Amir noticed that encapsulated IPv6
> traffic fails to be delivered, if the peer IP address is configured locally.
> 
> It can be easily verified by creating a sit interface like below:
> 
> $ sudo ip link add name fou_test type sit remote 127.0.0.1 encap fou encap-sport auto encap-dport 1111
> $ sudo ip link set fou_test up
> 
> and sending some IPv4 and IPv6 traffic to it
> 
> $ ping -I fou_test -c 1 1.1.1.1
> $ ping6 -I fou_test -c 1 fe80::d0b0:dfff:fe4c:fcbc
> 
> "tcpdump -i any udp dst port 1111" will confirm that only the first IPv4 ping
> was encapsulated and attempted to be delivered.
> 
> This seems like a limitation: for example, in a cloud environment the "peer"
> service may be arbitrarily scheduled on any server within the cluster, where all
> nodes are trying to send encapsulated traffic. And the unlucky node will not be
> able to. Moreover, delivering encapsulated IPv4 traffic locally is allowed.
> 
> But I may not have all the context about this restriction and this code predates
> the observable git history.
> 
> Reported-by: Amir Razmjou <arazmjou@cloudflare.com>
> Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
> ---
>  net/ipv6/sit.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
> index 8a3618a30632..72968d4188b9 100644
> --- a/net/ipv6/sit.c
> +++ b/net/ipv6/sit.c
> @@ -956,7 +956,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
>  		dst_cache_set_ip4(&tunnel->dst_cache, &rt->dst, fl4.saddr);
>  	}
>  
> -	if (rt->rt_type != RTN_UNICAST) {
> +	if (rt->rt_type != RTN_UNICAST && rt->rt_type != RTN_LOCAL) {
>  		ip_rt_put(rt);
>  		dev->stats.tx_carrier_errors++;
>  		goto tx_error_icmp;
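
Review bot: the new condition `rt->rt_type != RTN_UNICAST && rt->rt_type != RTN_LOCAL` carries no comment, while the commit message says the reason for the original restriction is unknown. A one-line comment above the check, recording that local routes are accepted so that a peer on the same host can receive encapsulated traffic, would spare the next reader the same archaeology. A selftest built from the `ip link add ... type sit remote 127.0.0.1 encap fou` reproduction would keep the behaviour from regressing.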

Reviewed-by: David Ahern <dsahern@kernel.org>


* Re: [PATCH] sit: allow encapsulated IPv6 traffic to be delivered locally
  2022-01-12 19:59 ` David Ahern
@ 2022-01-12 23:23   ` Jakub Kicinski
  0 siblings, 0 replies; 3+ messages in thread
From: Jakub Kicinski @ 2022-01-12 23:23 UTC (permalink / raw)
  To: David Ahern, Ignat Korchagin
  Cc: netdev, David S . Miller, Hideaki YOSHIFUJI, David Ahern,
	kernel-team, Amir Razmjou

On Wed, 12 Jan 2022 12:59:37 -0700 David Ahern wrote:
> On 1/7/22 5:38 AM, Ignat Korchagin wrote:
> > While experimenting with FOU encapsulation Amir noticed that encapsulated IPv6
> > traffic fails to be delivered, if the peer IP address is configured locally.
> > 
> > It can be easily verified by creating a sit interface like below:
> > 
> > $ sudo ip link add name fou_test type sit remote 127.0.0.1 encap fou encap-sport auto encap-dport 1111
> > $ sudo ip link set fou_test up
> > 
> > and sending some IPv4 and IPv6 traffic to it
> > 
> > $ ping -I fou_test -c 1 1.1.1.1
> > $ ping6 -I fou_test -c 1 fe80::d0b0:dfff:fe4c:fcbc
> > 
> > "tcpdump -i any udp dst port 1111" will confirm that only the first IPv4 ping
> > was encapsulated and attempted to be delivered.
> > 
> > This seems like a limitation: for example, in a cloud environment the "peer"
> > service may be arbitrarily scheduled on any server within the cluster, where all
> > nodes are trying to send encapsulated traffic. And the unlucky node will not be
> > able to. Moreover, delivering encapsulated IPv4 traffic locally is allowed.
> > 
> > But I may not have all the context about this restriction and this code predates
> > the observable git history.
> > 
> > Reported-by: Amir Razmjou <arazmjou@cloudflare.com>
> > Signed-off-by: Ignat Korchagin <ignat@cloudflare.com>
> 
> Reviewed-by: David Ahern <dsahern@kernel.org>

Applied, thanks!

