* RFC: net 00/05: routing based send-to-self implementation
@ 2009-11-30 17:55 Patrick McHardy
2009-11-30 17:55 ` net 01/05: fib_rules: rearrange struct fib_rule Patrick McHardy
` (6 more replies)
0 siblings, 7 replies; 22+ messages in thread
From: Patrick McHardy @ 2009-11-30 17:55 UTC (permalink / raw)
To: netdev; +Cc: Patrick McHardy
These patches are yet another attempt at adding "send-to-self" functionality,
allowing to send packets between two local interfaces over the wire. Unlike
the approaches I've seen so far, this one is purely routing based.
Especially the oif classification should also be useful for different setups.
The patchset consists of three parts:
- the first three patches add oif classification to fib_rules. This can be
used to create special routing tables for sockets bound to an interface.
- the fourth patch changes IPv4 and IPv6 to allow to delete the local rule
with priority 0. This allows to re-create it using a lower priority and
insert new rules below it to force packets with a local destination out
on the wire.
- the fifth patch adds a devinet sysctl to accept packets with local source
addresses in fib_validate_source(). This one unfortunately seems to be
necessary, I couldn't come up with a method based purely on adding more
routes to fool fib_validate_source() into accepting those packets.
Usage example:
# move local routing rule to lower priority
ip rule add pref 1000 lookup local
ip rule del pref 0
# only reply to ARP requests for addresses configured on the device
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
# configure device and force packets of bound sockets out on eth1
ip address add dev eth1 10.0.0.1/24
echo 1 > /proc/sys/net/ipv4/conf/eth1/accept_local
ip link set eth1 up
ip rule add pref 500 oif eth1 lookup 500
ip route add default dev eth1 table 500
# configure device and force packets of bound sockets out on eth2
ip address add dev eth2 10.0.0.2/24
echo 1 > /proc/sys/net/ipv4/conf/eth2/accept_local
ip link set eth2 up
ip rule add pref 501 oif eth2 lookup 501
ip route add default dev eth2 table 501
At this point packets between sockets bound to eth1/eth2 will
go over the wire.
Comments welcome.
Documentation/networking/ip-sysctl.txt | 6 +++
include/linux/fib_rules.h | 8 +++-
include/linux/inetdevice.h | 1 +
include/linux/sysctl.h | 1 +
include/net/fib_rules.h | 9 +++-
kernel/sysctl_check.c | 1 +
net/core/fib_rules.c | 71 +++++++++++++++++++++++---------
net/ipv4/devinet.c | 1 +
net/ipv4/fib_frontend.c | 11 +++--
net/ipv4/fib_rules.c | 2 +-
net/ipv6/fib6_rules.c | 2 +-
11 files changed, 82 insertions(+), 31 deletions(-)
Patrick McHardy (5):
net: fib_rules: rearrange struct fib_rule
net: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME
net: fib_rules: add oif classification
net: fib_rules: allow to delete local rule
ipv4: add sysctl to accept packets with local source addresses
^ permalink raw reply [flat|nested] 22+ messages in thread
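The rule evaluation the setup above relies on, modelled in user space as an added example (not code from the patchset or from the kernel). The interface indexes, the 500/501 table ids and the pref values are taken from the commands in the cover letter; the stock pref-0 local and 32766 main rules are the kernel defaults. The model mirrors the order of checks in fib_rule_match() after patch 03 (iif, oif, mark, invert) and assumes every selected table holds a route for the flow, which the per-interface default routes in the example guarantee.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed interface indexes for the model; not the kernel's values. */
enum { IF_UNBOUND = 0, IF_LO = 1, IF_ETH1 = 2, IF_ETH2 = 3 };

/* RT_TABLE_MAIN and RT_TABLE_LOCAL are the kernel's ids; 500/501 come from the cover letter. */
enum { TABLE_NONE = 0, TABLE_MAIN = 254, TABLE_LOCAL = 255 };

struct flow {
    int iif;        /* receiving interface, 0 for locally generated traffic */
    int oif;        /* interface the sending socket is bound to, 0 if unbound */
    uint32_t mark;  /* netfilter mark */
};

/* The members of struct fib_rule that the match consults. */
struct rule {
    uint32_t pref;
    int iifindex;       /* 0 = any, -1 = named device currently absent */
    int oifindex;       /* same encoding, added by patch 03 */
    uint32_t mark, mark_mask;
    bool invert;        /* FIB_RULE_INVERT */
    uint32_t table;
};

/* Same order of checks as fib_rule_match() after patch 03: iif, oif, mark, then invert. */
static bool rule_matches(const struct rule *r, const struct flow *fl)
{
    bool ret = true;

    if (r->iifindex && r->iifindex != fl->iif)
        ret = false;
    else if (r->oifindex && r->oifindex != fl->oif)
        ret = false;
    else if ((r->mark ^ fl->mark) & r->mark_mask)
        ret = false;
    return ret ^ r->invert;
}

/* First matching rule in pref order decides the table. The model assumes every
 * table holds a route for the flow, so the kernel's fall-through on a table
 * without a matching route is not modelled. */
static uint32_t lookup_table(const struct rule *rules, size_t n, const struct flow *fl)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], fl))
            return rules[i].table;
    return TABLE_NONE;
}

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Stock IPv4 rules: local at pref 0, main at 32766. */
static const struct rule stock_rules[] = {
    { .pref = 0,     .table = TABLE_LOCAL },
    { .pref = 32766, .table = TABLE_MAIN },
};

/* Rules after the cover letter's commands: oif rules at 500/501, local moved to 1000. */
static const struct rule send_to_self_rules[] = {
    { .pref = 500,   .oifindex = IF_ETH1, .table = 500 },
    { .pref = 501,   .oifindex = IF_ETH2, .table = 501 },
    { .pref = 1000,  .table = TABLE_LOCAL },
    { .pref = 32766, .table = TABLE_MAIN },
};

uint32_t stock_table(int iif, int oif, uint32_t mark)
{
    struct flow fl = { .iif = iif, .oif = oif, .mark = mark };
    return lookup_table(stock_rules, ARRAY_SIZE(stock_rules), &fl);
}

uint32_t send_to_self_table(int iif, int oif, uint32_t mark)
{
    struct flow fl = { .iif = iif, .oif = oif, .mark = mark };
    return lookup_table(send_to_self_rules, ARRAY_SIZE(send_to_self_rules), &fl);
}

/* A rule whose device is detached (index -1) can never match a real flow. */
bool detached_oif_rule_matches(int oif)
{
    struct rule r = { .pref = 500, .oifindex = -1, .table = 500 };
    struct flow fl = { .oif = oif };
    return rule_matches(&r, &fl);
}

int main(void)
{
    printf("stock rules, socket bound to eth1:     table %u\n", stock_table(0, IF_ETH1, 0));
    printf("send-to-self, socket bound to eth1:    table %u\n", send_to_self_table(0, IF_ETH1, 0));
    printf("send-to-self, socket bound to eth2:    table %u\n", send_to_self_table(0, IF_ETH2, 0));
    printf("send-to-self, unbound socket:          table %u\n", send_to_self_table(0, IF_UNBOUND, 0));
    printf("send-to-self, packet received on eth2: table %u\n", send_to_self_table(IF_ETH2, 0, 0));
    return 0;
}
```

With the stock rules every locally generated flow hits the pref-0 local rule first, so a destination that is one of the host's addresses is always resolved via the local table and delivered over loopback. With the rearranged rules a socket bound to eth1 is steered into table 500 before the local rule is ever consulted, while unbound sockets and received packets still reach the local table at pref 1000.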
* net 01/05: fib_rules: rearrange struct fib_rule
From: Patrick McHardy @ 2009-11-30 17:55 UTC (permalink / raw)
To: netdev; +Cc: Patrick McHardy
commit 0d9a871c9888ef8f7a08531beaa69220edf4bea3
Author: Patrick McHardy <kaber@trash.net>
Date: Mon Nov 30 15:45:49 2009 +0100
net: fib_rules: rearrange struct fib_rule
The ifname member is only used to resolve interface names and is not needed
during rule lookups. The target and ctarget members however are used during
rule lookups and are currently located in a second cacheline.
Move ifname further to the end to make sure both target and ctarget are
located in the same cacheline as other members used during rule lookups.
The layout on 64 bit changes from:
struct fib_rule {
...
u32 table; /* 56 4 */
u8 action; /* 60 1 */
/* XXX 3 bytes hole, try to pack */
/* --- cacheline 1 boundary (64 bytes) --- */
u32 target; /* 64 4 */
/* XXX 4 bytes hole, try to pack */
struct fib_rule * ctarget; /* 72 8 */
struct rcu_head rcu; /* 80 16 */
struct net * fr_net; /* 96 8 */
};
to:
struct fib_rule {
...
u32 table; /* 40 4 */
u8 action; /* 44 1 */
/* XXX 3 bytes hole, try to pack */
u32 target; /* 48 4 */
/* XXX 4 bytes hole, try to pack */
struct fib_rule * ctarget; /* 56 8 */
/* --- cacheline 1 boundary (64 bytes) --- */
char ifname[16]; /* 64 16 */
struct rcu_head rcu; /* 80 16 */
struct net * fr_net; /* 96 8 */
};
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h
index 2cd707b..22fb323 100644
--- a/include/net/fib_rules.h
+++ b/include/net/fib_rules.h
@@ -11,7 +11,6 @@ struct fib_rule {
struct list_head list;
atomic_t refcnt;
int ifindex;
- char ifname[IFNAMSIZ];
u32 mark;
u32 mark_mask;
u32 pref;
@@ -20,6 +19,7 @@ struct fib_rule {
u8 action;
u32 target;
struct fib_rule * ctarget;
+ char ifname[IFNAMSIZ];
struct rcu_head rcu;
struct net * fr_net;
};
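Review bot: the reorder relies on an ordering invariant the header does not state. A short comment above `struct fib_rule` naming the members read in fib_rule_match()/fib_rules_lookup() that must stay in the first cacheline, with `ifname` marked as control-path only, would keep a later addition from pushing `target`/`ctarget` back across the boundary.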
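To check the cacheline claim in the commit message without pahole, here is an added example (not part of the patch) that rebuilds both layouts with stand-in types of the same size and alignment and computes the offsets with offsetof(). It assumes an LP64 target (8-byte pointers, 64-byte cachelines) and the member list of the 2.6.32-era struct, including the `u32 flags` member that sits between `pref` and `table` in the part of the struct the commit message elides.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CACHELINE_BYTES 64
#define IFNAMSIZ 16

/* Stand-ins with the size and alignment of the kernel types on LP64
 * (assumption: 8-byte pointers). */
struct list_head { void *next, *prev; };      /* 16 bytes */
typedef struct { int counter; } atomic_t;     /*  4 bytes */
struct rcu_head { void *next, *func; };       /* 16 bytes */
struct net;

/* Member order before the patch: ifname between ifindex and mark. */
struct fib_rule_before {
    struct list_head list;
    atomic_t refcnt;
    int ifindex;
    char ifname[IFNAMSIZ];
    uint32_t mark, mark_mask, pref, flags, table;
    uint8_t action;
    uint32_t target;
    struct fib_rule_before *ctarget;
    struct rcu_head rcu;
    struct net *fr_net;
};

/* Member order after the patch: ifname moved behind ctarget. */
struct fib_rule_after {
    struct list_head list;
    atomic_t refcnt;
    int ifindex;
    uint32_t mark, mark_mask, pref, flags, table;
    uint8_t action;
    uint32_t target;
    struct fib_rule_after *ctarget;
    char ifname[IFNAMSIZ];
    struct rcu_head rcu;
    struct net *fr_net;
};

/* Index of the cacheline holding the byte at a given offset. */
unsigned cacheline_of(size_t offset)
{
    return (unsigned)(offset / CACHELINE_BYTES);
}

/* 1 if the bytes [first, last] lie in one cacheline. */
int same_cacheline(size_t first, size_t last)
{
    return cacheline_of(first) == cacheline_of(last);
}

/* The commit's claim: table, target and ctarget (all read during rule
 * lookups) should share one cacheline; ctarget is the last of the three. */
int before_hot_fields_colocated(void)
{
    return same_cacheline(offsetof(struct fib_rule_before, table),
                          offsetof(struct fib_rule_before, ctarget) + sizeof(void *) - 1);
}

int after_hot_fields_colocated(void)
{
    return same_cacheline(offsetof(struct fib_rule_after, table),
                          offsetof(struct fib_rule_after, ctarget) + sizeof(void *) - 1);
}

int main(void)
{
    printf("before: table@%zu target@%zu ctarget@%zu -> colocated=%d\n",
           offsetof(struct fib_rule_before, table), offsetof(struct fib_rule_before, target),
           offsetof(struct fib_rule_before, ctarget), before_hot_fields_colocated());
    printf("after:  table@%zu target@%zu ctarget@%zu -> colocated=%d\n",
           offsetof(struct fib_rule_after, table), offsetof(struct fib_rule_after, target),
           offsetof(struct fib_rule_after, ctarget), after_hot_fields_colocated());
    return 0;
}
```

The offsets reproduce the two layouts in the commit message (table 56/target 64/ctarget 72 before, 40/48/56 after), and the same helpers can be turned into `_Static_assert`s so a future member insertion fails the build instead of silently spilling the hot fields into the second line.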
* net 02/05: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME
From: Patrick McHardy @ 2009-11-30 17:55 UTC (permalink / raw)
To: netdev; +Cc: Patrick McHardy
commit dc4427ae3647195508b4df883050a9f0ef111165
Author: Patrick McHardy <kaber@trash.net>
Date: Mon Nov 30 15:54:05 2009 +0100
net: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME
The next patch will add oif classification; rename the interface-related members
and attributes to reflect that they're used for iif classification.
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/include/linux/fib_rules.h b/include/linux/fib_rules.h
index c7e5b70..e3c91af 100644
--- a/include/linux/fib_rules.h
+++ b/include/linux/fib_rules.h
@@ -8,7 +8,8 @@
#define FIB_RULE_PERMANENT 0x00000001
#define FIB_RULE_INVERT 0x00000002
#define FIB_RULE_UNRESOLVED 0x00000004
-#define FIB_RULE_DEV_DETACHED 0x00000008
+#define FIB_RULE_IIF_DETACHED 0x00000008
+#define FIB_RULE_DEV_DETACHED FIB_RULE_DEV_DETACHED
/* try to find source address in routing lookups */
#define FIB_RULE_FIND_SADDR 0x00010000
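Review bot: the compatibility alias on the last added line expands to itself: `#define FIB_RULE_DEV_DETACHED FIB_RULE_DEV_DETACHED` leaves any user of the old name with an undeclared identifier once the preprocessor has run. It should read `#define FIB_RULE_DEV_DETACHED FIB_RULE_IIF_DETACHED`, in the same way `FRA_IFNAME` is aliased to `FRA_IIFNAME` in the next hunk.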
@@ -31,7 +32,8 @@ enum {
FRA_UNSPEC,
FRA_DST, /* destination address */
FRA_SRC, /* source address */
- FRA_IFNAME, /* interface name */
+ FRA_IIFNAME, /* interface name */
+#define FRA_IFNAME FRA_IIFNAME
FRA_GOTO, /* target to jump to (FR_ACT_GOTO) */
FRA_UNUSED2,
FRA_PRIORITY, /* priority/preference */
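Review bot: the comment on `FRA_IIFNAME` still reads `/* interface name */`; since the series goes on to add an output-interface attribute, `/* input interface name */` would tell userspace readers which one this is.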
diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h
index 22fb323..62bebcb 100644
--- a/include/net/fib_rules.h
+++ b/include/net/fib_rules.h
@@ -10,7 +10,7 @@
struct fib_rule {
struct list_head list;
atomic_t refcnt;
- int ifindex;
+ int iifindex;
u32 mark;
u32 mark_mask;
u32 pref;
@@ -19,7 +19,7 @@ struct fib_rule {
u8 action;
u32 target;
struct fib_rule * ctarget;
- char ifname[IFNAMSIZ];
+ char iifname[IFNAMSIZ];
struct rcu_head rcu;
struct net * fr_net;
};
@@ -67,7 +67,7 @@ struct fib_rules_ops {
};
#define FRA_GENERIC_POLICY \
- [FRA_IFNAME] = { .type = NLA_STRING, .len = IFNAMSIZ - 1 }, \
+ [FRA_IIFNAME] = { .type = NLA_STRING, .len = IFNAMSIZ - 1 }, \
[FRA_PRIORITY] = { .type = NLA_U32 }, \
[FRA_FWMARK] = { .type = NLA_U32 }, \
[FRA_FWMASK] = { .type = NLA_U32 }, \
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index bd30938..8e8028c 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -135,7 +135,7 @@ static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops,
{
int ret = 0;
- if (rule->ifindex && (rule->ifindex != fl->iif))
+ if (rule->iifindex && (rule->iifindex != fl->iif))
goto out;
if ((rule->mark ^ fl->mark) & rule->mark_mask)
@@ -248,14 +248,14 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
if (tb[FRA_PRIORITY])
rule->pref = nla_get_u32(tb[FRA_PRIORITY]);
- if (tb[FRA_IFNAME]) {
+ if (tb[FRA_IIFNAME]) {
struct net_device *dev;
- rule->ifindex = -1;
- nla_strlcpy(rule->ifname, tb[FRA_IFNAME], IFNAMSIZ);
- dev = __dev_get_by_name(net, rule->ifname);
+ rule->iifindex = -1;
+ nla_strlcpy(rule->iifname, tb[FRA_IIFNAME], IFNAMSIZ);
+ dev = __dev_get_by_name(net, rule->iifname);
if (dev)
- rule->ifindex = dev->ifindex;
+ rule->iifindex = dev->ifindex;
}
if (tb[FRA_FWMARK]) {
@@ -388,8 +388,8 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
(rule->pref != nla_get_u32(tb[FRA_PRIORITY])))
continue;
- if (tb[FRA_IFNAME] &&
- nla_strcmp(tb[FRA_IFNAME], rule->ifname))
+ if (tb[FRA_IIFNAME] &&
+ nla_strcmp(tb[FRA_IIFNAME], rule->iifname))
continue;
if (tb[FRA_FWMARK] &&
@@ -447,7 +447,7 @@ static inline size_t fib_rule_nlmsg_size(struct fib_rules_ops *ops,
struct fib_rule *rule)
{
size_t payload = NLMSG_ALIGN(sizeof(struct fib_rule_hdr))
- + nla_total_size(IFNAMSIZ) /* FRA_IFNAME */
+ + nla_total_size(IFNAMSIZ) /* FRA_IIFNAME */
+ nla_total_size(4) /* FRA_PRIORITY */
+ nla_total_size(4) /* FRA_TABLE */
+ nla_total_size(4) /* FRA_FWMARK */
@@ -481,11 +481,11 @@ static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule,
if (rule->action == FR_ACT_GOTO && rule->ctarget == NULL)
frh->flags |= FIB_RULE_UNRESOLVED;
- if (rule->ifname[0]) {
- NLA_PUT_STRING(skb, FRA_IFNAME, rule->ifname);
+ if (rule->iifname[0]) {
+ NLA_PUT_STRING(skb, FRA_IIFNAME, rule->iifname);
- if (rule->ifindex == -1)
- frh->flags |= FIB_RULE_DEV_DETACHED;
+ if (rule->iifindex == -1)
+ frh->flags |= FIB_RULE_IIF_DETACHED;
}
if (rule->pref)
@@ -600,9 +600,9 @@ static void attach_rules(struct list_head *rules, struct net_device *dev)
struct fib_rule *rule;
list_for_each_entry(rule, rules, list) {
- if (rule->ifindex == -1 &&
- strcmp(dev->name, rule->ifname) == 0)
- rule->ifindex = dev->ifindex;
+ if (rule->iifindex == -1 &&
+ strcmp(dev->name, rule->iifname) == 0)
+ rule->iifindex = dev->ifindex;
}
}
@@ -611,8 +611,8 @@ static void detach_rules(struct list_head *rules, struct net_device *dev)
struct fib_rule *rule;
list_for_each_entry(rule, rules, list)
- if (rule->ifindex == dev->ifindex)
- rule->ifindex = -1;
+ if (rule->iifindex == dev->ifindex)
+ rule->iifindex = -1;
}
* net 03/05: fib_rules: add oif classification
From: Patrick McHardy @ 2009-11-30 17:55 UTC (permalink / raw)
To: netdev; +Cc: Patrick McHardy
commit b3fe9e6465a572e97dc1bb6222c1ec4224285817
Author: Patrick McHardy <kaber@trash.net>
Date: Mon Nov 30 16:00:51 2009 +0100
net: fib_rules: add oif classification
Support routing table lookup based on the flow's oif. This is useful to
classify packets originating from sockets bound to interfaces differently.
The route cache already includes the oif and needs no changes.
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/include/linux/fib_rules.h b/include/linux/fib_rules.h
index e3c91af..05c9bbe 100644
--- a/include/linux/fib_rules.h
+++ b/include/linux/fib_rules.h
@@ -10,6 +10,7 @@
#define FIB_RULE_UNRESOLVED 0x00000004
#define FIB_RULE_IIF_DETACHED 0x00000008
#define FIB_RULE_DEV_DETACHED FIB_RULE_DEV_DETACHED
+#define FIB_RULE_OIF_DETACHED 0x00000010
/* try to find source address in routing lookups */
#define FIB_RULE_FIND_SADDR 0x00010000
@@ -47,6 +48,7 @@ enum {
FRA_UNUSED8,
FRA_TABLE, /* Extended table id */
FRA_FWMASK, /* mask for netfilter mark */
+ FRA_OIFNAME,
__FRA_MAX
};
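Review bot: `FRA_OIFNAME` is the only enum member without a comment; add `/* output interface name */` to match its neighbours, since this header is the userspace ABI description.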
diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h
index 62bebcb..d4e875a 100644
--- a/include/net/fib_rules.h
+++ b/include/net/fib_rules.h
@@ -11,6 +11,7 @@ struct fib_rule {
struct list_head list;
atomic_t refcnt;
int iifindex;
+ int oifindex;
u32 mark;
u32 mark_mask;
u32 pref;
@@ -20,6 +21,7 @@ struct fib_rule {
u32 target;
struct fib_rule * ctarget;
char iifname[IFNAMSIZ];
+ char oifname[IFNAMSIZ];
struct rcu_head rcu;
struct net * fr_net;
};
@@ -68,6 +70,7 @@ struct fib_rules_ops {
#define FRA_GENERIC_POLICY \
[FRA_IIFNAME] = { .type = NLA_STRING, .len = IFNAMSIZ - 1 }, \
+ [FRA_OIFNAME] = { .type = NLA_STRING, .len = IFNAMSIZ - 1 }, \
[FRA_PRIORITY] = { .type = NLA_U32 }, \
[FRA_FWMARK] = { .type = NLA_U32 }, \
[FRA_FWMASK] = { .type = NLA_U32 }, \
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index 8e8028c..d1a70ad 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -138,6 +138,9 @@ static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops,
if (rule->iifindex && (rule->iifindex != fl->iif))
goto out;
+ if (rule->oifindex && (rule->oifindex != fl->oif))
+ goto out;
+
if ((rule->mark ^ fl->mark) & rule->mark_mask)
goto out;
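Review bot: the new check only applies to lookups whose flowi carries an oif, and the commit message should say so. fib_validate_source() (05/05 shows its flowi being built with `.iif = oif`) performs no oif classification, so a rule like `oif eth1 lookup 500` steers output lookups but is never consulted during reverse-path validation; that is the gap the accept_local sysctl in 05/05 fills, and stating it here explains why a rules-only solution was not possible.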
@@ -258,6 +261,16 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
rule->iifindex = dev->ifindex;
}
+ if (tb[FRA_OIFNAME]) {
+ struct net_device *dev;
+
+ rule->oifindex = -1;
+ nla_strlcpy(rule->oifname, tb[FRA_OIFNAME], IFNAMSIZ);
+ dev = __dev_get_by_name(net, rule->oifname);
+ if (dev)
+ rule->oifindex = dev->ifindex;
+ }
+
if (tb[FRA_FWMARK]) {
rule->mark = nla_get_u32(tb[FRA_FWMARK]);
if (rule->mark)
@@ -392,6 +405,10 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
nla_strcmp(tb[FRA_IIFNAME], rule->iifname))
continue;
+ if (tb[FRA_OIFNAME] &&
+ nla_strcmp(tb[FRA_OIFNAME], rule->oifname))
+ continue;
+
if (tb[FRA_FWMARK] &&
(rule->mark != nla_get_u32(tb[FRA_FWMARK])))
continue;
@@ -448,6 +465,7 @@ static inline size_t fib_rule_nlmsg_size(struct fib_rules_ops *ops,
{
size_t payload = NLMSG_ALIGN(sizeof(struct fib_rule_hdr))
+ nla_total_size(IFNAMSIZ) /* FRA_IIFNAME */
+ + nla_total_size(IFNAMSIZ) /* FRA_OIFNAME */
+ nla_total_size(4) /* FRA_PRIORITY */
+ nla_total_size(4) /* FRA_TABLE */
+ nla_total_size(4) /* FRA_FWMARK */
@@ -488,6 +506,13 @@ static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule,
frh->flags |= FIB_RULE_IIF_DETACHED;
}
+ if (rule->oifname[0]) {
+ NLA_PUT_STRING(skb, FRA_OIFNAME, rule->oifname);
+
+ if (rule->oifindex == -1)
+ frh->flags |= FIB_RULE_OIF_DETACHED;
+ }
+
if (rule->pref)
NLA_PUT_U32(skb, FRA_PRIORITY, rule->pref);
@@ -603,6 +628,9 @@ static void attach_rules(struct list_head *rules, struct net_device *dev)
if (rule->iifindex == -1 &&
strcmp(dev->name, rule->iifname) == 0)
rule->iifindex = dev->ifindex;
+ if (rule->oifindex == -1 &&
+ strcmp(dev->name, rule->oifname) == 0)
+ rule->oifindex = dev->ifindex;
}
}
@@ -610,9 +638,12 @@ static void detach_rules(struct list_head *rules, struct net_device *dev)
{
struct fib_rule *rule;
- list_for_each_entry(rule, rules, list)
+ list_for_each_entry(rule, rules, list) {
if (rule->iifindex == dev->ifindex)
rule->iifindex = -1;
+ if (rule->oifindex == dev->ifindex)
+ rule->oifindex = -1;
+ }
}
* net 04/05: fib_rules: allow to delete local rule
From: Patrick McHardy @ 2009-11-30 17:55 UTC (permalink / raw)
To: netdev; +Cc: Patrick McHardy
commit ca1ba96aaa05cc0a2a7f172990e7787354c8b7b9
Author: Patrick McHardy <kaber@trash.net>
Date: Mon Nov 30 16:05:51 2009 +0100
net: fib_rules: allow to delete local rule
Allow to delete the local rule and recreate it with a lower priority. This
can be used to force packets with a local destination out on the wire instead
of routing them to loopback. Additionally this patch allows to recreate rules
with a priority of 0.
Combined with the previous patch to allow oif classification, a socket can
be bound to the desired interface and packets routed to the wire like this:
# move local rule to lower priority
ip rule add pref 1000 lookup local
ip rule del pref 0
# route packets of sockets bound to eth0 to the wire independent
# of the destination address
ip rule add pref 100 oif eth0 lookup 100
ip route add default dev eth0 lookup 100
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index d1a70ad..ef0e7d9 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -287,7 +287,7 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
rule->flags = frh->flags;
rule->table = frh_get_table(frh, tb);
- if (!rule->pref && ops->default_pref)
+ if (!tb[FRA_PRIORITY] && ops->default_pref)
rule->pref = ops->default_pref(ops);
err = -EINVAL;
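Review bot: switching the test from `!rule->pref` to `!tb[FRA_PRIORITY]` is what lets userspace create a rule at priority 0, so it deserves its own sentence in the commit message rather than the passing mention at the end. Separately, the example in the commit message uses `ip route add default dev eth0 lookup 100`; the route command takes `table 100`, as the cover letter's version of the same example does.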
diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
index 835262c..1239ed2 100644
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -284,7 +284,7 @@ static int fib_default_rules_init(struct fib_rules_ops *ops)
{
int err;
- err = fib_default_rule_add(ops, 0, RT_TABLE_LOCAL, FIB_RULE_PERMANENT);
+ err = fib_default_rule_add(ops, 0, RT_TABLE_LOCAL, 0);
if (err < 0)
return err;
err = fib_default_rule_add(ops, 0x7FFE, RT_TABLE_MAIN, 0);
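Review bot: dropping FIB_RULE_PERMANENT makes the IPv4 local rule deletable by anything holding CAP_NET_ADMIN, and a delete without a replacement leaves lookups for the host's own addresses falling through to the main table. The ordering in the commit message (add the pref-1000 copy first, then delete pref 0) is therefore load-bearing and should be stated as a requirement in the commit message or the documentation, not only implied by the example.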
diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c
index 00a7a5e..3b38f49 100644
--- a/net/ipv6/fib6_rules.c
+++ b/net/ipv6/fib6_rules.c
@@ -276,7 +276,7 @@ static int fib6_rules_net_init(struct net *net)
INIT_LIST_HEAD(&net->ipv6.fib6_rules_ops->rules_list);
err = fib_default_rule_add(net->ipv6.fib6_rules_ops, 0,
- RT6_TABLE_LOCAL, FIB_RULE_PERMANENT);
+ RT6_TABLE_LOCAL, 0);
if (err)
goto out_fib6_rules_ops;
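Review bot: the IPv6 local rule becomes deletable here, but 05/05 adds `accept_local` only to the IPv4 devinet sysctls and fib_validate_source(), so the send-to-self setup from the cover letter is IPv4-only; either note that limitation in the commit message or hold the IPv6 half until a matching source check exists.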
* ipv4 05/05: add sysctl to accept packets with local source addresses
From: Patrick McHardy @ 2009-11-30 17:55 UTC (permalink / raw)
To: netdev; +Cc: Patrick McHardy
commit 35924708110a98ac8407deaef95194ff9d0375d2
Author: Patrick McHardy <kaber@trash.net>
Date: Mon Nov 30 17:48:03 2009 +0100
ipv4: add sysctl to accept packets with local source addresses
Change fib_validate_source() to accept packets with a local source address when
the "accept_local" sysctl is set for the incoming inet device. Combined with the
previous patches, this allows to communicate between multiple local interfaces
over the wire.
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index a0e134d..b319d4f 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -723,6 +723,12 @@ accept_source_route - BOOLEAN
default TRUE (router)
FALSE (host)
+accept_local - BOOLEAN
+ Accept packets with local source addresses. In combination with
+ suitable routing, this can be used to direct packets between two
+ local interfaces over the wire and have them accepted properly.
+ default FALSE
+
rp_filter - INTEGER
0 - No source validation.
1 - Strict mode as defined in RFC3704 Strict Reverse Path
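Review bot: the new paragraph describes the intended use but not the cost. With `accept_local` set, a packet arriving on that interface whose source is one of the host's own addresses is no longer rejected by fib_validate_source(), so the text should state that the option weakens source-address validation on that interface. It should also mention that the setting is OR-ed with conf/all (`IN_DEV_ORCONF` in the inetdevice.h hunk), so enabling it under `all` turns it on for every interface, unlike the per-device use shown in the cover letter.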
diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
index eecfa55..699e85c 100644
--- a/include/linux/inetdevice.h
+++ b/include/linux/inetdevice.h
@@ -83,6 +83,7 @@ static inline void ipv4_devconf_setall(struct in_device *in_dev)
#define IN_DEV_RPFILTER(in_dev) IN_DEV_MAXCONF((in_dev), RP_FILTER)
#define IN_DEV_SOURCE_ROUTE(in_dev) IN_DEV_ANDCONF((in_dev), \
ACCEPT_SOURCE_ROUTE)
+#define IN_DEV_ACCEPT_LOCAL(in_dev) IN_DEV_ORCONF((in_dev), ACCEPT_LOCAL)
#define IN_DEV_BOOTP_RELAY(in_dev) IN_DEV_ANDCONF((in_dev), BOOTP_RELAY)
#define IN_DEV_LOG_MARTIANS(in_dev) IN_DEV_ORCONF((in_dev), LOG_MARTIANS)
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index 1e4743e..9f047d7 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -490,6 +490,7 @@ enum
NET_IPV4_CONF_PROMOTE_SECONDARIES=20,
NET_IPV4_CONF_ARP_ACCEPT=21,
NET_IPV4_CONF_ARP_NOTIFY=22,
+ NET_IPV4_CONF_ACCEPT_LOCAL=23,
__NET_IPV4_CONF_MAX
};
diff --git a/kernel/sysctl_check.c b/kernel/sysctl_check.c
index b6e7aae..f1d676e 100644
--- a/kernel/sysctl_check.c
+++ b/kernel/sysctl_check.c
@@ -220,6 +220,7 @@ static const struct trans_ctl_table trans_net_ipv4_conf_vars_table[] = {
{ NET_IPV4_CONF_PROMOTE_SECONDARIES, "promote_secondaries" },
{ NET_IPV4_CONF_ARP_ACCEPT, "arp_accept" },
{ NET_IPV4_CONF_ARP_NOTIFY, "arp_notify" },
+ { NET_IPV4_CONF_ACCEPT_LOCAL, "accept_local" },
{}
};
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index c100709..e312661 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -1468,6 +1468,7 @@ static struct devinet_sysctl_table {
DEVINET_SYSCTL_RW_ENTRY(SEND_REDIRECTS, "send_redirects"),
DEVINET_SYSCTL_RW_ENTRY(ACCEPT_SOURCE_ROUTE,
"accept_source_route"),
+ DEVINET_SYSCTL_RW_ENTRY(ACCEPT_LOCAL, "accept_local"),
DEVINET_SYSCTL_RW_ENTRY(PROXY_ARP, "proxy_arp"),
DEVINET_SYSCTL_RW_ENTRY(MEDIUM_ID, "medium_id"),
DEVINET_SYSCTL_RW_ENTRY(BOOTP_RELAY, "bootp_relay"),
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 6c1e56a..32ea949 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -241,16 +241,17 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
.iif = oif };
struct fib_result res;
- int no_addr, rpf;
+ int no_addr, rpf, accept_local;
int ret;
struct net *net;
- no_addr = rpf = 0;
+ no_addr = rpf = accept_local = 0;
rcu_read_lock();
in_dev = __in_dev_get_rcu(dev);
if (in_dev) {
no_addr = in_dev->ifa_list == NULL;
rpf = IN_DEV_RPFILTER(in_dev);
+ accept_local = IN_DEV_ACCEPT_LOCAL(in_dev);
}
rcu_read_unlock();
@@ -260,8 +261,10 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
net = dev_net(dev);
if (fib_lookup(net, &fl, &res))
goto last_resort;
- if (res.type != RTN_UNICAST)
- goto e_inval_res;
+ if (res.type != RTN_UNICAST) {
+ if (res.type != RTN_LOCAL || !accept_local)
+ goto e_inval_res;
+ }
*spec_dst = FIB_RES_PREFSRC(res);
fib_combine_itag(itag, &res);
#ifdef CONFIG_IP_ROUTE_MULTIPATH
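Review bot: the nested test can be a single condition: `if (res.type != RTN_UNICAST && (res.type != RTN_LOCAL || !accept_local)) goto e_inval_res;`. More importantly, once a RTN_LOCAL source is admitted the following lines derive `*spec_dst` and the itag from the local route's result, so a comment here saying that `accept_local` deliberately accepts frames carrying one of the host's own source addresses from this device, and that the rest of the function then proceeds on a local route, would help the next reader see why the check is gated per interface.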
* Re: RFC: net 00/05: routing based send-to-self implementation
From: Eric W. Biederman @ 2009-11-30 19:32 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netdev
Patrick McHardy <kaber@trash.net> writes:
> These patches are yet another attempt at adding "send-to-self" functionality,
> allowing to send packets between two local interfaces over the wire. Unlike
> the approaches I've seen so far, this one is purely routing based.
> Especially the oif classification should also be useful for different setups.
Why not put each physical interface in a different network namespace?
That should work with no changes today.
Eric
* Re: RFC: net 00/05: routing based send-to-self implementation
From: Ben Greear @ 2009-11-30 19:37 UTC (permalink / raw)
To: Eric W. Biederman; +Cc: Patrick McHardy, netdev
On 11/30/2009 11:32 AM, Eric W. Biederman wrote:
> Patrick McHardy<kaber@trash.net> writes:
>
>> These patches are yet another attempt at adding "send-to-self" functionality,
>> allowing to send packets between two local interfaces over the wire. Unlike
>> the approaches I've seen so far, this one is purely routing based.
>> Especially the oif classification should also be useful for different setups.
>
> Why not put each physical interface in a different network namespace?
> That should work with no changes today.
This doesn't work if you want to have one application manage lots of interfaces
and send traffic between these interfaces. Certainly there are use-cases that
can use multiple name-spaces, but it's nice to have the option not to use them
as well.
Thanks,
Ben
--
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc http://www.candelatech.com
* Re: RFC: net 00/05: routing based send-to-self implementation
From: Benjamin LaHaise @ 2009-11-30 20:04 UTC (permalink / raw)
To: Ben Greear; +Cc: Eric W. Biederman, Patrick McHardy, netdev
On Mon, Nov 30, 2009 at 11:37:31AM -0800, Ben Greear wrote:
> This doesn't work if you want to have one application manage lots of
> interfaces and send traffic between these interfaces. Certainly there are
> use-cases that can use multiple name-spaces, but it's nice to have the
> option not to use them as well.
Actually, it's quite doable from within one application. An application
I recently adapted to make use of multiple network namespaces within a single
process by way of pthreads and unshare(CLONE_NEWNET). The scheme I used
is to just open the socket in a new namespace in a thread. Since the
file descriptor table is still shared, it's easy to send/receive data from
any other thread, regardless of which virtual network namespace it's in.
All told, setting up virtual routers with namespaces is pretty easy.
-ben
* Re: RFC: net 00/05: routing based send-to-self implementation
From: Patrick McHardy @ 2009-11-30 20:15 UTC (permalink / raw)
To: Benjamin LaHaise; +Cc: Ben Greear, Eric W. Biederman, netdev
Benjamin LaHaise wrote:
> On Mon, Nov 30, 2009 at 11:37:31AM -0800, Ben Greear wrote:
>> This doesn't work if you want to have one application manage lots of
>> interfaces and send traffic between these interfaces. Certainly there are
>> use-cases that can use multiple name-spaces, but it's nice to have the
>> option not to use them as well.
>
> Actually, it's quite doable from within one application. An application
> I recently adapted to make use of multiple network namespaces within a single
> process by way of pthreads and unshare(CLONE_NEWNET). The scheme I used
> is to just open the socket in a new namespace in a thread. Since the
> file descriptor table is still shared, it's easy to send/receive data from
> any other thread, regardless of which virtual network namespace it's in.
> All told, setting up virtual routers with namespaces is pretty easy.
Yes, that works for creating sockets. It gets more complicated
though if you want to change network configuration of those devices
once created and moved to a different namespace. Besides that you
might have to replicate your other configuration, like iptables rules,
routing rules and routes, xfrm policies etc.
* Re: RFC: net 00/05: routing based send-to-self implementation
From: Ben Greear @ 2009-11-30 20:15 UTC (permalink / raw)
To: Benjamin LaHaise; +Cc: Eric W. Biederman, Patrick McHardy, netdev
On 11/30/2009 12:04 PM, Benjamin LaHaise wrote:
> On Mon, Nov 30, 2009 at 11:37:31AM -0800, Ben Greear wrote:
>> This doesn't work if you want to have one application manage lots of
>> interfaces and send traffic between these interfaces. Certainly there are
>> use-cases that can use multiple name-spaces, but it's nice to have the
>> option not to use them as well.
>
> Actually, it's quite doable from within one application. An application
> I recently adapted to make use of multiple network namespaces within a single
> process by way of pthreads and unshare(CLONE_NEWNET). The scheme I used
> is to just open the socket in a new namespace in a thread. Since the
> file descriptor table is still shared, it's easy to send/receive data from
> any other thread, regardless of which virtual network namespace it's in.
> All told, setting up virtual routers with namespaces is pretty easy.
That still sounds more complicated than the proposed routing table changes,
at least for my application. Since I also want to gather stats, set/watch routes,
etc, on each network device, would I have to keep a thread and netlink socket
running in each name-space in order to see the various devices?
Thanks,
Ben
--
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc http://www.candelatech.com
* Re: net 02/05: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME
From: Jarek Poplawski @ 2009-11-30 20:21 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netdev
Patrick McHardy wrote, On 11/30/2009 06:55 PM:
> commit dc4427ae3647195508b4df883050a9f0ef111165
> Author: Patrick McHardy <kaber@trash.net>
> Date: Mon Nov 30 15:54:05 2009 +0100
>
> net: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME
>
> The next patch will add oif classification, rename interface related members
> and attributes to reflect that they're used for iif classification.
>
> Signed-off-by: Patrick McHardy <kaber@trash.net>
>
> diff --git a/include/linux/fib_rules.h b/include/linux/fib_rules.h
> index c7e5b70..e3c91af 100644
> --- a/include/linux/fib_rules.h
> +++ b/include/linux/fib_rules.h
> @@ -8,7 +8,8 @@
> #define FIB_RULE_PERMANENT 0x00000001
> #define FIB_RULE_INVERT 0x00000002
> #define FIB_RULE_UNRESOLVED 0x00000004
> -#define FIB_RULE_DEV_DETACHED 0x00000008
> +#define FIB_RULE_IIF_DETACHED 0x00000008
> +#define FIB_RULE_DEV_DETACHED FIB_RULE_DEV_DETACHED
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Is it some trick?
Jarek P.
* Re: net 02/05: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME
From: Patrick McHardy @ 2009-11-30 20:23 UTC (permalink / raw)
To: Jarek Poplawski; +Cc: netdev
Jarek Poplawski wrote:
> Patrick McHardy wrote, On 11/30/2009 06:55 PM:
>
>> commit dc4427ae3647195508b4df883050a9f0ef111165
>> Author: Patrick McHardy <kaber@trash.net>
>> Date: Mon Nov 30 15:54:05 2009 +0100
>>
>> net: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME
>>
>> The next patch will add oif classification, rename interface related members
>> and attributes to reflect that they're used for iif classification.
>>
>> Signed-off-by: Patrick McHardy <kaber@trash.net>
>>
>> diff --git a/include/linux/fib_rules.h b/include/linux/fib_rules.h
>> index c7e5b70..e3c91af 100644
>> --- a/include/linux/fib_rules.h
>> +++ b/include/linux/fib_rules.h
>> @@ -8,7 +8,8 @@
>> #define FIB_RULE_PERMANENT 0x00000001
>> #define FIB_RULE_INVERT 0x00000002
>> #define FIB_RULE_UNRESOLVED 0x00000004
>> -#define FIB_RULE_DEV_DETACHED 0x00000008
>> +#define FIB_RULE_IIF_DETACHED 0x00000008
>> +#define FIB_RULE_DEV_DETACHED FIB_RULE_DEV_DETACHED
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Is it some trick?
D'oh, thanks for catching this :) I'll fix that up for the next
submission.
* Re: RFC: net 00/05: routing based send-to-self implementation
2009-11-30 20:15 ` Ben Greear
@ 2009-11-30 20:23 ` Benjamin LaHaise
0 siblings, 0 replies; 22+ messages in thread
From: Benjamin LaHaise @ 2009-11-30 20:23 UTC (permalink / raw)
To: Ben Greear; +Cc: Eric W. Biederman, Patrick McHardy, netdev
On Mon, Nov 30, 2009 at 12:15:41PM -0800, Ben Greear wrote:
> That still sounds more complicated than the proposed routing table changes,
True. I agree that being able to accept self-addressed packets via a
sysctl can be useful.
> at least for my application. Since I also want to gather stats, set/watch
> routes,
> etc, on each network device, would I have to keep a thread and netlink
> socket
> running in each name-space in order to see the various devices?
Yes. My l2tp daemon is still single threaded internally, so it uses an
rpc through the threads to open UDP, netlink and L2TP sockets, then manages
everything from the main event loop. The thread has to be kept around to
keep the namespace's task id alive in case one wants to move anything in/out
of the namespace.
-ben
* Re: net 03/05: fib_rules: add oif classification
2009-11-30 17:55 ` net 03/05: fib_rules: add oif classification Patrick McHardy
@ 2009-11-30 22:31 ` Jarek Poplawski
2009-12-01 9:32 ` Patrick McHardy
0 siblings, 1 reply; 22+ messages in thread
From: Jarek Poplawski @ 2009-11-30 22:31 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netdev
Patrick McHardy wrote, On 11/30/2009 06:55 PM:
> commit b3fe9e6465a572e97dc1bb6222c1ec4224285817
> Author: Patrick McHardy <kaber@trash.net>
> Date: Mon Nov 30 16:00:51 2009 +0100
>
> net: fib_rules: add oif classification
...
> diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h
> index 62bebcb..d4e875a 100644
> --- a/include/net/fib_rules.h
> +++ b/include/net/fib_rules.h
> @@ -11,6 +11,7 @@ struct fib_rule {
> struct list_head list;
> atomic_t refcnt;
> int iifindex;
> + int oifindex;
Doesn't it "break" the cacheline fix from 01/05?
Jarek P.
> u32 mark;
> u32 mark_mask;
> u32 pref;
> @@ -20,6 +21,7 @@ struct fib_rule {
> u32 target;
> struct fib_rule * ctarget;
> char iifname[IFNAMSIZ];
> + char oifname[IFNAMSIZ];
> struct rcu_head rcu;
> struct net * fr_net;
> };
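Review bot: the new oifindex and oifname[IFNAMSIZ] members have no counterpart in this hunk to the detached handling that exists for the input side (patch 02/05 renames FIB_RULE_DEV_DETACHED to FIB_RULE_IIF_DETACHED); confirm that the netdevice register/unregister/rename path resolves and clears oifindex exactly as it does iifindex, with a corresponding flag, otherwise a rule that names a device which is later removed or renamed keeps matching a stale index or silently stops matching. A one-line note in the commit message on how oif rules behave while the device is absent would also help users of the send-to-self setup.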
* Re: net 03/05: fib_rules: add oif classification
2009-11-30 22:31 ` Jarek Poplawski
@ 2009-12-01 9:32 ` Patrick McHardy
2009-12-01 9:48 ` Jarek Poplawski
0 siblings, 1 reply; 22+ messages in thread
From: Patrick McHardy @ 2009-12-01 9:32 UTC (permalink / raw)
To: Jarek Poplawski; +Cc: netdev
Jarek Poplawski wrote:
> Patrick McHardy wrote, On 11/30/2009 06:55 PM:
>
>> diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h
>> index 62bebcb..d4e875a 100644
>> --- a/include/net/fib_rules.h
>> +++ b/include/net/fib_rules.h
>> @@ -11,6 +11,7 @@ struct fib_rule {
>> struct list_head list;
>> atomic_t refcnt;
>> int iifindex;
>> + int oifindex;
>>
>
> Doesn't it "break" the cacheline fix from 01/05?
No, there's a 4 byte hole which is plugged by this:
struct fib_rule {
struct list_head list; /* 0 16 */
atomic_t refcnt; /* 16 4 */
int iifindex; /* 20 4 */
int oifindex; /* 24 4 */
u32 mark; /* 28 4 */
u32 mark_mask; /* 32 4 */
u32 pref; /* 36 4 */
u32 flags; /* 40 4 */
u32 table; /* 44 4 */
u8 action; /* 48 1 */
/* XXX 3 bytes hole, try to pack */
u32 target; /* 52 4 */
struct fib_rule * ctarget; /* 56 8 */
/* --- cacheline 1 boundary (64 bytes) --- */
char iifname[16]; /* 64 16 */
char oifname[16]; /* 80 16 */
struct rcu_head rcu; /* 96 16 */
struct net * fr_net; /* 112 8 */
/* size: 120, cachelines: 2 */
/* sum members: 117, holes: 1, sum holes: 3 */
/* last cacheline: 56 bytes */
}; /* definitions: 1 */
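The layout argument above can be checked without pahole. The following is an added example, not kernel code: it declares two stand-in structs with the same member order as struct fib_rule before and after patch 03/05, using constructed stand-ins for list_head, rcu_head, atomic_t and struct net that have the kernel's size and alignment on an LP64 build, and computes the padding the compiler inserts. On LP64 it reproduces the numbers in the pahole dump (120 bytes, 117 bytes of members, one 3-byte hole) and shows that oifindex itself costs nothing because it fills the 4-byte hole that previously sat in front of the 8-byte-aligned ctarget pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins with the kernel types' size and alignment on LP64:
 * list_head and rcu_head are two pointers, atomic_t wraps an int, and
 * struct net is only ever referenced through a pointer here. */
struct list_head { struct list_head *next, *prev; };
struct rcu_head  { struct rcu_head *next; void (*func)(struct rcu_head *); };
typedef struct { int counter; } atomic_t;
struct net;
typedef uint32_t u32;
typedef uint8_t  u8;
#define IFNAMSIZ 16

/* Member order after patch 01/05 rearranged the struct, before 03/05. */
struct fib_rule_before {
	struct list_head list;
	atomic_t refcnt;
	int iifindex;
	u32 mark;
	u32 mark_mask;
	u32 pref;
	u32 flags;
	u32 table;
	u8 action;
	u32 target;
	struct fib_rule_before *ctarget;
	char iifname[IFNAMSIZ];
	struct rcu_head rcu;
	struct net *fr_net;
};

/* Same struct with oifindex and oifname where patch 03/05 inserts them. */
struct fib_rule_after {
	struct list_head list;
	atomic_t refcnt;
	int iifindex;
	int oifindex;
	u32 mark;
	u32 mark_mask;
	u32 pref;
	u32 flags;
	u32 table;
	u8 action;
	u32 target;
	struct fib_rule_after *ctarget;
	char iifname[IFNAMSIZ];
	char oifname[IFNAMSIZ];
	struct rcu_head rcu;
	struct net *fr_net;
};

/* Bytes actually occupied by members (pahole's "sum members"); sizeof on a
 * null pointer's members is not evaluated, so this is plain C. */
size_t members_before(void)
{
	const struct fib_rule_before *r = 0;
	return sizeof r->list + sizeof r->refcnt + sizeof r->iifindex +
	       sizeof r->mark + sizeof r->mark_mask + sizeof r->pref +
	       sizeof r->flags + sizeof r->table + sizeof r->action +
	       sizeof r->target + sizeof r->ctarget + sizeof r->iifname +
	       sizeof r->rcu + sizeof r->fr_net;
}

size_t members_after(void)
{
	const struct fib_rule_after *r = 0;
	return members_before() + sizeof r->oifindex + sizeof r->oifname;
}

/* Padding inserted by the compiler = sizeof - occupied bytes. */
size_t holes_before(void) { return sizeof(struct fib_rule_before) - members_before(); }
size_t holes_after(void)  { return sizeof(struct fib_rule_after) - members_after(); }

/* How much the struct grew, and how much of that is due to oifindex alone. */
size_t growth(void) { return sizeof(struct fib_rule_after) - sizeof(struct fib_rule_before); }
size_t oifindex_cost(void) { return growth() - sizeof(((struct fib_rule_after *)0)->oifname); }

/* The numbers in the dump assume 8-byte pointers; report that assumption. */
int lp64(void) { return sizeof(void *) == 8; }

int main(void)
{
	printf("before: size %zu, members %zu, holes %zu\n",
	       sizeof(struct fib_rule_before), members_before(), holes_before());
	printf("after:  size %zu, members %zu, holes %zu, ctarget at %zu\n",
	       sizeof(struct fib_rule_after), members_after(), holes_after(),
	       offsetof(struct fib_rule_after, ctarget));
	printf("growth %zu bytes, of which oifindex accounts for %zu\n",
	       growth(), oifindex_cost());
	return 0;
}
```

On a 32-bit build the pointers shrink, the hole in front of ctarget disappears, and oifindex does cost 4 bytes; the LP64 figures are the ones the pahole dump shows.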
* Re: net 03/05: fib_rules: add oif classification
2009-12-01 9:32 ` Patrick McHardy
@ 2009-12-01 9:48 ` Jarek Poplawski
0 siblings, 0 replies; 22+ messages in thread
From: Jarek Poplawski @ 2009-12-01 9:48 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netdev
On Tue, Dec 01, 2009 at 10:32:40AM +0100, Patrick McHardy wrote:
> Jarek Poplawski wrote:
> > Patrick McHardy wrote, On 11/30/2009 06:55 PM:
> >
> >> diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h
> >> index 62bebcb..d4e875a 100644
> >> --- a/include/net/fib_rules.h
> >> +++ b/include/net/fib_rules.h
> >> @@ -11,6 +11,7 @@ struct fib_rule {
> >> struct list_head list;
> >> atomic_t refcnt;
> >> int iifindex;
> >> + int oifindex;
> >>
> >
> > Doesn't it "break" the cacheline fix from 01/05?
>
> No, there's a 4 byte hole which is plugged by this:
>
Right, I missed it, sorry.
Jarek P.
* Re: net 04/05: fib_rules: allow to delete local rule
2009-11-30 17:55 ` net 04/05: fib_rules: allow to delete local rule Patrick McHardy
@ 2009-12-01 13:23 ` jamal
2009-12-01 17:12 ` Alexey Kuznetsov
0 siblings, 1 reply; 22+ messages in thread
From: jamal @ 2009-12-01 13:23 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netdev, kuznet, robert
Nice. I recall there was a lot of sentiment against this back
when - in particular from Alexey. I can't remember the details,
nor can I think off the top of my head why this would be bad
other than allowing people to shoot their big toe without
knowing it.
CCing Robert and Alexey. Mass quoting to provide context for
both Alexey and Robert.
cheers,
jamal
On Mon, 2009-11-30 at 18:55 +0100, Patrick McHardy wrote:
> commit ca1ba96aaa05cc0a2a7f172990e7787354c8b7b9
> Author: Patrick McHardy <kaber@trash.net>
> Date: Mon Nov 30 16:05:51 2009 +0100
>
> net: fib_rules: allow to delete local rule
>
> Allow to delete the local rule and recreate it with a lower priority. This
> can be used to force packets with a local destination out on the wire instead
> of routing them to loopback. Additionally this patch allows to recreate rules
> with a priority of 0.
>
> Combined with the previous patch to allow oif classification, a socket can
> be bound to the desired interface and packets routed to the wire like this:
>
> # move local rule to lower priority
> ip rule add pref 1000 lookup local
> ip rule del pref 0
>
> # route packets of sockets bound to eth0 to the wire independent
> # of the destination address
> ip rule add pref 100 oif eth0 lookup 100
> ip route add default dev eth0 table 100
>
> Signed-off-by: Patrick McHardy <kaber@trash.net>
>
> diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
> index d1a70ad..ef0e7d9 100644
> --- a/net/core/fib_rules.c
> +++ b/net/core/fib_rules.c
> @@ -287,7 +287,7 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
> rule->flags = frh->flags;
> rule->table = frh_get_table(frh, tb);
>
> - if (!rule->pref && ops->default_pref)
> + if (!tb[FRA_PRIORITY] && ops->default_pref)
> rule->pref = ops->default_pref(ops);
>
> err = -EINVAL;
> diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
> index 835262c..1239ed2 100644
> --- a/net/ipv4/fib_rules.c
> +++ b/net/ipv4/fib_rules.c
> @@ -284,7 +284,7 @@ static int fib_default_rules_init(struct fib_rules_ops *ops)
> {
> int err;
>
> - err = fib_default_rule_add(ops, 0, RT_TABLE_LOCAL, FIB_RULE_PERMANENT);
> + err = fib_default_rule_add(ops, 0, RT_TABLE_LOCAL, 0);
> if (err < 0)
> return err;
> err = fib_default_rule_add(ops, 0x7FFE, RT_TABLE_MAIN, 0);
> diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c
> index 00a7a5e..3b38f49 100644
> --- a/net/ipv6/fib6_rules.c
> +++ b/net/ipv6/fib6_rules.c
> @@ -276,7 +276,7 @@ static int fib6_rules_net_init(struct net *net)
> INIT_LIST_HEAD(&net->ipv6.fib6_rules_ops->rules_list);
>
> err = fib_default_rule_add(net->ipv6.fib6_rules_ops, 0,
> - RT6_TABLE_LOCAL, FIB_RULE_PERMANENT);
> + RT6_TABLE_LOCAL, 0);
> if (err)
> goto out_fib6_rules_ops;
>
* Re: net 04/05: fib_rules: allow to delete local rule
2009-12-01 13:23 ` jamal
@ 2009-12-01 17:12 ` Alexey Kuznetsov
2009-12-01 17:38 ` Patrick McHardy
0 siblings, 1 reply; 22+ messages in thread
From: Alexey Kuznetsov @ 2009-12-01 17:12 UTC (permalink / raw)
To: jamal; +Cc: Patrick McHardy, netdev, robert
Hello!
> Nice. I recall there was a lot of sentiment against this back
> when - in particular from Alexey. I can't remember the details
Indeed, I refused to do this.
Sometimes, we have to determine that an address is local in a context
where we do not have the information to form a proper request to the rule database.
In this case we do a direct lookup in a fixed table, which is designated
to contain local routes. So rule 0 was hardwired to look up in the
same table.
Frankly, it will work provided we do not require too much self-consistency.
Those days I could not stand this, but it is not illegal.
Alexey
* Re: net 04/05: fib_rules: allow to delete local rule
2009-12-01 17:12 ` Alexey Kuznetsov
@ 2009-12-01 17:38 ` Patrick McHardy
0 siblings, 0 replies; 22+ messages in thread
From: Patrick McHardy @ 2009-12-01 17:38 UTC (permalink / raw)
To: Alexey Kuznetsov; +Cc: jamal, netdev, robert
Alexey Kuznetsov wrote:
> Hello!
>
>> Nice. I recall there was a lot of sentiment against this back
>> when - in particular from Alexey. I can't remember the details
>
> Indeed, I refused to do this.
>
> Sometimes, we have to determine that an address is local in a context
> where we do not have the information to form a proper request to the rule database.
> In this case we do a direct lookup in a fixed table, which is designated
> to contain local routes. So rule 0 was hardwired to look up in the
> same table.
Yes, you have to carefully set up your rules preceding the local
rule when using this. Using marks or oif should work fine without
affecting the cases where we just need some information like the
device or addresses.
> Frankly, it will work provided we do not require too much self-consistency.
> Those days I could not stand this, but it is not illegal.
In fact, you should already be able to do this by moving the
contents of the local table to a different one :)
* Re: RFC: net 00/05: routing based send-to-self implementation
2009-11-30 17:55 RFC: net 00/05: routing based send-to-self implementation Patrick McHardy
` (5 preceding siblings ...)
2009-11-30 19:32 ` RFC: net 00/05: routing based send-to-self implementation Eric W. Biederman
@ 2009-12-03 6:32 ` David Miller
6 siblings, 0 replies; 22+ messages in thread
From: David Miller @ 2009-12-03 6:32 UTC (permalink / raw)
To: kaber; +Cc: netdev
I'm fine with these changes. Feel free to formally send a refreshed
set with the macro problems in patch #2 fixed etc.
Thanks.
* net 04/05: fib_rules: allow to delete local rule
2009-12-03 11:25 Patrick McHardy
@ 2009-12-03 11:25 ` Patrick McHardy
0 siblings, 0 replies; 22+ messages in thread
From: Patrick McHardy @ 2009-12-03 11:25 UTC (permalink / raw)
To: davem; +Cc: netdev, Patrick McHardy
commit d124356ce314fff22a047ea334379d5105b2d834
Author: Patrick McHardy <kaber@trash.net>
Date: Thu Dec 3 12:16:35 2009 +0100
net: fib_rules: allow to delete local rule
Allow to delete the local rule and recreate it with a higher priority. This
can be used to force packets with a local destination out on the wire instead
of routing them to loopback. Additionally this patch allows to recreate rules
with a priority of 0.
Combined with the previous patch to allow oif classification, a socket can
be bound to the desired interface and packets routed to the wire like this:
# move local rule to lower priority
ip rule add pref 1000 lookup local
ip rule del pref 0
# route packets of sockets bound to eth0 to the wire independent
# of the destination address
ip rule add pref 100 oif eth0 lookup 100
ip route add default dev eth0 table 100
Signed-off-by: Patrick McHardy <kaber@trash.net>
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index d1a70ad..ef0e7d9 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -287,7 +287,7 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
rule->flags = frh->flags;
rule->table = frh_get_table(frh, tb);
- if (!rule->pref && ops->default_pref)
+ if (!tb[FRA_PRIORITY] && ops->default_pref)
rule->pref = ops->default_pref(ops);
err = -EINVAL;
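Review bot: switching the test in fib_nl_newrule() from `!rule->pref` to `!tb[FRA_PRIORITY]` is a user-visible change to the netlink interface, not only an enabler for re-adding the local rule: a request that carries FRA_PRIORITY with an explicit value of 0 used to be assigned ops->default_pref() and now keeps priority 0. That is what "recreate rules with a priority of 0" in the commit message requires, but it should be spelled out there, and the delete path should be checked to match on the same attribute so that `ip rule del pref 0` removes exactly the rule created this way and nothing else.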
diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
index 835262c..1239ed2 100644
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -284,7 +284,7 @@ static int fib_default_rules_init(struct fib_rules_ops *ops)
{
int err;
- err = fib_default_rule_add(ops, 0, RT_TABLE_LOCAL, FIB_RULE_PERMANENT);
+ err = fib_default_rule_add(ops, 0, RT_TABLE_LOCAL, 0);
if (err < 0)
return err;
err = fib_default_rule_add(ops, 0x7FFE, RT_TABLE_MAIN, 0);
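Review bot: dropping FIB_RULE_PERMANENT from the RT_TABLE_LOCAL rule makes it deletable with no in-kernel guard, so a host whose pref 0 rule is removed before another `lookup local` rule exists loses the route to its own addresses; the main table rule at 0x7FFE on the following line is unchanged and does not take over that role, since the local table is the one designated to hold local routes. The usage example in the commit message gets the order right (`ip rule add pref 1000 lookup local` before `ip rule del pref 0`); state explicitly that this order is mandatory and that the replacement rule must exist before the deletion, since the footgun is otherwise silent until the next connection to a local address fails.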
diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c
index 00a7a5e..3b38f49 100644
--- a/net/ipv6/fib6_rules.c
+++ b/net/ipv6/fib6_rules.c
@@ -276,7 +276,7 @@ static int fib6_rules_net_init(struct net *net)
INIT_LIST_HEAD(&net->ipv6.fib6_rules_ops->rules_list);
err = fib_default_rule_add(net->ipv6.fib6_rules_ops, 0,
- RT6_TABLE_LOCAL, FIB_RULE_PERMANENT);
+ RT6_TABLE_LOCAL, 0);
if (err)
goto out_fib6_rules_ops;
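Review bot: the IPv6 side mirrors the IPv4 change, but the commit message's usage example only shows IPv4 `ip rule` commands; add the `ip -6 rule` equivalent or at least note that the local rule for IPv6 becomes deletable in the same way, so that the same re-add-before-delete ordering applies to the IPv6 rule set and anyone scripting the setup covers both families.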
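The effect of the rule reordering described in this commit message, and in the cover letter's usage example, can be checked with a small model of how fib_rules_lookup() walks the rule list. The following is an added example, not kernel code: rules are walked in ascending pref order, a rule with an oif selector only matches flows from sockets bound to that device, and a table that cannot resolve the flow falls through to the next rule. RT_TABLE_LOCAL (255) and RT_TABLE_MAIN (254, i.e. 0x7FFE's table) are the kernel's numbers; the device names eth1/eth2 and tables 500/501 are the constructed values from the cover letter, and the per-table resolution is simplified to what that example configures (a default route in 500/501, only local destinations in local, nothing relevant in main).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { RT_TABLE_UNSPEC = 0, RT_TABLE_MAIN = 254, RT_TABLE_LOCAL = 255 };

struct rule {
	unsigned pref;     /* rules are walked in ascending pref order */
	const char *oif;   /* output device selector, NULL matches any */
	unsigned table;    /* table selected by this rule (action lookup) */
};

struct flow {
	const char *oif;   /* device the socket is bound to, NULL if unbound */
	int dst_is_local;  /* destination is one of the host's own addresses */
};

/* Constructed model of the per-table lookup: local resolves only local
 * destinations; 500 and 501 hold "ip route add default dev ethN", so they
 * resolve anything; main is treated as empty for this demo. */
static int table_resolves(unsigned table, const struct flow *fl)
{
	switch (table) {
	case RT_TABLE_LOCAL: return fl->dst_is_local;
	case 500:
	case 501:            return 1;
	default:             return 0;
	}
}

/* First rule whose selector matches and whose table resolves the flow wins;
 * a failed table lookup falls through to the next rule, as in the kernel.
 * Returns RT_TABLE_UNSPEC when nothing resolves (no route to destination). */
unsigned rules_lookup(const struct rule *rules, size_t n, const struct flow *fl)
{
	for (size_t i = 0; i < n; i++) {
		if (rules[i].oif && (!fl->oif || strcmp(rules[i].oif, fl->oif) != 0))
			continue;  /* rule restricted to a different oif */
		if (table_resolves(rules[i].table, fl))
			return rules[i].table;
	}
	return RT_TABLE_UNSPEC;
}

#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Stock rule set: the local rule at pref 0 runs ahead of everything. */
static const struct rule stock[] = {
	{ 0,     NULL,   RT_TABLE_LOCAL },
	{ 32766, NULL,   RT_TABLE_MAIN },
};

/* Cover-letter rule set after "ip rule add pref 1000 lookup local" and
 * "ip rule del pref 0": the oif rules now run ahead of the local rule. */
static const struct rule send_to_self[] = {
	{ 500,   "eth1", 500 },
	{ 501,   "eth2", 501 },
	{ 1000,  NULL,   RT_TABLE_LOCAL },
	{ 32766, NULL,   RT_TABLE_MAIN },
};

/* Mistake: pref 0 deleted before a replacement local rule was added. */
static const struct rule no_local[] = {
	{ 500,   "eth1", 500 },
	{ 32766, NULL,   RT_TABLE_MAIN },
};

/* Socket bound to eth1, local destination, stock rules: local wins and the
 * packet stays on loopback, which is why pref 0 has to move. */
unsigned stock_bound_to_local(void)
{
	struct flow fl = { "eth1", 1 };
	return rules_lookup(stock, N(stock), &fl);
}

/* Same socket with the reordered rules: table 500's default route wins. */
unsigned reordered_bound_to_local(void)
{
	struct flow fl = { "eth1", 1 };
	return rules_lookup(send_to_self, N(send_to_self), &fl);
}

/* An unbound socket skips the oif rules and still reaches the local table. */
unsigned reordered_unbound_to_local(void)
{
	struct flow fl = { NULL, 1 };
	return rules_lookup(send_to_self, N(send_to_self), &fl);
}

/* No local rule left: the host cannot route to its own addresses at all. */
unsigned missing_local_unbound(void)
{
	struct flow fl = { NULL, 1 };
	return rules_lookup(no_local, N(no_local), &fl);
}

int main(void)
{
	printf("stock rules, bound to eth1      -> table %u\n", stock_bound_to_local());
	printf("reordered rules, bound to eth1  -> table %u\n", reordered_bound_to_local());
	printf("reordered rules, unbound        -> table %u\n", reordered_unbound_to_local());
	printf("local rule missing, unbound     -> table %u\n", missing_local_unbound());
	return 0;
}
```

The last case is the reason the re-add must precede the delete when the local rule loses FIB_RULE_PERMANENT: once no rule reaches the local table, even an unbound socket gets no route to the host's own addresses.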