* RFC: net 00/05: routing based send-to-self implementation
@ 2009-11-30 17:55 Patrick McHardy
From: Patrick McHardy @ 2009-11-30 17:55 UTC (permalink / raw)
  To: netdev; +Cc: Patrick McHardy

These patches are yet another attempt at adding "send-to-self" functionality,
allowing packets to be sent between two local interfaces over the wire. Unlike
the approaches I've seen so far, this one is purely routing-based.
The oif classification in particular should also be useful for different setups.

The patchset consists of three parts:

- the first three patches add oif classification to fib_rules. This can be
  used to create special routing tables for sockets bound to an interface.

- the fourth patch changes IPv4 and IPv6 to allow deleting the local rule
  with priority 0. This allows re-creating it with a lower priority and
  inserting new rules below it to force packets with a local destination out
  on the wire.

- the fifth patch adds a devinet sysctl to accept packets with local source
  addresses in fib_validate_source(). This one unfortunately seems to be
  necessary; I couldn't come up with a method based purely on adding more
  routes to fool fib_validate_source() into accepting those packets.

Usage example:

# move local routing rule to lower priority
ip rule add pref 1000 lookup local
ip rule del pref 0

# only reply to ARP requests for addresses configured on the device
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore

# configure device and force packets of bound sockets out on eth1
ip address add dev eth1 10.0.0.1/24
echo 1 > /proc/sys/net/ipv4/conf/eth1/accept_local
ip link set eth1 up
ip rule add pref 500 oif eth1 lookup 500
ip route add default dev eth1 table 500

# configure device and force packets of bound sockets out on eth2
ip address add dev eth2 10.0.0.2/24
echo 1 > /proc/sys/net/ipv4/conf/eth2/accept_local
ip link set eth2 up
ip rule add pref 501 oif eth2 lookup 501
ip route add default dev eth2 table 501

At this point both packets between sockets bound to eth1/eth2 will
go over the wire.

Comments welcome.


 Documentation/networking/ip-sysctl.txt |    6 +++
 include/linux/fib_rules.h              |    8 +++-
 include/linux/inetdevice.h             |    1 +
 include/linux/sysctl.h                 |    1 +
 include/net/fib_rules.h                |    9 +++-
 kernel/sysctl_check.c                  |    1 +
 net/core/fib_rules.c                   |   71 +++++++++++++++++++++++---------
 net/ipv4/devinet.c                     |    1 +
 net/ipv4/fib_frontend.c                |   11 +++--
 net/ipv4/fib_rules.c                   |    2 +-
 net/ipv6/fib6_rules.c                  |    2 +-
 11 files changed, 82 insertions(+), 31 deletions(-)

Patrick McHardy (5):
      net: fib_rules: rearrange struct fib_rule
      net: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME
      net: fib_rules: add oif classification
      net: fib_rules: allow to delete local rule
      ipv4: add sysctl to accept packets with local source addresses
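
The following C program is an added user-space model, not code from this series or from the kernel: it replays the rule walk that the usage example above (and the commit message of patch 04) depends on, and the reverse-path check that patch 05 relaxes. The ifindex values (LO=1, ETH1=2, ETH2=3), the two connected addresses 10.0.0.1/10.0.0.2 and the tables 500/501 are taken from the usage example; the functions fib_rule_match(), fib_lookup() and validate_source() are simplified re-implementations that keep only the iif/oif matching and the RTN_UNICAST/RTN_LOCAL distinction. It shows two things: with the stock rule order the pref-0 local rule answers every lookup for 10.0.0.2 before the oif rules are reached, and the source validation done on receive builds its flow without an oif, so the oif rules never apply there and the local rule at pref 1000 still yields RTN_LOCAL, which is why accept_local is needed.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed values for this model; they are not the kernel's. */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                        ((uint32_t)(c) << 8) | (uint32_t)(d))
#define N(a) (sizeof(a) / sizeof((a)[0]))
enum { LO = 1, ETH1 = 2, ETH2 = 3 };             /* assumed ifindex values */
enum { RT_TABLE_MAIN = 254, RT_TABLE_LOCAL = 255 };
enum rtn_type { RTN_UNICAST = 1, RTN_LOCAL = 2 };

struct fib_rule   { unsigned pref; int iifindex; int oifindex; unsigned table; };
struct flowi      { int iif; int oif; uint32_t daddr; };
struct fib_result { enum rtn_type type; int dev; };

/* Address plan from the usage example: 10.0.0.1 on eth1, 10.0.0.2 on eth2. */
static const struct { uint32_t addr; int dev; } local_addrs[] = {
    { IP(10, 0, 0, 1), ETH1 }, { IP(10, 0, 0, 2), ETH2 },
};

/* One routing table. 0 = result filled in, -1 = no route, try the next rule. */
static int table_lookup(unsigned table, uint32_t daddr, struct fib_result *res)
{
    switch (table) {
    case RT_TABLE_LOCAL:                 /* local addresses are delivered via lo */
        for (size_t i = 0; i < N(local_addrs); i++)
            if (local_addrs[i].addr == daddr) {
                res->type = RTN_LOCAL; res->dev = LO; return 0;
            }
        return -1;
    case RT_TABLE_MAIN:                  /* connected route 10.0.0.0/24 dev eth1 */
        if ((daddr & 0xffffff00u) == IP(10, 0, 0, 0)) {
            res->type = RTN_UNICAST; res->dev = ETH1; return 0;
        }
        return -1;
    case 500: res->type = RTN_UNICAST; res->dev = ETH1; return 0; /* default dev eth1 */
    case 501: res->type = RTN_UNICAST; res->dev = ETH2; return 0; /* default dev eth2 */
    default:  return -1;
    }
}

/* Mirrors fib_rule_match() after patch 03: an index of 0 means "any". */
static int fib_rule_match(const struct fib_rule *rule, const struct flowi *fl)
{
    if (rule->iifindex && rule->iifindex != fl->iif) return 0;
    if (rule->oifindex && rule->oifindex != fl->oif) return 0;
    return 1;
}

/* Rules are walked in priority order; the first table with a route wins. */
static int fib_lookup(const struct fib_rule *rules, size_t n,
                      const struct flowi *fl, struct fib_result *res)
{
    for (size_t i = 0; i < n; i++)
        if (fib_rule_match(&rules[i], fl) &&
            table_lookup(rules[i].table, fl->daddr, res) == 0)
            return 0;
    return -1;
}

/* Model of fib_validate_source() after patch 05: a reverse lookup on the
 * source address with no oif in the flow, so oif rules can never match. */
static int validate_source(const struct fib_rule *rules, size_t n,
                           uint32_t saddr, int accept_local)
{
    struct flowi fl = { .iif = 0, .oif = 0, .daddr = saddr };
    struct fib_result res;

    if (fib_lookup(rules, n, &fl, &res)) return 0;
    if (res.type != RTN_UNICAST && (res.type != RTN_LOCAL || !accept_local))
        return 0;                                  /* e_inval_res */
    return 1;
}

/* Stock rule set: the pref-0 local rule shadows everything for local destinations. */
static const struct fib_rule stock_rules[] = {
    { 0,     0, 0,    RT_TABLE_LOCAL },
    { 32766, 0, 0,    RT_TABLE_MAIN  },
};
/* Rule set after the usage example (pref 0 deleted, local rule at 1000). */
static const struct fib_rule sts_rules[] = {
    { 500,   0, ETH1, 500            },
    { 501,   0, ETH2, 501            },
    { 1000,  0, 0,    RT_TABLE_LOCAL },
    { 32766, 0, 0,    RT_TABLE_MAIN  },
};

/* Device a packet from a socket bound to eth1, addressed to 10.0.0.2, leaves on. */
int egress_dev(int send_to_self)
{
    struct flowi fl = { .iif = 0, .oif = ETH1, .daddr = IP(10, 0, 0, 2) };
    struct fib_result res;
    const struct fib_rule *r = send_to_self ? sts_rules : stock_rules;
    size_t n = send_to_self ? N(sts_rules) : N(stock_rules);

    return fib_lookup(r, n, &fl, &res) ? -1 : res.dev;
}

/* Whether a packet arriving with source 10.0.0.1 passes source validation. */
int ingress_ok(int accept_local)
{
    return validate_source(sts_rules, N(sts_rules), IP(10, 0, 0, 1), accept_local);
}
```

egress_dev(0) resolves to LO and egress_dev(1) to ETH1, which is the whole effect of moving the local rule; ingress_ok(0) fails and ingress_ok(1) succeeds, which is the effect of the accept_local sysctl. The model deliberately leaves out rp_filter, so it says nothing about what happens once the packet is accepted by the source check.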


* net 01/05: fib_rules: rearrange struct fib_rule
@ 2009-11-30 17:55 ` Patrick McHardy
From: Patrick McHardy @ 2009-11-30 17:55 UTC (permalink / raw)
  To: netdev; +Cc: Patrick McHardy

commit 0d9a871c9888ef8f7a08531beaa69220edf4bea3
Author: Patrick McHardy <kaber@trash.net>
Date:   Mon Nov 30 15:45:49 2009 +0100

    net: fib_rules: rearrange struct fib_rule
    
    The ifname member is only used to resolve interface names and is not needed
    during rule lookups. The target and ctarget members however are used during
    rule lookups and are currently located in a second cacheline.
    
    Move ifname further to the end to make sure both target and ctarget are
    located in the same cacheline as other members used during rule lookups.
    
    The layout on 64 bit changes from:
    
    struct fib_rule {
    	...
            u32                        table;                /*    56     4 */
            u8                         action;               /*    60     1 */
    
            /* XXX 3 bytes hole, try to pack */
    
            /* --- cacheline 1 boundary (64 bytes) --- */
            u32                        target;               /*    64     4 */
    
            /* XXX 4 bytes hole, try to pack */
    
            struct fib_rule *          ctarget;              /*    72     8 */
            struct rcu_head            rcu;                  /*    80    16 */
            struct net *               fr_net;               /*    96     8 */
    };
    
    to:
    
    struct fib_rule {
    	...
            u32                        table;                /*    40     4 */
            u8                         action;               /*    44     1 */
    
            /* XXX 3 bytes hole, try to pack */
    
            u32                        target;               /*    48     4 */
    
            /* XXX 4 bytes hole, try to pack */
    
            struct fib_rule *          ctarget;              /*    56     8 */
            /* --- cacheline 1 boundary (64 bytes) --- */
            char                       ifname[16];           /*    64    16 */
            struct rcu_head            rcu;                  /*    80    16 */
            struct net *               fr_net;               /*    96     8 */
    
    };
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h
index 2cd707b..22fb323 100644
--- a/include/net/fib_rules.h
+++ b/include/net/fib_rules.h
@@ -11,7 +11,6 @@ struct fib_rule {
 	struct list_head	list;
 	atomic_t		refcnt;
 	int			ifindex;
-	char			ifname[IFNAMSIZ];
 	u32			mark;
 	u32			mark_mask;
 	u32			pref;
@@ -20,6 +19,7 @@ struct fib_rule {
 	u8			action;
 	u32			target;
 	struct fib_rule *	ctarget;
+	char			ifname[IFNAMSIZ];
 	struct rcu_head		rcu;
 	struct net *		fr_net;
 };


* net 02/05: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME
@ 2009-11-30 17:55 ` Patrick McHardy
From: Patrick McHardy @ 2009-11-30 17:55 UTC (permalink / raw)
  To: netdev; +Cc: Patrick McHardy

commit dc4427ae3647195508b4df883050a9f0ef111165
Author: Patrick McHardy <kaber@trash.net>
Date:   Mon Nov 30 15:54:05 2009 +0100

    net: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME
    
    The next patch will add oif classification; rename the interface-related members
    and attributes to reflect that they're used for iif classification.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/linux/fib_rules.h b/include/linux/fib_rules.h
index c7e5b70..e3c91af 100644
--- a/include/linux/fib_rules.h
+++ b/include/linux/fib_rules.h
@@ -8,7 +8,8 @@
 #define FIB_RULE_PERMANENT	0x00000001
 #define FIB_RULE_INVERT		0x00000002
 #define FIB_RULE_UNRESOLVED	0x00000004
-#define FIB_RULE_DEV_DETACHED	0x00000008
+#define FIB_RULE_IIF_DETACHED	0x00000008
+#define FIB_RULE_DEV_DETACHED	FIB_RULE_DEV_DETACHED
 
 /* try to find source address in routing lookups */
 #define FIB_RULE_FIND_SADDR	0x00010000
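
Review bot: the compatibility alias on the last `+` line of this hunk is self-referential: `#define FIB_RULE_DEV_DETACHED	FIB_RULE_DEV_DETACHED` expands to an undefined identifier, so any user-space program that still uses the old flag name fails to compile. It should read `#define FIB_RULE_DEV_DETACHED	FIB_RULE_IIF_DETACHED`, in line with the `FRA_IFNAME`/`FRA_IIFNAME` alias in the next hunk. The same wrong line shows up as context in patch 03, so the fix belongs here.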
@@ -31,7 +32,8 @@ enum {
 	FRA_UNSPEC,
 	FRA_DST,	/* destination address */
 	FRA_SRC,	/* source address */
-	FRA_IFNAME,	/* interface name */
+	FRA_IIFNAME,	/* interface name */
+#define FRA_IFNAME	FRA_IIFNAME
 	FRA_GOTO,	/* target to jump to (FR_ACT_GOTO) */
 	FRA_UNUSED2,
 	FRA_PRIORITY,	/* priority/preference */
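
Review bot: the comment on the renamed `FRA_IIFNAME` entry still reads `/* interface name */`; since the point of the rename is to distinguish incoming from outgoing interfaces, make it `/* incoming interface name */` so that the oif attribute added in the next patch has something to be read against.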
diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h
index 22fb323..62bebcb 100644
--- a/include/net/fib_rules.h
+++ b/include/net/fib_rules.h
@@ -10,7 +10,7 @@
 struct fib_rule {
 	struct list_head	list;
 	atomic_t		refcnt;
-	int			ifindex;
+	int			iifindex;
 	u32			mark;
 	u32			mark_mask;
 	u32			pref;
@@ -19,7 +19,7 @@ struct fib_rule {
 	u8			action;
 	u32			target;
 	struct fib_rule *	ctarget;
-	char			ifname[IFNAMSIZ];
+	char			iifname[IFNAMSIZ];
 	struct rcu_head		rcu;
 	struct net *		fr_net;
 };
@@ -67,7 +67,7 @@ struct fib_rules_ops {
 };
 
 #define FRA_GENERIC_POLICY \
-	[FRA_IFNAME]	= { .type = NLA_STRING, .len = IFNAMSIZ - 1 }, \
+	[FRA_IIFNAME]	= { .type = NLA_STRING, .len = IFNAMSIZ - 1 }, \
 	[FRA_PRIORITY]	= { .type = NLA_U32 }, \
 	[FRA_FWMARK]	= { .type = NLA_U32 }, \
 	[FRA_FWMASK]	= { .type = NLA_U32 }, \
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index bd30938..8e8028c 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -135,7 +135,7 @@ static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops,
 {
 	int ret = 0;
 
-	if (rule->ifindex && (rule->ifindex != fl->iif))
+	if (rule->iifindex && (rule->iifindex != fl->iif))
 		goto out;
 
 	if ((rule->mark ^ fl->mark) & rule->mark_mask)
@@ -248,14 +248,14 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
 	if (tb[FRA_PRIORITY])
 		rule->pref = nla_get_u32(tb[FRA_PRIORITY]);
 
-	if (tb[FRA_IFNAME]) {
+	if (tb[FRA_IIFNAME]) {
 		struct net_device *dev;
 
-		rule->ifindex = -1;
-		nla_strlcpy(rule->ifname, tb[FRA_IFNAME], IFNAMSIZ);
-		dev = __dev_get_by_name(net, rule->ifname);
+		rule->iifindex = -1;
+		nla_strlcpy(rule->iifname, tb[FRA_IIFNAME], IFNAMSIZ);
+		dev = __dev_get_by_name(net, rule->iifname);
 		if (dev)
-			rule->ifindex = dev->ifindex;
+			rule->iifindex = dev->ifindex;
 	}
 
 	if (tb[FRA_FWMARK]) {
@@ -388,8 +388,8 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
 		    (rule->pref != nla_get_u32(tb[FRA_PRIORITY])))
 			continue;
 
-		if (tb[FRA_IFNAME] &&
-		    nla_strcmp(tb[FRA_IFNAME], rule->ifname))
+		if (tb[FRA_IIFNAME] &&
+		    nla_strcmp(tb[FRA_IIFNAME], rule->iifname))
 			continue;
 
 		if (tb[FRA_FWMARK] &&
@@ -447,7 +447,7 @@ static inline size_t fib_rule_nlmsg_size(struct fib_rules_ops *ops,
 					 struct fib_rule *rule)
 {
 	size_t payload = NLMSG_ALIGN(sizeof(struct fib_rule_hdr))
-			 + nla_total_size(IFNAMSIZ) /* FRA_IFNAME */
+			 + nla_total_size(IFNAMSIZ) /* FRA_IIFNAME */
 			 + nla_total_size(4) /* FRA_PRIORITY */
 			 + nla_total_size(4) /* FRA_TABLE */
 			 + nla_total_size(4) /* FRA_FWMARK */
@@ -481,11 +481,11 @@ static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule,
 	if (rule->action == FR_ACT_GOTO && rule->ctarget == NULL)
 		frh->flags |= FIB_RULE_UNRESOLVED;
 
-	if (rule->ifname[0]) {
-		NLA_PUT_STRING(skb, FRA_IFNAME, rule->ifname);
+	if (rule->iifname[0]) {
+		NLA_PUT_STRING(skb, FRA_IIFNAME, rule->iifname);
 
-		if (rule->ifindex == -1)
-			frh->flags |= FIB_RULE_DEV_DETACHED;
+		if (rule->iifindex == -1)
+			frh->flags |= FIB_RULE_IIF_DETACHED;
 	}
 
 	if (rule->pref)
@@ -600,9 +600,9 @@ static void attach_rules(struct list_head *rules, struct net_device *dev)
 	struct fib_rule *rule;
 
 	list_for_each_entry(rule, rules, list) {
-		if (rule->ifindex == -1 &&
-		    strcmp(dev->name, rule->ifname) == 0)
-			rule->ifindex = dev->ifindex;
+		if (rule->iifindex == -1 &&
+		    strcmp(dev->name, rule->iifname) == 0)
+			rule->iifindex = dev->ifindex;
 	}
 }
 
@@ -611,8 +611,8 @@ static void detach_rules(struct list_head *rules, struct net_device *dev)
 	struct fib_rule *rule;
 
 	list_for_each_entry(rule, rules, list)
-		if (rule->ifindex == dev->ifindex)
-			rule->ifindex = -1;
+		if (rule->iifindex == dev->ifindex)
+			rule->iifindex = -1;
 }
 
 


* net 03/05: fib_rules: add oif classification
@ 2009-11-30 17:55 ` Patrick McHardy
From: Patrick McHardy @ 2009-11-30 17:55 UTC (permalink / raw)
  To: netdev; +Cc: Patrick McHardy

commit b3fe9e6465a572e97dc1bb6222c1ec4224285817
Author: Patrick McHardy <kaber@trash.net>
Date:   Mon Nov 30 16:00:51 2009 +0100

    net: fib_rules: add oif classification
    
    Support routing table lookup based on the flow's oif. This is useful to
    classify packets originating from sockets bound to interfaces differently.
    
    The route cache already includes the oif and needs no changes.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/include/linux/fib_rules.h b/include/linux/fib_rules.h
index e3c91af..05c9bbe 100644
--- a/include/linux/fib_rules.h
+++ b/include/linux/fib_rules.h
@@ -10,6 +10,7 @@
 #define FIB_RULE_UNRESOLVED	0x00000004
 #define FIB_RULE_IIF_DETACHED	0x00000008
 #define FIB_RULE_DEV_DETACHED	FIB_RULE_DEV_DETACHED
+#define FIB_RULE_OIF_DETACHED	0x00000010
 
 /* try to find source address in routing lookups */
 #define FIB_RULE_FIND_SADDR	0x00010000
@@ -47,6 +48,7 @@ enum {
 	FRA_UNUSED8,
 	FRA_TABLE,	/* Extended table id */
 	FRA_FWMASK,	/* mask for netfilter mark */
+	FRA_OIFNAME,
 	__FRA_MAX
 };
 
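
Review bot: `FRA_OIFNAME` is the only entry in this enum without a comment; add `/* outgoing interface name */` to match the neighbouring entries. Appending it before `__FRA_MAX` instead of reusing one of the `FRA_UNUSED*` slots keeps the user-space attribute numbering stable, which is the right choice for an exported header.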
diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h
index 62bebcb..d4e875a 100644
--- a/include/net/fib_rules.h
+++ b/include/net/fib_rules.h
@@ -11,6 +11,7 @@ struct fib_rule {
 	struct list_head	list;
 	atomic_t		refcnt;
 	int			iifindex;
+	int			oifindex;
 	u32			mark;
 	u32			mark_mask;
 	u32			pref;
@@ -20,6 +21,7 @@ struct fib_rule {
 	u32			target;
 	struct fib_rule *	ctarget;
 	char			iifname[IFNAMSIZ];
+	char			oifname[IFNAMSIZ];
 	struct rcu_head		rcu;
 	struct net *		fr_net;
 };
@@ -68,6 +70,7 @@ struct fib_rules_ops {
 
 #define FRA_GENERIC_POLICY \
 	[FRA_IIFNAME]	= { .type = NLA_STRING, .len = IFNAMSIZ - 1 }, \
+	[FRA_OIFNAME]	= { .type = NLA_STRING, .len = IFNAMSIZ - 1 }, \
 	[FRA_PRIORITY]	= { .type = NLA_U32 }, \
 	[FRA_FWMARK]	= { .type = NLA_U32 }, \
 	[FRA_FWMASK]	= { .type = NLA_U32 }, \
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index 8e8028c..d1a70ad 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -138,6 +138,9 @@ static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops,
 	if (rule->iifindex && (rule->iifindex != fl->iif))
 		goto out;
 
+	if (rule->oifindex && (rule->oifindex != fl->oif))
+		goto out;
+
 	if ((rule->mark ^ fl->mark) & rule->mark_mask)
 		goto out;
 
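
Review bot: the new `oifindex` test keys on `fl->oif`, so oif rules only take effect for lookups that carry an output interface, i.e. output routing of bound sockets. The reverse-path lookup in `fib_validate_source()` (patch 05 shows it building its flow with `.iif = oif` and no oif) will skip every oif rule and fall through to the local rule, which is the reason patch 05 has to add `accept_local`; that coupling deserves a sentence in this commit message, since on its own the hunk reads as if oif rules applied to all lookups.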
@@ -258,6 +261,16 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
 			rule->iifindex = dev->ifindex;
 	}
 
+	if (tb[FRA_OIFNAME]) {
+		struct net_device *dev;
+
+		rule->oifindex = -1;
+		nla_strlcpy(rule->oifname, tb[FRA_OIFNAME], IFNAMSIZ);
+		dev = __dev_get_by_name(net, rule->oifname);
+		if (dev)
+			rule->oifindex = dev->ifindex;
+	}
+
 	if (tb[FRA_FWMARK]) {
 		rule->mark = nla_get_u32(tb[FRA_FWMARK]);
 		if (rule->mark)
@@ -392,6 +405,10 @@ static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
 		    nla_strcmp(tb[FRA_IIFNAME], rule->iifname))
 			continue;
 
+		if (tb[FRA_OIFNAME] &&
+		    nla_strcmp(tb[FRA_OIFNAME], rule->oifname))
+			continue;
+
 		if (tb[FRA_FWMARK] &&
 		    (rule->mark != nla_get_u32(tb[FRA_FWMARK])))
 			continue;
@@ -448,6 +465,7 @@ static inline size_t fib_rule_nlmsg_size(struct fib_rules_ops *ops,
 {
 	size_t payload = NLMSG_ALIGN(sizeof(struct fib_rule_hdr))
 			 + nla_total_size(IFNAMSIZ) /* FRA_IIFNAME */
+			 + nla_total_size(IFNAMSIZ) /* FRA_OIFNAME */
 			 + nla_total_size(4) /* FRA_PRIORITY */
 			 + nla_total_size(4) /* FRA_TABLE */
 			 + nla_total_size(4) /* FRA_FWMARK */
@@ -488,6 +506,13 @@ static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule,
 			frh->flags |= FIB_RULE_IIF_DETACHED;
 	}
 
+	if (rule->oifname[0]) {
+		NLA_PUT_STRING(skb, FRA_OIFNAME, rule->oifname);
+
+		if (rule->oifindex == -1)
+			frh->flags |= FIB_RULE_OIF_DETACHED;
+	}
+
 	if (rule->pref)
 		NLA_PUT_U32(skb, FRA_PRIORITY, rule->pref);
 
@@ -603,6 +628,9 @@ static void attach_rules(struct list_head *rules, struct net_device *dev)
 		if (rule->iifindex == -1 &&
 		    strcmp(dev->name, rule->iifname) == 0)
 			rule->iifindex = dev->ifindex;
+		if (rule->oifindex == -1 &&
+		    strcmp(dev->name, rule->oifname) == 0)
+			rule->oifindex = dev->ifindex;
 	}
 }
 
@@ -610,9 +638,12 @@ static void detach_rules(struct list_head *rules, struct net_device *dev)
 {
 	struct fib_rule *rule;
 
-	list_for_each_entry(rule, rules, list)
+	list_for_each_entry(rule, rules, list) {
 		if (rule->iifindex == dev->ifindex)
 			rule->iifindex = -1;
+		if (rule->oifindex == dev->ifindex)
+			rule->oifindex = -1;
+	}
 }
 
 


* net 04/05: fib_rules: allow to delete local rule
@ 2009-11-30 17:55 ` Patrick McHardy
From: Patrick McHardy @ 2009-11-30 17:55 UTC (permalink / raw)
  To: netdev; +Cc: Patrick McHardy

commit ca1ba96aaa05cc0a2a7f172990e7787354c8b7b9
Author: Patrick McHardy <kaber@trash.net>
Date:   Mon Nov 30 16:05:51 2009 +0100

    net: fib_rules: allow to delete local rule
    
    Allow deleting the local rule and recreating it with a lower priority. This
    can be used to force packets with a local destination out on the wire instead
    of routing them to loopback. Additionally this patch allows recreating rules
    with a priority of 0.
    
    Combined with the previous patch to allow oif classification, a socket can
    be bound to the desired interface and packets routed to the wire like this:
    
    # move local rule to lower priority
    ip rule add pref 1000 lookup local
    ip rule del pref 0
    
    # route packets of sockets bound to eth0 to the wire independent
    # of the destination address
    ip rule add pref 100 oif eth0 lookup 100
    ip route add default dev eth0 lookup 100
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index d1a70ad..ef0e7d9 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -287,7 +287,7 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
 	rule->flags = frh->flags;
 	rule->table = frh_get_table(frh, tb);
 
-	if (!rule->pref && ops->default_pref)
+	if (!tb[FRA_PRIORITY] && ops->default_pref)
 		rule->pref = ops->default_pref(ops);
 
 	err = -EINVAL;
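
Review bot: switching the condition from `!rule->pref` to `!tb[FRA_PRIORITY]` is what makes an explicit priority 0 creatable, but it also changes behaviour for any user-space caller that sent `FRA_PRIORITY` = 0 expecting the default: such a caller now gets a pref-0 rule inserted ahead of every other rule, including the local one. That is worth stating in the commit message. Separately, the usage example in the commit message uses `ip route add default dev eth0 lookup 100`, whereas the cover letter uses `table 500` for the same step; the two should agree.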
diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
index 835262c..1239ed2 100644
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -284,7 +284,7 @@ static int fib_default_rules_init(struct fib_rules_ops *ops)
 {
 	int err;
 
-	err = fib_default_rule_add(ops, 0, RT_TABLE_LOCAL, FIB_RULE_PERMANENT);
+	err = fib_default_rule_add(ops, 0, RT_TABLE_LOCAL, 0);
 	if (err < 0)
 		return err;
 	err = fib_default_rule_add(ops, 0x7FFE, RT_TABLE_MAIN, 0);
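
Review bot: dropping `FIB_RULE_PERMANENT` from the local rule means an `ip rule del pref 0` without a replacement leaves the host unable to deliver to its own addresses until the rule is re-added; the cover letter adds the pref-1000 copy first, which is the only safe order, and nothing in the kernel enforces it. Either document that ordering next to the new sysctl, or have the delete path refuse to remove the last rule referencing `RT_TABLE_LOCAL`.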
diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c
index 00a7a5e..3b38f49 100644
--- a/net/ipv6/fib6_rules.c
+++ b/net/ipv6/fib6_rules.c
@@ -276,7 +276,7 @@ static int fib6_rules_net_init(struct net *net)
 	INIT_LIST_HEAD(&net->ipv6.fib6_rules_ops->rules_list);
 
 	err = fib_default_rule_add(net->ipv6.fib6_rules_ops, 0,
-				   RT6_TABLE_LOCAL, FIB_RULE_PERMANENT);
+				   RT6_TABLE_LOCAL, 0);
 	if (err)
 		goto out_fib6_rules_ops;
 
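
Review bot: the IPv6 local rule gets the same relaxation, but the cover letter's usage example and the `accept_local` sysctl in patch 05 are IPv4-only (`net/ipv4/devinet.c`, `net/ipv4/fib_frontend.c`). Either say in the commit message that send-to-self over IPv6 is not complete with this series, or keep the IPv6 rule permanent until the equivalent source-validation change exists, so that deleting it is not possible before it is useful.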


* ipv4 05/05: add sysctl to accept packets with local source addresses
@ 2009-11-30 17:55 ` Patrick McHardy
From: Patrick McHardy @ 2009-11-30 17:55 UTC (permalink / raw)
  To: netdev; +Cc: Patrick McHardy

commit 35924708110a98ac8407deaef95194ff9d0375d2
Author: Patrick McHardy <kaber@trash.net>
Date:   Mon Nov 30 17:48:03 2009 +0100

    ipv4: add sysctl to accept packets with local source addresses
    
    Change fib_validate_source() to accept packets with a local source address when
    the "accept_local" sysctl is set for the incoming inet device. Combined with the
    previous patches, this allows communication between multiple local interfaces
    over the wire.
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt
index a0e134d..b319d4f 100644
--- a/Documentation/networking/ip-sysctl.txt
+++ b/Documentation/networking/ip-sysctl.txt
@@ -723,6 +723,12 @@ accept_source_route - BOOLEAN
 	default TRUE (router)
 		FALSE (host)
 
+accept_local - BOOLEAN
+	Accept packets with local source addresses. In combination with
+	suitable routing, this can be used to direct packets between two
+	local interfaces over the wire and have them accepted properly.
+	default FALSE
+
 rp_filter - INTEGER
 	0 - No source validation.
 	1 - Strict mode as defined in RFC3704 Strict Reverse Path
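
Review bot: the documentation should say what the knob relaxes: without it, packets arriving from the wire with one of the host's own addresses as source fail `fib_validate_source()` and are dropped as spoofed, so enabling `accept_local` on an interface that faces untrusted hosts weakens source validation for exactly that class of packet. It should also mention that the value is read with `IN_DEV_ORCONF` (see the inetdevice.h hunk), so setting `conf/all/accept_local` turns it on for every interface rather than only where it is needed.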
diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
index eecfa55..699e85c 100644
--- a/include/linux/inetdevice.h
+++ b/include/linux/inetdevice.h
@@ -83,6 +83,7 @@ static inline void ipv4_devconf_setall(struct in_device *in_dev)
 #define IN_DEV_RPFILTER(in_dev)		IN_DEV_MAXCONF((in_dev), RP_FILTER)
 #define IN_DEV_SOURCE_ROUTE(in_dev)	IN_DEV_ANDCONF((in_dev), \
 						       ACCEPT_SOURCE_ROUTE)
+#define IN_DEV_ACCEPT_LOCAL(in_dev)	IN_DEV_ORCONF((in_dev), ACCEPT_LOCAL)
 #define IN_DEV_BOOTP_RELAY(in_dev)	IN_DEV_ANDCONF((in_dev), BOOTP_RELAY)
 
 #define IN_DEV_LOG_MARTIANS(in_dev)	IN_DEV_ORCONF((in_dev), LOG_MARTIANS)
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index 1e4743e..9f047d7 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -490,6 +490,7 @@ enum
 	NET_IPV4_CONF_PROMOTE_SECONDARIES=20,
 	NET_IPV4_CONF_ARP_ACCEPT=21,
 	NET_IPV4_CONF_ARP_NOTIFY=22,
+	NET_IPV4_CONF_ACCEPT_LOCAL=23,
 	__NET_IPV4_CONF_MAX
 };
 
diff --git a/kernel/sysctl_check.c b/kernel/sysctl_check.c
index b6e7aae..f1d676e 100644
--- a/kernel/sysctl_check.c
+++ b/kernel/sysctl_check.c
@@ -220,6 +220,7 @@ static const struct trans_ctl_table trans_net_ipv4_conf_vars_table[] = {
 	{ NET_IPV4_CONF_PROMOTE_SECONDARIES,	"promote_secondaries" },
 	{ NET_IPV4_CONF_ARP_ACCEPT,		"arp_accept" },
 	{ NET_IPV4_CONF_ARP_NOTIFY,		"arp_notify" },
+	{ NET_IPV4_CONF_ACCEPT_LOCAL,		"accept_local" },
 	{}
 };
 
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index c100709..e312661 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -1468,6 +1468,7 @@ static struct devinet_sysctl_table {
 		DEVINET_SYSCTL_RW_ENTRY(SEND_REDIRECTS, "send_redirects"),
 		DEVINET_SYSCTL_RW_ENTRY(ACCEPT_SOURCE_ROUTE,
 					"accept_source_route"),
+		DEVINET_SYSCTL_RW_ENTRY(ACCEPT_LOCAL, "accept_local"),
 		DEVINET_SYSCTL_RW_ENTRY(PROXY_ARP, "proxy_arp"),
 		DEVINET_SYSCTL_RW_ENTRY(MEDIUM_ID, "medium_id"),
 		DEVINET_SYSCTL_RW_ENTRY(BOOTP_RELAY, "bootp_relay"),
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 6c1e56a..32ea949 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -241,16 +241,17 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
 			    .iif = oif };
 
 	struct fib_result res;
-	int no_addr, rpf;
+	int no_addr, rpf, accept_local;
 	int ret;
 	struct net *net;
 
-	no_addr = rpf = 0;
+	no_addr = rpf = accept_local = 0;
 	rcu_read_lock();
 	in_dev = __in_dev_get_rcu(dev);
 	if (in_dev) {
 		no_addr = in_dev->ifa_list == NULL;
 		rpf = IN_DEV_RPFILTER(in_dev);
+		accept_local = IN_DEV_ACCEPT_LOCAL(in_dev);
 	}
 	rcu_read_unlock();
 
@@ -260,8 +261,10 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
 	net = dev_net(dev);
 	if (fib_lookup(net, &fl, &res))
 		goto last_resort;
-	if (res.type != RTN_UNICAST)
-		goto e_inval_res;
+	if (res.type != RTN_UNICAST) {
+		if (res.type != RTN_LOCAL || !accept_local)
+			goto e_inval_res;
+	}
 	*spec_dst = FIB_RES_PREFSRC(res);
 	fib_combine_itag(itag, &res);
 #ifdef CONFIG_IP_ROUTE_MULTIPATH
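
Review bot: after the relaxed check an `RTN_LOCAL` result continues into code written for unicast results (`FIB_RES_PREFSRC`, `fib_combine_itag` and the multipath and device comparison that follow); for a local route `FIB_RES_DEV` is the interface owning the address, not the one the packet arrived on, so how this interacts with `rp_filter` on the ingress device should be checked and stated in the documentation. The nested `if` can also be a single condition: `if (res.type != RTN_UNICAST && (res.type != RTN_LOCAL || !accept_local)) goto e_inval_res;`.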


* Re: RFC: net 00/05: routing based send-to-self implementation
@ 2009-11-30 19:32 ` Eric W. Biederman
From: Eric W. Biederman @ 2009-11-30 19:32 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netdev

Patrick McHardy <kaber@trash.net> writes:

> These patches are yet another attempt at adding "send-to-self" functionality,
> allowing to send packets between two local interfaces over the wire. Unlike
> the approaches I've seen so far, this one is purely routing based.
> Especially the oif classification should also be useful for different setups.

Why not put each physical interface in a different network namespace?
That should work with no changes today.

Eric


* Re: RFC: net 00/05: routing based send-to-self implementation
@ 2009-11-30 19:37   ` Ben Greear
From: Ben Greear @ 2009-11-30 19:37 UTC (permalink / raw)
  To: Eric W. Biederman; +Cc: Patrick McHardy, netdev

On 11/30/2009 11:32 AM, Eric W. Biederman wrote:
> Patrick McHardy<kaber@trash.net>  writes:
>
>> These patches are yet another attempt at adding "send-to-self" functionality,
>> allowing to send packets between two local interfaces over the wire. Unlike
>> the approaches I've seen so far, this one is purely routing based.
>> Especially the oif classification should also be useful for different setups.
>
> Why not put each physical interface in a different network namespace?
> That should work with no changes today.

This doesn't work if you want to have one application manage lots of interfaces
and send traffic between these interfaces.  Certainly there are use-cases that
can use multiple name-spaces, but it's nice to have the option not to use them
as well.

Thanks,
Ben

-- 
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc  http://www.candelatech.com



* Re: RFC: net 00/05: routing based send-to-self implementation
@ 2009-11-30 20:04     ` Benjamin LaHaise
From: Benjamin LaHaise @ 2009-11-30 20:04 UTC (permalink / raw)
  To: Ben Greear; +Cc: Eric W. Biederman, Patrick McHardy, netdev

On Mon, Nov 30, 2009 at 11:37:31AM -0800, Ben Greear wrote:
> This doesn't work if you want to have one application manage lots of 
> interfaces and send traffic between these interfaces.  Certainly there are 
> use-cases that can use multiple name-spaces, but it's nice to have the 
> option not to use them as well.

Actually, it's quite doable from within one application.  I recently adapted 
an application to make use of multiple network namespaces within a single 
process by way of pthreads and unshare(CLONE_NEWNET).  The scheme I used 
is to just open the socket in a new namespace in a thread.  Since the 
file descriptor table is still shared, it's easy to send/receive data from 
any other thread, regardless of which virtual network namespace it's in.  
All told, setting up virtual routers with namespaces is pretty easy.

		-ben
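
As an added illustration of the scheme described in the message above (my own code, not Benjamin's application), the following C program creates a socket inside a freshly unshared network namespace while the descriptor lands in the caller's descriptor table. It uses clone(2) with CLONE_VM | CLONE_FILES | CLONE_VFORK instead of a pthread, so that it needs no thread library and the parent is suspended until the child has finished; the effect is the same, because a socket stays in the namespace it was created in no matter which task later uses the descriptor. Unsharing a network namespace needs CAP_SYS_ADMIN, so without it the function reports -EPERM; the names socket_in_new_netns(), netns_child() and netns_socket_req are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Shared between parent and child: CLONE_VM makes the same memory visible. */
struct netns_socket_req {
    int  fd;        /* socket created inside the new namespace, or -1 */
    int  err;       /* errno of the failing call, 0 on success */
    char ns[64];    /* readlink of /proc/self/ns/net in the child, if available */
};

/* Runs in the clone child. It shares memory with the parent but is not a
 * proper thread, so it stays clear of stdio and malloc. */
static int netns_child(void *arg)
{
    struct netns_socket_req *req = arg;
    ssize_t n;

    if (unshare(CLONE_NEWNET) < 0) { req->err = errno; return 1; }
    /* The socket is bound to the new namespace for its whole life... */
    req->fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (req->fd < 0) { req->err = errno; return 1; }
    /* ...while CLONE_FILES has already placed the descriptor in the parent's table. */
    n = readlink("/proc/self/ns/net", req->ns, sizeof(req->ns) - 1);
    req->ns[n > 0 ? n : 0] = '\0';
    return 0;
}

/* Returns 0 and stores the fd, or -errno. *same_ns is 1 when /proc shows
 * parent and child in the same namespace (unshare did not take effect),
 * 0 when they differ, -1 when /proc could not be consulted. */
int socket_in_new_netns(int *fd_out, int *same_ns)
{
    struct netns_socket_req req = { .fd = -1, .err = 0, .ns = "" };
    size_t stack_size = 64 * 1024;
    char *stack = malloc(stack_size);
    char parent_ns[64];
    ssize_t n;
    pid_t pid;
    int status, e;

    if (!stack) return -ENOMEM;
    /* CLONE_FILES shares the descriptor table, CLONE_VM the memory, CLONE_VFORK
     * suspends us until the child exits; no CLONE_THREAD so waitpid() reaps it. */
    pid = clone(netns_child, stack + stack_size,
                CLONE_VM | CLONE_FILES | CLONE_VFORK | SIGCHLD, &req);
    if (pid < 0) { e = errno; free(stack); return -e; }
    if (waitpid(pid, &status, 0) < 0) { e = errno; free(stack); return -e; }
    free(stack);
    if (req.err) return -req.err;

    *fd_out = req.fd;
    n = readlink("/proc/self/ns/net", parent_ns, sizeof(parent_ns) - 1);
    if (n <= 0 || req.ns[0] == '\0') {
        *same_ns = -1;
    } else {
        parent_ns[n] = '\0';
        *same_ns = strcmp(parent_ns, req.ns) == 0;
    }
    return 0;
}
```

When it succeeds, the returned descriptor can be used from the original namespace for send/receive, but the routes, interfaces and addresses it sees are those of the new, empty namespace; that is the configuration replication cost Patrick points out in his reply. Run unprivileged, the function returns -EPERM from the unshare() call and creates nothing.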



* Re: RFC: net 00/05: routing based send-to-self implementation
@ 2009-11-30 20:15       ` Patrick McHardy
From: Patrick McHardy @ 2009-11-30 20:15 UTC (permalink / raw)
  To: Benjamin LaHaise; +Cc: Ben Greear, Eric W. Biederman, netdev

Benjamin LaHaise wrote:
> On Mon, Nov 30, 2009 at 11:37:31AM -0800, Ben Greear wrote:
>> This doesn't work if you want to have one application manage lots of 
>> interfaces and send traffic between these interfaces.  Certainly there are 
>> use-cases that can use multiple name-spaces, but it's nice to have the 
>> option not to use them as well.
> 
> Actually, it's quite doable from within one application.  An application 
> I recently adapted to make use of multiple network namespaces within a single 
> process by way of pthreads and unshare(CLONE_NEWNET).  The scheme I used 
> is to just open the socket in a new namespace in a thread.  Since the 
> file descriptor table is still shared, it's easy to send/receive data from 
> any other thread, regardless of which virtual network namespace it's in.  
> All told, setting up virtual routers with namespaces is pretty easy.

Yes, that works for creating sockets. It gets more complicated
though if you want to change the network configuration of those devices
once created and moved to a different namespace. Besides that you
might have to replicate your other configuration, like iptables rules,
routing rules and routes, xfrm policies etc.


* Re: RFC: net 00/05: routing based send-to-self implementation
@ 2009-11-30 20:15       ` Ben Greear
From: Ben Greear @ 2009-11-30 20:15 UTC (permalink / raw)
  To: Benjamin LaHaise; +Cc: Eric W. Biederman, Patrick McHardy, netdev

On 11/30/2009 12:04 PM, Benjamin LaHaise wrote:
> On Mon, Nov 30, 2009 at 11:37:31AM -0800, Ben Greear wrote:
>> This doesn't work if you want to have one application manage lots of
>> interfaces and send traffic between these interfaces.  Certainly there are
>> use-cases that can use multiple name-spaces, but it's nice to have the
>> option not to use them as well.
>
> Actually, it's quite doable from within one application.  An application
> I recently adapted to make use of multiple network namespaces within a single
> process by way of pthreads and unshare(CLONE_NEWNET).  The scheme I used
> is to just open the socket in a new namespace in a thread.  Since the
> file descriptor table is still shared, it's easy to send/receive data from
> any other thread, regardless of which virtual network namespace it's in.
> All told, setting up virtual routers with namespaces is pretty easy.

That still sounds more complicated than the proposed routing table changes,
at least for my application.  Since I also want to gather stats, set/watch routes,
etc, on each network device, would I have to keep a thread and netlink socket
running in each name-space in order to see the various devices?

Thanks,
Ben

-- 
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc  http://www.candelatech.com



* Re: net 02/05: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME
  2009-11-30 17:55 ` net 02/05: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME Patrick McHardy
@ 2009-11-30 20:21   ` Jarek Poplawski
  2009-11-30 20:23     ` Patrick McHardy
  0 siblings, 1 reply; 22+ messages in thread
From: Jarek Poplawski @ 2009-11-30 20:21 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netdev

Patrick McHardy wrote, On 11/30/2009 06:55 PM:

> commit dc4427ae3647195508b4df883050a9f0ef111165
> Author: Patrick McHardy <kaber@trash.net>
> Date:   Mon Nov 30 15:54:05 2009 +0100
> 
>     net: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME
>     
>     The next patch will add oif classification, rename interface related members
>     and attributes to reflect that they're used for iif classification.
>     
>     Signed-off-by: Patrick McHardy <kaber@trash.net>
> 
> diff --git a/include/linux/fib_rules.h b/include/linux/fib_rules.h
> index c7e5b70..e3c91af 100644
> --- a/include/linux/fib_rules.h
> +++ b/include/linux/fib_rules.h
> @@ -8,7 +8,8 @@
>  #define FIB_RULE_PERMANENT	0x00000001
>  #define FIB_RULE_INVERT		0x00000002
>  #define FIB_RULE_UNRESOLVED	0x00000004
> -#define FIB_RULE_DEV_DETACHED	0x00000008
> +#define FIB_RULE_IIF_DETACHED	0x00000008
> +#define FIB_RULE_DEV_DETACHED	FIB_RULE_DEV_DETACHED

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Is it some trick?

Jarek P.


* Re: net 02/05: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME
  2009-11-30 20:21   ` Jarek Poplawski
@ 2009-11-30 20:23     ` Patrick McHardy
  0 siblings, 0 replies; 22+ messages in thread
From: Patrick McHardy @ 2009-11-30 20:23 UTC (permalink / raw)
  To: Jarek Poplawski; +Cc: netdev

Jarek Poplawski wrote:
> Patrick McHardy wrote, On 11/30/2009 06:55 PM:
> 
>> commit dc4427ae3647195508b4df883050a9f0ef111165
>> Author: Patrick McHardy <kaber@trash.net>
>> Date:   Mon Nov 30 15:54:05 2009 +0100
>>
>>     net: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME
>>     
>>     The next patch will add oif classification, rename interface related members
>>     and attributes to reflect that they're used for iif classification.
>>     
>>     Signed-off-by: Patrick McHardy <kaber@trash.net>
>>
>> diff --git a/include/linux/fib_rules.h b/include/linux/fib_rules.h
>> index c7e5b70..e3c91af 100644
>> --- a/include/linux/fib_rules.h
>> +++ b/include/linux/fib_rules.h
>> @@ -8,7 +8,8 @@
>>  #define FIB_RULE_PERMANENT	0x00000001
>>  #define FIB_RULE_INVERT		0x00000002
>>  #define FIB_RULE_UNRESOLVED	0x00000004
>> -#define FIB_RULE_DEV_DETACHED	0x00000008
>> +#define FIB_RULE_IIF_DETACHED	0x00000008
>> +#define FIB_RULE_DEV_DETACHED	FIB_RULE_DEV_DETACHED
> 
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Is it some trick?

D'oh, thanks for catching this :) I'll fix that up for the next
submission.


* Re: RFC: net 00/05: routing based send-to-self implementation
  2009-11-30 20:15       ` Ben Greear
@ 2009-11-30 20:23         ` Benjamin LaHaise
  0 siblings, 0 replies; 22+ messages in thread
From: Benjamin LaHaise @ 2009-11-30 20:23 UTC (permalink / raw)
  To: Ben Greear; +Cc: Eric W. Biederman, Patrick McHardy, netdev

On Mon, Nov 30, 2009 at 12:15:41PM -0800, Ben Greear wrote:
> That still sounds more complicated than the proposed routing table changes,

True.  I agree that being able to accept self-addressed packets via a 
sysctl can be useful.

> at least for my application.  Since I also want to gather stats, set/watch 
> routes,
> etc, on each network device, would I have to keep a thread and netlink 
> socket
> running in each name-space in order to see the various devices?

Yes.  My l2tp daemon is still single threaded internally, so it uses an 
rpc through the threads to open UDP, netlink and L2TP sockets, then manages 
everything from the main event loop.  The thread has to be kept around to 
keep the namespace's task id alive in case one wants to move anything in/out 
of the namespace.

		-ben


* Re: net 03/05: fib_rules: add oif classification
  2009-11-30 17:55 ` net 03/05: fib_rules: add oif classification Patrick McHardy
@ 2009-11-30 22:31   ` Jarek Poplawski
  2009-12-01  9:32     ` Patrick McHardy
  0 siblings, 1 reply; 22+ messages in thread
From: Jarek Poplawski @ 2009-11-30 22:31 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netdev

Patrick McHardy wrote, On 11/30/2009 06:55 PM:

> commit b3fe9e6465a572e97dc1bb6222c1ec4224285817
> Author: Patrick McHardy <kaber@trash.net>
> Date:   Mon Nov 30 16:00:51 2009 +0100
> 
>     net: fib_rules: add oif classification

...

> diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h
> index 62bebcb..d4e875a 100644
> --- a/include/net/fib_rules.h
> +++ b/include/net/fib_rules.h
> @@ -11,6 +11,7 @@ struct fib_rule {
>  	struct list_head	list;
>  	atomic_t		refcnt;
>  	int			iifindex;
> +	int			oifindex;

Doesn't it "break" the cacheline fix from 01/05?

Jarek P.

>  	u32			mark;
>  	u32			mark_mask;
>  	u32			pref;
> @@ -20,6 +21,7 @@ struct fib_rule {
>  	u32			target;
>  	struct fib_rule *	ctarget;
>  	char			iifname[IFNAMSIZ];
> +	char			oifname[IFNAMSIZ];
>  	struct rcu_head		rcu;
>  	struct net *		fr_net;
>  };
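Review bot: the `char oifname[IFNAMSIZ]` added in the second hunk directly follows `iifname`, so both name arrays sit after `ctarget` and away from the integer match fields; the question raised at the first hunk (whether `int oifindex` undoes the cacheline fix from 01/05) would be pre-empted by stating the resulting struct offsets in the commit message, in particular where `oifindex` lands relative to `iifindex` and `mark`.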



* Re: net 03/05: fib_rules: add oif classification
  2009-11-30 22:31   ` Jarek Poplawski
@ 2009-12-01  9:32     ` Patrick McHardy
  2009-12-01  9:48       ` Jarek Poplawski
  0 siblings, 1 reply; 22+ messages in thread
From: Patrick McHardy @ 2009-12-01  9:32 UTC (permalink / raw)
  To: Jarek Poplawski; +Cc: netdev

Jarek Poplawski wrote:
> Patrick McHardy wrote, On 11/30/2009 06:55 PM:
>   
>> diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h
>> index 62bebcb..d4e875a 100644
>> --- a/include/net/fib_rules.h
>> +++ b/include/net/fib_rules.h
>> @@ -11,6 +11,7 @@ struct fib_rule {
>>  	struct list_head	list;
>>  	atomic_t		refcnt;
>>  	int			iifindex;
>> +	int			oifindex;
>>     
>
> Doesn't it "break" the cacheline fix from 01/05?

No, there's a 4 byte hole which is plugged by this:

struct fib_rule {
        struct list_head           list;                 /*     0    16 */
        atomic_t                   refcnt;               /*    16     4 */
        int                        iifindex;             /*    20     4 */
        int                        oifindex;             /*    24     4 */
        u32                        mark;                 /*    28     4 */
        u32                        mark_mask;            /*    32     4 */
        u32                        pref;                 /*    36     4 */
        u32                        flags;                /*    40     4 */
        u32                        table;                /*    44     4 */
        u8                         action;               /*    48     1 */

        /* XXX 3 bytes hole, try to pack */

        u32                        target;               /*    52     4 */
        struct fib_rule *          ctarget;              /*    56     8 */
        /* --- cacheline 1 boundary (64 bytes) --- */
        char                       iifname[16];          /*    64    16 */
        char                       oifname[16];          /*    80    16 */
        struct rcu_head            rcu;                  /*    96    16 */
        struct net *               fr_net;               /*   112     8 */
        /* size: 120, cachelines: 2 */
        /* sum members: 117, holes: 1, sum holes: 3 */
        /* last cacheline: 56 bytes */
};      /* definitions: 1 */




* Re: net 03/05: fib_rules: add oif classification
  2009-12-01  9:32     ` Patrick McHardy
@ 2009-12-01  9:48       ` Jarek Poplawski
  0 siblings, 0 replies; 22+ messages in thread
From: Jarek Poplawski @ 2009-12-01  9:48 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netdev

On Tue, Dec 01, 2009 at 10:32:40AM +0100, Patrick McHardy wrote:
> Jarek Poplawski wrote:
> > Patrick McHardy wrote, On 11/30/2009 06:55 PM:
> >   
> >> diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h
> >> index 62bebcb..d4e875a 100644
> >> --- a/include/net/fib_rules.h
> >> +++ b/include/net/fib_rules.h
> >> @@ -11,6 +11,7 @@ struct fib_rule {
> >>  	struct list_head	list;
> >>  	atomic_t		refcnt;
> >>  	int			iifindex;
> >> +	int			oifindex;
> >>     
> >
> > Doesn't it "break" the cacheline fix from 01/05?
> 
> No, there's a 4 byte hole which is plugged by this:
> 

Right, I missed it, sorry.

Jarek P.


* Re: net 04/05: fib_rules: allow to delete local rule
  2009-11-30 17:55 ` net 04/05: fib_rules: allow to delete local rule Patrick McHardy
@ 2009-12-01 13:23   ` jamal
  2009-12-01 17:12     ` Alexey Kuznetsov
  0 siblings, 1 reply; 22+ messages in thread
From: jamal @ 2009-12-01 13:23 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netdev, kuznet, robert


Nice. I recall there was a lot of sentiment against this back
when - in particular from Alexey. I can't remember the details,
nor can I think off the top of my head why this would be bad
other than allowing people to shoot their big toe without
knowing it.
CCing Robert and Alexey. Mass quoting to provide context for
both Alexey and Robert.

cheers,
jamal


On Mon, 2009-11-30 at 18:55 +0100, Patrick McHardy wrote:
> commit ca1ba96aaa05cc0a2a7f172990e7787354c8b7b9
> Author: Patrick McHardy <kaber@trash.net>
> Date:   Mon Nov 30 16:05:51 2009 +0100
> 
>     net: fib_rules: allow to delete local rule
>     
>     Allow to delete the local rule and recreate it with a lower priority. This
>     can be used to force packets with a local destination out on the wire instead
>     of routing them to loopback. Additionally this patch allows to recreate rules
>     with a priority of 0.
>     
>     Combined with the previous patch to allow oif classification, a socket can
>     be bound to the desired interface and packets routed to the wire like this:
>     
>     # move local rule to lower priority
>     ip rule add pref 1000 lookup local
>     ip rule del pref 0
>     
>     # route packets of sockets bound to eth0 to the wire independent
>     # of the destination address
>     ip rule add pref 100 oif eth0 lookup 100
>     ip route add default dev eth0 lookup 100
>     
>     Signed-off-by: Patrick McHardy <kaber@trash.net>
> 
> diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
> index d1a70ad..ef0e7d9 100644
> --- a/net/core/fib_rules.c
> +++ b/net/core/fib_rules.c
> @@ -287,7 +287,7 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
>  	rule->flags = frh->flags;
>  	rule->table = frh_get_table(frh, tb);
>  
> -	if (!rule->pref && ops->default_pref)
> +	if (!tb[FRA_PRIORITY] && ops->default_pref)
>  		rule->pref = ops->default_pref(ops);
>  
>  	err = -EINVAL;
> diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
> index 835262c..1239ed2 100644
> --- a/net/ipv4/fib_rules.c
> +++ b/net/ipv4/fib_rules.c
> @@ -284,7 +284,7 @@ static int fib_default_rules_init(struct fib_rules_ops *ops)
>  {
>  	int err;
>  
> -	err = fib_default_rule_add(ops, 0, RT_TABLE_LOCAL, FIB_RULE_PERMANENT);
> +	err = fib_default_rule_add(ops, 0, RT_TABLE_LOCAL, 0);
>  	if (err < 0)
>  		return err;
>  	err = fib_default_rule_add(ops, 0x7FFE, RT_TABLE_MAIN, 0);
> diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c
> index 00a7a5e..3b38f49 100644
> --- a/net/ipv6/fib6_rules.c
> +++ b/net/ipv6/fib6_rules.c
> @@ -276,7 +276,7 @@ static int fib6_rules_net_init(struct net *net)
>  	INIT_LIST_HEAD(&net->ipv6.fib6_rules_ops->rules_list);
>  
>  	err = fib_default_rule_add(net->ipv6.fib6_rules_ops, 0,
> -				   RT6_TABLE_LOCAL, FIB_RULE_PERMANENT);
> +				   RT6_TABLE_LOCAL, 0);
>  	if (err)
>  		goto out_fib6_rules_ops;
>  



* Re: net 04/05: fib_rules: allow to delete local rule
  2009-12-01 13:23   ` jamal
@ 2009-12-01 17:12     ` Alexey Kuznetsov
  2009-12-01 17:38       ` Patrick McHardy
  0 siblings, 1 reply; 22+ messages in thread
From: Alexey Kuznetsov @ 2009-12-01 17:12 UTC (permalink / raw)
  To: jamal; +Cc: Patrick McHardy, netdev, robert

Hello!

> Nice. I recall there was a lot of sentiment against this back
> when - in particular from Alexey. I cant remember the details

Indeed, I refused to do this.

Sometimes, we have to determine that an address is local in a context
where we do not have the information to form a proper request to the rule database.
In this case we do a direct lookup in a fixed table, which is designated
to contain local routes. So rule 0 was hardwired to look up the
same table.

Frankly, it will work provided we do not require too much self-consistency.
Those days I could not stand this, but it is not illegal.

Alexey


* Re: net 04/05: fib_rules: allow to delete local rule
  2009-12-01 17:12     ` Alexey Kuznetsov
@ 2009-12-01 17:38       ` Patrick McHardy
  0 siblings, 0 replies; 22+ messages in thread
From: Patrick McHardy @ 2009-12-01 17:38 UTC (permalink / raw)
  To: Alexey Kuznetsov; +Cc: jamal, netdev, robert

Alexey Kuznetsov wrote:
> Hello!
> 
>> Nice. I recall there was a lot of sentiment against this back
>> when - in particular from Alexey. I cant remember the details
> 
> Indeed, I refused to do this.
> 
> Sometimes, we have to determine that an address is local in a context
> where we do not have the information to form a proper request to the rule database.
> In this case we do a direct lookup in a fixed table, which is designated
> to contain local routes. So rule 0 was hardwired to look up the
> same table.

Yes, you have to carefully set up your rules preceding the local
rule when using this. Using marks or oif should work fine without
affecting the cases where we just need some information like the
device or addresses.

> Frankly, it will work provided we do not require too much self-consistency.
> Those days I could not stand this, but it is not illegal.

In fact, you should already be able to do this by moving the
contents of the local table to a different one :)


* Re: RFC: net 00/05: routing based send-to-self implementation
  2009-11-30 17:55 RFC: net 00/05: routing based send-to-self implementation Patrick McHardy
                   ` (5 preceding siblings ...)
  2009-11-30 19:32 ` RFC: net 00/05: routing based send-to-self implementation Eric W. Biederman
@ 2009-12-03  6:32 ` David Miller
  6 siblings, 0 replies; 22+ messages in thread
From: David Miller @ 2009-12-03  6:32 UTC (permalink / raw)
  To: kaber; +Cc: netdev


I'm fine with these changes.  Feel free to formally send a refreshed
set with the macro problems in patch #2 fixed etc.

Thanks.


* net 04/05: fib_rules: allow to delete local rule
  2009-12-03 11:25 Patrick McHardy
@ 2009-12-03 11:25 ` Patrick McHardy
  0 siblings, 0 replies; 22+ messages in thread
From: Patrick McHardy @ 2009-12-03 11:25 UTC (permalink / raw)
  To: davem; +Cc: netdev, Patrick McHardy

commit d124356ce314fff22a047ea334379d5105b2d834
Author: Patrick McHardy <kaber@trash.net>
Date:   Thu Dec 3 12:16:35 2009 +0100

    net: fib_rules: allow to delete local rule
    
    Allow to delete the local rule and recreate it with a higher priority. This
    can be used to force packets with a local destination out on the wire instead
    of routing them to loopback. Additionally this patch allows to recreate rules
    with a priority of 0.
    
    Combined with the previous patch to allow oif classification, a socket can
    be bound to the desired interface and packets routed to the wire like this:
    
    # move local rule to lower priority
    ip rule add pref 1000 lookup local
    ip rule del pref 0
    
    # route packets of sockets bound to eth0 to the wire independent
    # of the destination address
    ip rule add pref 100 oif eth0 lookup 100
    ip route add default dev eth0 table 100
    
    Signed-off-by: Patrick McHardy <kaber@trash.net>

diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index d1a70ad..ef0e7d9 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -287,7 +287,7 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
 	rule->flags = frh->flags;
 	rule->table = frh_get_table(frh, tb);
 
-	if (!rule->pref && ops->default_pref)
+	if (!tb[FRA_PRIORITY] && ops->default_pref)
 		rule->pref = ops->default_pref(ops);
 
 	err = -EINVAL;
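Review bot: the new test `if (!tb[FRA_PRIORITY] && ops->default_pref)` changes what an explicit priority of 0 means: it is now kept as 0 instead of being replaced by `ops->default_pref(ops)`, while a request that omits FRA_PRIORITY still gets the default. The old `!rule->pref` could not tell "unspecified" from "zero", and this distinction is exactly what the "recreate rules with a priority of 0" sentence in the commit message relies on, so it is worth one explicit sentence there.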
diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
index 835262c..1239ed2 100644
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -284,7 +284,7 @@ static int fib_default_rules_init(struct fib_rules_ops *ops)
 {
 	int err;
 
-	err = fib_default_rule_add(ops, 0, RT_TABLE_LOCAL, FIB_RULE_PERMANENT);
+	err = fib_default_rule_add(ops, 0, RT_TABLE_LOCAL, 0);
 	if (err < 0)
 		return err;
 	err = fib_default_rule_add(ops, 0x7FFE, RT_TABLE_MAIN, 0);
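Review bot: dropping FIB_RULE_PERMANENT from the pref-0 local rule makes it deletable like the main rule at 0x7FFE below it, but as Alexey notes in this thread the kernel still looks up the local table directly in contexts without rule information, so deleting pref 0 without first adding another `lookup local` rule leaves rule-based and direct lookups disagreeing. Suggest the commit message say that the replacement rule must be added before the deletion (the example already does `ip rule add pref 1000 lookup local` before `ip rule del pref 0`), and reconcile "recreate it with a higher priority" in the text with "move local rule to lower priority" in the example comment by stating the preference number instead.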
diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c
index 00a7a5e..3b38f49 100644
--- a/net/ipv6/fib6_rules.c
+++ b/net/ipv6/fib6_rules.c
@@ -276,7 +276,7 @@ static int fib6_rules_net_init(struct net *net)
 	INIT_LIST_HEAD(&net->ipv6.fib6_rules_ops->rules_list);
 
 	err = fib_default_rule_add(net->ipv6.fib6_rules_ops, 0,
-				   RT6_TABLE_LOCAL, FIB_RULE_PERMANENT);
+				   RT6_TABLE_LOCAL, 0);
 	if (err)
 		goto out_fib6_rules_ops;
 
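Review bot: the IPv6 default rule gets the same flag change in fib6_rules_net_init, but the commit message example only shows the IPv4 `ip rule` commands; a sentence noting that the IPv6 local rule is deletable in the same way (`ip -6 rule` for the equivalent setup) would keep readers from assuming the change is IPv4-only.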

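The rule setup from the commit message above, wrapped in the two checks a practitioner would want around it: that some rule other than pref 0 still looks up the local table before pref 0 is deleted, and that the oif rule is consulted before the recreated local rule (the ordering point Patrick makes to Alexey). This is an added shell example, not code from the patch or from anyone in the thread. It reuses eth0, table 100, pref 100 and pref 1000 from the commit message, assumes the `ip rule show` output format with the `lookup <table>` wording that iproute2 prints, and the sample listings are constructed rather than captured from a host.

```shell
#!/bin/sh
# Added example (not from the thread or the patch): guard checks for the
# "move the local rule, then delete pref 0" procedure. Both checks parse
# `ip rule show` output on stdin; lines look like
#   "1000:\tfrom all lookup local"  and  "100:\tfrom all oif eth0 lookup 100"
# (assumption: iproute2's "lookup <table>" wording).

# local_rule_present: succeed (exit 0) only if a rule with a preference other
# than 0 looks up the local table. The kernel still resolves local addresses
# by a direct lookup of that table in some contexts, so the rule database must
# keep reaching it too, or the two lookups disagree.
local_rule_present() {
    awk '
        $1 != "0:" && $(NF-1) == "lookup" && $NF == "local" { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# oif_rule_precedes_local IFACE: succeed only if a rule matching "oif IFACE"
# has a numerically lower preference (consulted earlier) than the rule that
# looks up the local table. A rule placed after the local rule never sees
# packets for local destinations; they already went to loopback.
oif_rule_precedes_local() {
    awk -v iface="$1" '
        {
            pref = $1; sub(/:$/, "", pref)
            for (i = 2; i < NF; i++)
                if ($i == "oif" && $(i + 1) == iface) oif_pref = pref
            if ($(NF-1) == "lookup" && $NF == "local") local_pref = pref
        }
        END {
            if (oif_pref == "" || local_pref == "") exit 1
            exit ((oif_pref + 0 < local_pref + 0) ? 0 : 1)
        }
    '
}

# apply_send_to_self IFACE TABLE: the commit message sequence, refusing to
# delete pref 0 until the replacement local rule is visible. Needs root and
# is not run by default; the dry run below uses constructed listings.
apply_send_to_self() {
    iface=$1; table=$2
    ip rule add pref 1000 lookup local
    ip rule show | local_rule_present || {
        echo "refusing to delete pref 0: no other rule looks up local" >&2
        return 1
    }
    ip rule del pref 0
    ip rule add pref 100 oif "$iface" lookup "$table"
    ip route add default dev "$iface" table "$table"
    ip rule show | oif_rule_precedes_local "$iface"
}

# Constructed sample listings (not captured from a real host).
SAMPLE_BEFORE='0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default'
SAMPLE_AFTER='100:	from all oif eth0 lookup 100
1000:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default'

printf '%s\n' "$SAMPLE_BEFORE" | local_rule_present \
    && echo "before: safe to delete pref 0" \
    || echo "before: only pref 0 looks up local, add the replacement first"
printf '%s\n' "$SAMPLE_AFTER" | oif_rule_precedes_local eth0 \
    && echo "after: eth0 rule precedes the local rule" \
    || echo "after: oif rule does not precede the local rule"
```

The second check is the one that matters once the procedure is applied: an `oif` rule added with a preference larger than the recreated local rule's leaves the configuration looking complete in `ip rule show` while local destinations still go to loopback, which is the careful-ordering point Patrick raises in his reply to Alexey.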
