[PATCH nf v2 0/2] netfilter: Fix/update mangled packet re-routing within VRF domains

[PATCH nf v2 0/2] netfilter: Fix/update mangled packet re-routing within VRF domains

[Martin Willi]

The first patch fixes re-routing of IPv6 packets mangled by Netfilter 
rules to consider the layer 3 VRF domain. The second patch updates both 
IPv4 and IPv6 re-routing to use the recently added l3mdev flow key instead
of abusing the oif flow key to select the L3 domain.

These patches have been explicitly split up to allow stable to pick up the
first patch as-is.

Changes in v2:
- Add a second patch to migrate IPv4/6 re-routing to l3mdev flow key

Martin Willi (2):
  netfilter: Update ip6_route_me_harder to consider L3 domain
  netfilter: Use l3mdev flow key when re-routing mangled packets

 net/ipv4/netfilter.c | 3 +--
 net/ipv6/netfilter.c | 9 +++++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

-- 
2.25.1

[PATCH nf v2 1/2] netfilter: Update ip6_route_me_harder to consider L3 domain

[Martin Willi]

The commit referenced below fixed packet re-routing if Netfilter mangles
a routing key property of a packet and the packet is routed in a VRF L3
domain. The fix, however, addressed IPv4 re-routing, only.

This commit applies the same behavior for IPv6. While at it, untangle
the nested ternary operator to make the code more readable.

Fixes: 6d8b49c3a3a3 ("netfilter: Update ip_route_me_harder to consider L3 domain")
Cc: stable@vger.kernel.org
Signed-off-by: Martin Willi <martin@strongswan.org>
---
 net/ipv6/netfilter.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 1da332450d98..8ce60ab89015 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -24,14 +24,13 @@ int ip6_route_me_harder(struct net *net, struct sock *sk_partial, struct sk_buff
 {
 	const struct ipv6hdr *iph = ipv6_hdr(skb);
 	struct sock *sk = sk_to_full_sk(sk_partial);
+	struct net_device *dev = skb_dst(skb)->dev;
 	struct flow_keys flkeys;
 	unsigned int hh_len;
 	struct dst_entry *dst;
 	int strict = (ipv6_addr_type(&iph->daddr) &
 		      (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL));
 	struct flowi6 fl6 = {
-		.flowi6_oif = sk && sk->sk_bound_dev_if ? sk->sk_bound_dev_if :
-			strict ? skb_dst(skb)->dev->ifindex : 0,
 		.flowi6_mark = skb->mark,
 		.flowi6_uid = sock_net_uid(net, sk),
 		.daddr = iph->daddr,
@@ -39,6 +38,13 @@ int ip6_route_me_harder(struct net *net, struct sock *sk_partial, struct sk_buff
 	};
 	int err;
 
+	if (sk && sk->sk_bound_dev_if)
+		fl6.flowi6_oif = sk->sk_bound_dev_if;
+	else if (strict)
+		fl6.flowi6_oif = dev->ifindex;
+	else
+		fl6.flowi6_oif = l3mdev_master_ifindex(dev);
+
 	fib6_rules_early_flow_dissect(net, skb, &fl6, &flkeys);
 	dst = ip6_route_output(net, sk, &fl6);
 	err = dst->error;
-- 
2.25.1

[PATCH nf v2 2/2] netfilter: Use l3mdev flow key when re-routing mangled packets

[Martin Willi]

Commit 40867d74c374 ("net: Add l3mdev index to flow struct and avoid oif
reset for port devices") introduces a flow key specific for layer 3
domains, such as a VRF master device. This allows for explicit VRF domain
selection instead of abusing the oif flow key.

Update ip[6]_route_me_harder() to make use of that new key when re-routing
mangled packets within VRFs instead of setting the flow oif, making it
consistent with other users.

Signed-off-by: Martin Willi <martin@strongswan.org>
---
 net/ipv4/netfilter.c | 3 +--
 net/ipv6/netfilter.c | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index aff707988e23..bd135165482a 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -45,8 +45,7 @@ int ip_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb, un
 	fl4.saddr = saddr;
 	fl4.flowi4_tos = RT_TOS(iph->tos);
 	fl4.flowi4_oif = sk ? sk->sk_bound_dev_if : 0;
-	if (!fl4.flowi4_oif)
-		fl4.flowi4_oif = l3mdev_master_ifindex(dev);
+	fl4.flowi4_l3mdev = l3mdev_master_ifindex(dev);
 	fl4.flowi4_mark = skb->mark;
 	fl4.flowi4_flags = flags;
 	fib4_rules_early_flow_dissect(net, skb, &fl4, &flkeys);
diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c
index 8ce60ab89015..857713d7a38a 100644
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
@@ -31,6 +31,7 @@ int ip6_route_me_harder(struct net *net, struct sock *sk_partial, struct sk_buff
 	int strict = (ipv6_addr_type(&iph->daddr) &
 		      (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL));
 	struct flowi6 fl6 = {
+		.flowi6_l3mdev = l3mdev_master_ifindex(dev),
 		.flowi6_mark = skb->mark,
 		.flowi6_uid = sock_net_uid(net, sk),
 		.daddr = iph->daddr,
@@ -42,8 +43,6 @@ int ip6_route_me_harder(struct net *net, struct sock *sk_partial, struct sk_buff
 		fl6.flowi6_oif = sk->sk_bound_dev_if;
 	else if (strict)
 		fl6.flowi6_oif = dev->ifindex;
-	else
-		fl6.flowi6_oif = l3mdev_master_ifindex(dev);
 
 	fib6_rules_early_flow_dissect(net, skb, &fl6, &flkeys);
 	dst = ip6_route_output(net, sk, &fl6);
-- 
2.25.1

Re: [PATCH nf v2 1/2] netfilter: Update ip6_route_me_harder to consider L3 domain

[David Ahern]

On 4/19/22 7:47 AM, Martin Willi wrote:
> The commit referenced below fixed packet re-routing if Netfilter mangles
> a routing key property of a packet and the packet is routed in a VRF L3
> domain. The fix, however, addressed IPv4 re-routing, only.
> 
> This commit applies the same behavior for IPv6. While at it, untangle
> the nested ternary operator to make the code more readable.
> 
> Fixes: 6d8b49c3a3a3 ("netfilter: Update ip_route_me_harder to consider L3 domain")
> Cc: stable@vger.kernel.org
> Signed-off-by: Martin Willi <martin@strongswan.org>
> ---
>  net/ipv6/netfilter.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 

Reviewed-by: David Ahern <dsahern@kernel.org>

Re: [PATCH nf v2 2/2] netfilter: Use l3mdev flow key when re-routing mangled packets

[David Ahern]

On 4/19/22 7:47 AM, Martin Willi wrote:
> Commit 40867d74c374 ("net: Add l3mdev index to flow struct and avoid oif
> reset for port devices") introduces a flow key specific for layer 3
> domains, such as a VRF master device. This allows for explicit VRF domain
> selection instead of abusing the oif flow key.
> 
> Update ip[6]_route_me_harder() to make use of that new key when re-routing
> mangled packets within VRFs instead of setting the flow oif, making it
> consistent with other users.
> 
> Signed-off-by: Martin Willi <martin@strongswan.org>
> ---
>  net/ipv4/netfilter.c | 3 +--
>  net/ipv6/netfilter.c | 3 +--
>  2 files changed, 2 insertions(+), 4 deletions(-)
> 
>

This one will go to -next

Reviewed-by: David Ahern <dsahern@kernel.org>

Re: [PATCH nf v2 1/2] netfilter: Update ip6_route_me_harder to consider L3 domain

[Pablo Neira Ayuso]

On Tue, Apr 19, 2022 at 03:47:00PM +0200, Martin Willi wrote:
> The commit referenced below fixed packet re-routing if Netfilter mangles
> a routing key property of a packet and the packet is routed in a VRF L3
> domain. The fix, however, addressed IPv4 re-routing, only.
> 
> This commit applies the same behavior for IPv6. While at it, untangle
> the nested ternary operator to make the code more readable.

Applied to nf.git

Re: [PATCH nf v2 2/2] netfilter: Use l3mdev flow key when re-routing mangled packets

[Pablo Neira Ayuso]

On Tue, Apr 19, 2022 at 03:47:01PM +0200, Martin Willi wrote:
> Commit 40867d74c374 ("net: Add l3mdev index to flow struct and avoid oif
> reset for port devices") introduces a flow key specific for layer 3
> domains, such as a VRF master device. This allows for explicit VRF domain
> selection instead of abusing the oif flow key.
> 
> Update ip[6]_route_me_harder() to make use of that new key when re-routing
> mangled packets within VRFs instead of setting the flow oif, making it
> consistent with other users.

Applied to nf-next