On Fri, Mar 25, 2022 at 08:13:55AM -0600, David Ahern wrote:
> On 3/24/22 11:19 AM, Stephen Suryaputra wrote:
> > Hello,
> > 
> > After upgrading to a kernel version that has commit 3c82a21f4320c ("net:
> > allow binding socket in a VRF when there's an unbound socket") several
> > of our applications don't work anymore. We are relying on the previous
> > behavior, i.e. when packets arrive on an l3mdev enslaved device, the
> > unbound sockets are matched.
> > 
> > I understand the use case for the commit but given that the previous
> > behavior has been there for quite some time since the VRF introduction,
> > should there be a configurable option to get the previous behavior? The
> > option could be having the default be the behavior achieved by the
> > commit.
> > 
> 
> I thought the behavior was controlled by the l3mdev sysctl knobs.

The addresses for Mike and Robert bounced. So, removing them from the
thread.

The problem is that our system uses a fallback rule to a vrf, e.g.:

1000:   from all lookup [l3mdev-table]
32765:  from all lookup local
32766:  from all lookup main
32767:  from all lookup default
32768:  from all lookup 256

to force traffic to go out of the vrf-enslaved interface. When the host
with the vrf initiates tcp connection, the received SYN+ACK fails to
find a matching socket after the commit. See the traffic dump:

08:51:28.625806 IP 10.1.1.1.48076 > 10.1.1.2.1499: Flags [S], seq 2060777757, win 64240, options [mss 1460,sackOK,TS val 3307983770 ecr 0,nop,wscale 7], length 0
08:51:28.625831 IP 10.1.1.2.1499 > 10.1.1.1.48076: Flags [S.], seq 4017990855, ack 2060777758, win 65160, options [mss 1460,sackOK,TS val 1658979570 ecr 3307983770,nop,wscale 7], length 0
08:51:28.625837 IP 10.1.1.1.48076 > 10.1.1.2.1499: Flags [R], seq 2060777758, win 0, length 0

The reproducer script is attached.

Thanks,

Stephen.