On 10/7/21 12:41 AM, Leonard Crestez wrote:
On 07.10.2021 04:14, David Ahern wrote:
On 10/6/21 11:48 AM, Leonard Crestez wrote:
@@ -1103,11 +1116,11 @@ static struct tcp_md5sig_key
*tcp_md5_do_lookup_exact(const struct sock *sk,
#endif
hlist_for_each_entry_rcu(key, &md5sig->head, node,
lockdep_sock_is_held(sk)) {
if (key->family != family)
continue;
- if (key->l3index && key->l3index != l3index)
+ if (key->l3index != l3index)
That seems like the bug fix there. The L3 reference needs to match for
new key and existing key. I think the same change is needed in
__tcp_md5_do_lookup.
Current behavior is that keys added without tcpm_ifindex will match
connections both inside and outside VRFs. Changing this might break real
applications, is it really OK to claim that this behavior was a bug all
along?
no.
It's been a few years. I need to refresh on the logic and that is not
going to happen before this weekend.