Re: fwmark based routing stopped working in 2.6.32

From: Pascal Hambourg
Date: Fri Jan 29 2010 - 10:38:39 EST


Hello,

Nebojsa Trpkovic wrote:
[...]
> I've checked, and my source route verification is turned off for these
> ifaces:
> ###################################################
> etc # sysctl net.ipv4.conf.default.rp_filter
> net.ipv4.conf.default.rp_filter = 1
> etc # sysctl net.ipv4.conf.eth2.rp_filter
> net.ipv4.conf.eth2.rp_filter = 0
> etc # sysctl net.ipv4.conf.eth3.rp_filter
> net.ipv4.conf.eth3.rp_filter = 0
> ###################################################
> changing that to "=1" doesn't solve the problem.
[...]
> any idea what could go wrong and why does my system discard packets
> from eth3 if they are not routed by main routing table?
>
> any info on what could be changed between kernels 2.6.29 and 2.6.32
> regarding this issue?

If net.ipv4.conf.all.rp_filter=1, your issue may be related to the two
following changes.

=======================================================================
In 2.6.30:
commit c1cf8422f0512c2b14f0d66bce34abb0645c888a
Author: Stephen Hemminger <shemminger@xxxxxxxxxx>
Date: Fri Feb 20 08:25:36 2009 +0000

ip: add loose reverse path filtering

Extend existing reverse path filter option to allow strict or loose
filtering. (See http://en.wikipedia.org/wiki/Reverse_path_filtering).

For compatibility with existing usage, the value 1 is chosen for
strict mode and 2 for loose mode.
=======================================================================
In 2.6.31:
commit 27fed4175acf81ddd91d9a4ee2fd298981f60295
Author: Stephen Hemminger <shemminger@xxxxxxxxxx>
Date: Mon Jul 27 18:39:45 2009 -0700

ip: fix logic of reverse path filter sysctl

Even though reverse path filter was changed from simple boolean to
trinary control, the loose mode only works if both all and device are
configured because of this logic error.
=======================================================================

The first patch changed rp_filter from a boolean to an integer, and the
second patch changed the way the interface-specific value and the "all"
value are combined to produce a functional value from a logical AND to
an arithmetic MAX.

Before patches: functional value = interface AND all
After patches: functional value = MAX(interface, all)

So now if net.ipv4.conf.all.rp_filter=1, source validation is enabled on
all interfaces as their functional value is at least 1. You may either
set net.ipv4.conf.all.rp_filter to 0 (to disable it) or 2 (to enable
loose mode globally), or set net.ipv4.conf.$interface.rp_filter to 2 (to
enable loose mode on $interface).

I guess that the patch suggested by Dave Miller is related to another
(apparently incomplete) change that occurred in 2.6.32:

=======================================================================
commit b0c110ca8e89f2c9cd52ec7fb1b98c5b7aa78496
Author: jamal <hadi@xxxxxxxxxx>
Date: Sun Oct 18 02:12:33 2009 +0000

net: Fix RPF to work with policy routing

Policy routing is not looked up by mark on reverse path filtering.
This fixes it.
=======================================================================

IIUC, the purpose of this change is to allow enabling reverse path
filtering along with fwmark-based policy routing. I guess it works if
incoming packets have the same mark as outgoing packets, but I have not
tried it yet.
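The two combination rules described in the reply (boolean AND before 2.6.31, arithmetic MAX from 2.6.31 on) are easy to get wrong when reading a sysctl tree by hand, because the per-interface "0" looks like "off" under both rules but is not. The script below is an added example, not code from the thread or from the kernel: it models both rules as shell functions and reports the effective rp_filter mode for every interface under a sysctl tree. The tree it walks defaults to /proc/sys, but the demo at the bottom builds a constructed copy reproducing the poster's settings (all=1, eth2=0, eth3=0) so that it runs offline without root or a particular kernel version.

```shell
#!/bin/sh
# Added example (not from the mailing list thread). Computes the functional
# rp_filter value for each interface under both combination rules:
#   pre-2.6.31:  interface AND all   (boolean; non-zero means on)
#   2.6.31+:     MAX(interface, all) (0 = off, 1 = strict, 2 = loose)

# Old rule: filtering is on only if both the "all" and the interface value
# are non-zero. $1 = all value, $2 = interface value.
rpf_old() {
    if [ "$1" -ne 0 ] && [ "$2" -ne 0 ]; then echo 1; else echo 0; fi
}

# New rule: the larger of the two values wins, so all=1 forces at least
# strict mode on every interface whatever the interface value says.
rpf_new() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

rpf_mode_name() {
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo "unknown($1)" ;;
    esac
}

# Walk a sysctl tree ($1, default /proc/sys) and print, per interface, the
# raw values and the effective mode under each rule. "all" and "default"
# are skipped because they are not interfaces.
report() {
    tree="${1:-/proc/sys}"
    all=$(cat "$tree/net/ipv4/conf/all/rp_filter")
    for d in "$tree"/net/ipv4/conf/*/; do
        ifc=$(basename "$d")
        case "$ifc" in all|default) continue ;; esac
        v=$(cat "$d/rp_filter")
        printf '%-6s if=%s all=%s old=%s new=%s\n' "$ifc" "$v" "$all" \
            "$(rpf_mode_name "$(rpf_old "$all" "$v")")" \
            "$(rpf_mode_name "$(rpf_new "$all" "$v")")"
    done
}

# Constructed sample tree mirroring the poster's sysctl output:
# all=1, default=1, eth2=0, eth3=0. Prints the temporary root directory.
make_sample() {
    tmp=$(mktemp -d)
    for i in all default eth2 eth3; do
        mkdir -p "$tmp/net/ipv4/conf/$i"
    done
    echo 1 > "$tmp/net/ipv4/conf/all/rp_filter"
    echo 1 > "$tmp/net/ipv4/conf/default/rp_filter"
    echo 0 > "$tmp/net/ipv4/conf/eth2/rp_filter"
    echo 0 > "$tmp/net/ipv4/conf/eth3/rp_filter"
    echo "$tmp"
}

# Demo: under the old rule eth2/eth3 show "off"; under the new rule the
# same values yield "strict", which is exactly the surprise in the thread.
sample=$(make_sample)
report "$sample"
rm -rf "$sample"
```

To inspect a live system instead of the constructed tree, source the script and call `report` with no argument; on a 2.6.31 or later kernel, an interface whose line reads `new=strict` while `if=0` is the case the reply describes, and the fix is either `all=0`, `all=2`, or that interface set to 2.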