Re: [PATCH v3] net: netfilter: Fix rpfilter dropping vrf packets by mistake

From: linmiaohe
Date: Mon May 13 2019 - 09:27:26 EST

On 2019/5/13 17:42, Pablo Neira Ayuso wrote:
> On Thu, Apr 25, 2019 at 09:43:53PM +0800, linmiaohe wrote:
>> From: Miaohe Lin <linmiaohe@xxxxxxxxxx>
>>
>> When firewalld is enabled with ipv4/ipv6 rpfilter, vrf
>> ipv4/ipv6 packets will be dropped because the in device is
>> vrf but the out device is an enslaved device, so they fail
>> the rpfilter check.
>>
>> Signed-off-by: Miaohe Lin <linmiaohe@xxxxxxxxxx>
>> ---
>> net/ipv4/netfilter/ipt_rpfilter.c | 1 +
>> net/ipv6/netfilter/ip6t_rpfilter.c | 10 +++++++++-
>> 2 files changed, 10 insertions(+), 1 deletion(-)
>>
>
> Suggestion: Could you just call l3mdev_master_ifindex_rcu() when
> invoking rpfilter_lookup_reverse6() ?
>
> diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c
> index c3c6b09acdc4..ce64ff5d6fb6 100644
> --- a/net/ipv6/netfilter/ip6t_rpfilter.c
> +++ b/net/ipv6/netfilter/ip6t_rpfilter.c
> @@ -101,7 +101,8 @@ static bool rpfilter_mt(const struct sk_buff *skb,
> struct xt_action_param *par)
> if (unlikely(saddrtype == IPV6_ADDR_ANY))
> return true ^ invert; /* not routable: forward path will drop it */
>
> - return rpfilter_lookup_reverse6(xt_net(par), skb, xt_in(par),
> + return rpfilter_lookup_reverse6(xt_net(par), skb,
> + l3mdev_master_ifindex_rcu(xt_in(par)),
> info->flags) ^ invert;
> }
>
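Review bot: the replacement argument on the `+ l3mdev_master_ifindex_rcu(xt_in(par)),` line is an ifindex (an int), while the callee in the removed line, `rpfilter_lookup_reverse6(xt_net(par), skb, xt_in(par), ...)`, takes a `struct net_device *` in that position, so this hunk does not compile as written; either pass a device or change rpfilter_lookup_reverse6 to accept an ifindex. Whichever way it goes, the call also needs a fallback to the original `xt_in(par)` for packets that arrive on a device with no l3mdev master, otherwise those lookups run with no input device at all.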

rpfilter_lookup_reverse6 requests struct net_device *dev as third argument, so
what you really mean is this?

diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c
index c3c6b09acdc4..ce64ff5d6fb6 100644
--- a/net/ipv6/netfilter/ip6t_rpfilter.c
+++ b/net/ipv6/netfilter/ip6t_rpfilter.c
@@ -101,7 +101,8 @@ static bool rpfilter_mt(const struct sk_buff *skb,
struct xt_action_param *par)
if (unlikely(saddrtype == IPV6_ADDR_ANY))
return true ^ invert; /* not routable: forward path will drop it */

- return rpfilter_lookup_reverse6(xt_net(par), skb, xt_in(par),
+ return rpfilter_lookup_reverse6(xt_net(par), skb,
+ l3mdev_master_dev_rcu(xt_in(par)) ? : xt_in(par),
info->flags) ^ invert;
}
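Review bot: the `+ l3mdev_master_dev_rcu(xt_in(par)) ? : xt_in(par),` line hands the VRF master to rpfilter_lookup_reverse6 in place of the enslaved input device, but the reverse-path check needs both: the master ifindex only to scope the fib lookup (fl6.flowi6_oif) and the enslaved device's ifindex for the return-path comparison against the route's output device. Passing the master in both roles makes the comparison use the wrong interface for enslaved ports, so the l3mdev handling belongs inside rpfilter_lookup_reverse6 with `dev` left as `xt_in(par)`. Separately, the `index c3c6b09acdc4..ce64ff5d6fb6` header was copied verbatim from the quoted diff rather than generated from this change, so the blob ids do not describe this hunk.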
I'm sorry, but I tested this and it doesn't work. When the flags have XT_RPFILTER_LOOSE set,
we need to set fl6.flowi6_oif to complete the fib lookup in an l3mdev domain. And we need the
enslaved network device to compute rpfilter rather than the l3 master device.
Many thanks for your suggestion.
Best regards.