From patchwork Tue Jun 11 08:56:57 2019
X-Patchwork-Submitter: Miaohe Lin
X-Patchwork-Id: 1113594
X-Patchwork-Delegate: davem@davemloft.net
From: linmiaohe
To: "pablo@netfilter.org", "kadlec@blackhole.kfki.hu", "fw@strlen.de", "davem@davemloft.net", "kuznet@ms2.inr.ac.ru", "yoshfuji@linux-ipv6.org", "netfilter-devel@vger.kernel.org", "coreteam@netfilter.org", "netdev@vger.kernel.org", "linux-kernel@vger.kernel.org", "dsahern@gmail.com"
CC: Mingfangsen
Subject: Re: [PATCH v3] net: netfilter: Fix rpfilter dropping vrf packets by mistake
Date: Tue, 11 Jun 2019 08:56:57 +0000
References: <212e4feb-39de-2627-9948-bbb117ff4d4e@huawei.com>
In-Reply-To: <212e4feb-39de-2627-9948-bbb117ff4d4e@huawei.com>
List-ID: netdev@vger.kernel.org

Friendly ping.

-----Original Message-----
From: linux-kernel-owner@vger.kernel.org [mailto:linux-kernel-owner@vger.kernel.org] On behalf of linmiaohe
Sent: 25 April 2019 21:44
To: pablo@netfilter.org; kadlec@blackhole.kfki.hu; fw@strlen.de; davem@davemloft.net; kuznet@ms2.inr.ac.ru; yoshfuji@linux-ipv6.org; netfilter-devel@vger.kernel.org; coreteam@netfilter.org; netdev@vger.kernel.org; linux-kernel@vger.kernel.org; dsahern@gmail.com
Cc: Mingfangsen
Subject: [PATCH v3] net: netfilter: Fix rpfilter dropping vrf packets by mistake

From: Miaohe Lin

When firewalld is enabled with ipv4/ipv6 rpfilter, vrf ipv4/ipv6 packets will be dropped because the in device is the vrf but the out device is an enslaved device, so the rpfilter check fails.
Signed-off-by: Miaohe Lin --- net/ipv4/netfilter/ipt_rpfilter.c | 1 + net/ipv6/netfilter/ip6t_rpfilter.c | 10 +++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) goto out; } + if (netif_is_l3_master(dev)) { + dev = dev_get_by_index_rcu(dev_net(dev), IP6CB(skb)->iif); + if (!dev) + goto out; + } + if (rt->rt6i_idev->dev == dev || (flags & XT_RPFILTER_LOOSE)) ret = true; out: -- 2.19.1 diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c index 0b10d8812828..6e07cd0ecbec 100644 --- a/net/ipv4/netfilter/ipt_rpfilter.c +++ b/net/ipv4/netfilter/ipt_rpfilter.c @@ -81,6 +81,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par) flow.flowi4_mark = info->flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0; flow.flowi4_tos = RT_TOS(iph->tos); flow.flowi4_scope = RT_SCOPE_UNIVERSE; + flow.flowi4_oif = l3mdev_master_ifindex_rcu(xt_in(par)); return rpfilter_lookup_reverse(xt_net(par), &flow, xt_in(par), info->flags) ^ invert; } diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c index c3c6b09acdc4..a28c81322148 100644 --- a/net/ipv6/netfilter/ip6t_rpfilter.c +++ b/net/ipv6/netfilter/ip6t_rpfilter.c @@ -58,7 +58,9 @@ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb, if (rpfilter_addr_linklocal(&iph->saddr)) { lookup_flags |= RT6_LOOKUP_F_IFACE; fl6.flowi6_oif = dev->ifindex; - } else if ((flags & XT_RPFILTER_LOOSE) == 0) + } else if (((flags & XT_RPFILTER_LOOSE) == 0) || + (netif_is_l3_master(dev)) || + (netif_is_l3_slave(dev))) fl6.flowi6_oif = dev->ifindex; rt = (void *)ip6_route_lookup(net, &fl6, skb, lookup_flags); @@ -73,6 +75,12 @@ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb,
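Review bot: the ipt_rpfilter.c hunk (`@@ -81,6 +81,7 @@`) adds `flow.flowi4_oif = l3mdev_master_ifindex_rcu(xt_in(par));` without a comment, and the commit message does not say what the IPv4 lookup did wrong before or why steering `flowi4_oif` at the L3 master's ifindex is enough on this side while the IPv6 side also needs a post-lookup device swap. `l3mdev_master_ifindex_rcu()` resolves both a VRF master and an enslaved interface to the master's index, so the message should also state that the enslaved-ingress case is covered and not only the "in device is vrf" case it currently describes; a one-line comment above the assignment explaining that the reverse lookup is being directed into the VRF's table would help the next reader.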
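Review bot: the condition `(netif_is_l3_master(dev)) || (netif_is_l3_slave(dev))` added in the first ip6t_rpfilter.c hunk (`@@ -58,7 +58,9 @@`) sets `fl6.flowi6_oif = dev->ifindex` for VRF devices even when `XT_RPFILTER_LOOSE` is set, so loose mode is no longer loose for an enslaved ingress interface: the lookup becomes bound to that single slave. This also differs from the IPv4 hunk, which resolves a slave to its master with `l3mdev_master_ifindex_rcu()` instead of pinning the lookup to the slave's own ifindex; either use the same helper here or explain in the commit message why IPv6 wants the slave index. Style: the parentheses around each `netif_is_l3_*()` call are redundant, and a condition spanning three lines is clearer with braces around its body.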
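Review bot: in the second ip6t_rpfilter.c hunk (`@@ -73,6 +75,12 @@`, whose body appears at the start of the diff text above), `if (!dev) goto out;` after `dev = dev_get_by_index_rcu(dev_net(dev), IP6CB(skb)->iif);` returns false before `(flags & XT_RPFILTER_LOOSE)` is evaluated, so a loose-mode match on a VRF master now fails whenever the original ingress ifindex cannot be resolved, where previously the LOOSE flag alone made the match succeed. If that change is intended, say so in the commit message; otherwise honour the flag before bailing out, e.g. `if (!dev) { ret = !!(flags & XT_RPFILTER_LOOSE); goto out; }`. A short comment stating why `IP6CB(skb)->iif` is the right device to compare `rt->rt6i_idev->dev` against when `dev` is the L3 master would also help, since the IPv4 side resolves the VRF relationship the other way round.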