Message-ID: <094b7376-f796-71b6-7a81-28866b0f882b@huawei.com>
Date: Wed, 24 Apr 2019 15:27:30 +0800
From: linmiaohe <linmiaohe@...wei.com>
To: <pablo@...filter.org>, <kadlec@...ckhole.kfki.hu>, <fw@...len.de>,
<davem@...emloft.net>, <kuznet@....inr.ac.ru>,
<yoshfuji@...ux-ipv6.org>, <netfilter-devel@...r.kernel.org>,
<coreteam@...filter.org>, <netdev@...r.kernel.org>,
<linux-kernel@...r.kernel.org>
CC: Mingfangsen <mingfangsen@...wei.com>
Subject: [PATCH] net: netfilter: Fix ipv6 rp_filter dropping vrf packets by mistake
From: Miaohe Lin <linmiaohe@...wei.com>
When the firewall is enabled with rp_filter, vrf ipv6 packets
will be dropped because the in device is vrf but the out device
is an enslaved device. So rt->rt6i_idev->dev != dev and
func rpfilter_lookup_reverse6 may return false.
Here is the output when I ping the peer:
ip vrf exec vrf1 ping 2013::2 -c 1
1 packets transmitted, 0 received, 100% packet loss, time 0ms
The drop info in /var/log/message:
Apr 24 14:59:45 localhost kernel: [81316.158259] rpfilter_DROP: IN=vrf1
OUT= MAC=52:54:00:9e:dd:c1:52:54:00:4f:81:38:86:dd
SRC=2013:0000:0000:0000:0000:0000:0000:0002
DST=2013:0000:0000:0000:0000:0000:0000:0001 LEN=104 TC=0 HOPLIMIT=64
FLOWLBL=1032942 PROTO=ICMPv6 TYPE=129 CODE=0 ID=14943 SEQ=1
Signed-off-by: Miaohe Lin <linmiaohe@...wei.com>
---
net/ipv6/netfilter/ip6t_rpfilter.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c
index c3c6b09acdc4..5cbc91f53736 100644
--- a/net/ipv6/netfilter/ip6t_rpfilter.c
+++ b/net/ipv6/netfilter/ip6t_rpfilter.c
@@ -73,6 +73,12 @@ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb,
goto out;
}
+ if (netif_is_l3_master(dev)) {
+ dev = __dev_get_by_index(dev_net(dev), IP6CB(skb)->iif);
+ if (!dev)
+ goto out;
+ }
+
if (rt->rt6i_idev->dev == dev || (flags & XT_RPFILTER_LOOSE))
ret = true;
out:
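Review bot: the new block calls __dev_get_by_index(), which expects the caller to hold RTNL (or dev_base_lock), but rpfilter_lookup_reverse6() runs from a netfilter match under rcu_read_lock(), so dev_get_by_index_rcu(dev_net(dev), IP6CB(skb)->iif) is the lookup written for this context and should be used instead. A one-line comment above the block, saying that packets received through a VRF carry the l3 master as dev while IP6CB(skb)->iif still holds the real ingress interface, would also help, since the comparison that follows otherwise silently changes from "input device" to "original ingress device" for VRF traffic only.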
--
2.19.1
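To show the behaviour the patch changes, here is a small userspace model of the device comparison at the end of rpfilter_lookup_reverse6(). It is an added example, not kernel code and not part of the patch; the interface table, the reverse route and the packet are constructed, and dev_by_index(), rpfilter_dev_match() and the scenario helpers are names chosen for this illustration. It reproduces the commit message's case (strict check, reply seen with IN=vrf1 while the route points at the enslaved interface) before and after the master-to-ingress resolution, plus the loose mode and an unknown ingress index, which fails closed as in the patch.

```c
/*
 * Added example (not kernel code): userspace model of the final device
 * comparison in rpfilter_lookup_reverse6(), showing why a strict IPv6
 * reverse-path check drops packets received on a VRF master and how
 * mapping the master back to the ingress interface (IP6CB(skb)->iif)
 * fixes it. Everything below is constructed for the illustration.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define XT_RPFILTER_LOOSE 0x1   /* same meaning as the xt_rpfilter flag */

struct net_device {
    int ifindex;
    const char *name;
    bool l3_master;   /* true for a VRF master, models netif_is_l3_master() */
};

/* Constructed interface table: eth0 (ifindex 2) is enslaved to vrf1 (ifindex 5). */
static const struct net_device devs[] = {
    { 2, "eth0", false },
    { 5, "vrf1", true  },
};

/* Models the ifindex lookup: NULL when no interface has that index. */
static const struct net_device *dev_by_index(int ifindex)
{
    for (size_t i = 0; i < sizeof(devs) / sizeof(devs[0]); i++)
        if (devs[i].ifindex == ifindex)
            return &devs[i];
    return NULL;
}

/* Reverse route result: the interface the kernel would use to reach the source. */
struct rt6_info { const struct net_device *dev; };

/* Packet as the hook sees it: dev is the VRF master for VRF traffic,
 * iif keeps the original ingress ifindex (IP6CB(skb)->iif). */
struct skb { const struct net_device *dev; int iif; };

/*
 * The comparison from rpfilter_lookup_reverse6(). With resolve_vrf set,
 * a VRF master is first mapped back to the enslaved ingress interface,
 * which is the step the patch adds; a failed mapping rejects the packet.
 */
static bool rpfilter_dev_match(const struct rt6_info *rt, const struct skb *skb,
                               unsigned int flags, bool resolve_vrf)
{
    const struct net_device *dev = skb->dev;

    if (resolve_vrf && dev->l3_master) {
        dev = dev_by_index(skb->iif);
        if (!dev)
            return false;   /* unknown ingress interface: fail closed */
    }
    return rt->dev == dev || (flags & XT_RPFILTER_LOOSE);
}

/* Commit-message scenario: reply enters eth0 inside vrf1, reverse route
 * points at eth0, the hook sees IN=vrf1. */
static bool vrf_reply_passes(unsigned int flags, bool resolve_vrf)
{
    const struct rt6_info rt = { dev_by_index(2) };
    const struct skb skb = { dev_by_index(5), 2 };
    return rpfilter_dev_match(&rt, &skb, flags, resolve_vrf);
}

/* Same check for a packet that came in on eth0 with no VRF involved. */
static bool plain_reply_passes(unsigned int flags, bool resolve_vrf)
{
    const struct rt6_info rt = { dev_by_index(2) };
    const struct skb skb = { dev_by_index(2), 2 };
    return rpfilter_dev_match(&rt, &skb, flags, resolve_vrf);
}

/* VRF packet whose recorded ingress index matches no interface. */
static bool vrf_unknown_iif_passes(unsigned int flags)
{
    const struct rt6_info rt = { dev_by_index(2) };
    const struct skb skb = { dev_by_index(5), 99 };
    return rpfilter_dev_match(&rt, &skb, flags, true);
}

int main(void)
{
    printf("strict, before fix: %s\n", vrf_reply_passes(0, false) ? "pass" : "DROP");
    printf("strict, after fix:  %s\n", vrf_reply_passes(0, true) ? "pass" : "DROP");
    printf("loose, before fix:  %s\n", vrf_reply_passes(XT_RPFILTER_LOOSE, false) ? "pass" : "DROP");
    return 0;
}
```

The non-VRF case passes with or without the extra step, which is the property a reviewer wants: the change only affects packets whose input device is an l3 master, and those are compared against the interface they actually arrived on.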