Date:	Tue, 26 Aug 2014 21:32:12 +0530
From:	Tushar Shinde <mtk.tushar@...il.com>
To:	netdev@...r.kernel.org
Subject: IPv6 Policy based routing not working.

Hello NetDev,

I am facing a problem where an IPv6 route (outside the current subnet) is
reachable only if the route is present in the main table. Policy-based routes
are not working.

The following is my setup:

eth0   inet6 2001:1::10/120 scope global
eth1   inet6 2001:1::11/120 scope global
2001:1::1 is gateway
2.6.32-431.11.2.el6.x86_64 kernel (I tried on 3.x also)

[root@...6node1 ~]# ip -6 route show tab 1
2001:1::/120 dev eth0  metric 1024  mtu 1500 advmss 1440 hoplimit 4294967295
default via 2001:1::1 dev eth0  metric 1024  mtu 1500 advmss 1440 hoplimit 4294967295
[root@...6node1 ~]#
[root@...6node1 ~]# ip -6 route show tab 2
2001:1::/120 dev eth1  metric 1024  mtu 1500 advmss 1440 hoplimit 4294967295
default via 2001:1::1 dev eth1  metric 1024  mtu 1500 advmss 1440 hoplimit 4294967295
[root@...6node1 ~]#
[root@...6node1 ~]# ip -6 rule show
0:    from all lookup local
16383:    from 2001:1::10 lookup 1
16383:    from 2001:1::11 lookup 2
32766:    from all lookup main
[root@...6node1 ~]#

If I add a default via eth0, only the IP of eth0 is reachable from outside, or
eth1 doesn't work. In the above setup the default route is not present.

But the default entry in the "table" is never used to resolve the route.

[root@...6node1 ~]# ping6 -I eth0 2001:2::20
connect: Network is unreachable
[root@...6node1 ~]#
[root@...6node1 ~]# ping6 -I eth1 2001:2::20
connect: Network is unreachable
[root@...6node1 ~]#


To dig further I added printks and found that the fib6_rule_match function
returns 1 only for tables 255 and 254; all other tables are skipped from the
search.

fib6_rule_match

        if (r->src.plen) {
                if (flags & RT6_LOOKUP_F_HAS_SADDR) {
                        if (!ipv6_prefix_equal(&fl->fl6_src, &r->src.addr,
                                               r->src.plen)) {
                                printk(KERN_ALERT "TS: %s:%d ret 0\n", __func__, __LINE__);
                                return 0;
                        }
                } else if (!(r->common.flags & FIB_RULE_FIND_SADDR)) {
                        printk(KERN_ALERT "TS: %s:%d ret 0\n", __func__, __LINE__);
   >>>                  return 0;
                }
        }

In the case of the above ping, the code returns from the FIB_RULE_FIND_SADDR
check, as pointed out above.

In the above case flags is 1, that is RT6_LOOKUP_F_IFACE.
Do I need to pass any extra option to ping?

The same routing table works in an IPv4 setup without any problem.
Is policy-based routing supported in IPv6?


Thank you,
Tushar
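
Added example, not part of the original message and not kernel code: a userspace C model of the source-selector check quoted above, run over the four rules from the "ip -6 rule show" output, to show which rules match a flow that carries only RT6_LOOKUP_F_IFACE versus one that also carries a source address. struct rule, struct flow, page_rules, matching_tables() and the numeric flag values are assumptions of this example; the real lookup also stops at the first matching table that returns a route.

```c
#include <stdint.h>
#include <string.h>

/* Numeric flag values are assumptions of this example (Linux headers). */
#define RT6_LOOKUP_F_IFACE     0x1
#define RT6_LOOKUP_F_HAS_SADDR 0x4
#define FIB_RULE_FIND_SADDR    0x00010000

struct rule { unsigned prio; uint8_t src[16]; int plen; unsigned flags; int table; };
struct flow { uint8_t src[16]; };

/* The four rules from the post (local = table 255, main = table 254). */
static const struct rule page_rules[] = {
    { 0,     {0}, 0, 0, 255 },
    { 16383, {0x20, 0x01, 0x00, 0x01, [15] = 0x10}, 128, 0, 1 },
    { 16383, {0x20, 0x01, 0x00, 0x01, [15] = 0x11}, 128, 0, 2 },
    { 32766, {0}, 0, 0, 254 },
};

/* Stand-in for ipv6_prefix_equal(): compare the first plen bits. */
static int prefix_equal(const uint8_t *a, const uint8_t *b, int plen) {
    int bytes = plen / 8, bits = plen % 8;
    if (memcmp(a, b, bytes) != 0) return 0;
    return bits == 0 || ((a[bytes] ^ b[bytes]) >> (8 - bits)) == 0;
}

/* Source-selector check with the same branch structure as the quoted code. */
static int rule_match(const struct rule *r, const struct flow *fl, int flags) {
    if (r->plen) {
        if (flags & RT6_LOOKUP_F_HAS_SADDR)
            return prefix_equal(fl->src, r->src, r->plen);
        if (!(r->flags & FIB_RULE_FIND_SADDR))
            return 0;   /* flow carries no source address: "from" rule skipped */
    }
    return 1;
}

/* Collect the tables whose rule matches, in priority order; returns the count. */
static int matching_tables(const struct flow *fl, int flags, int *out) {
    int n = 0;
    for (size_t i = 0; i < sizeof page_rules / sizeof page_rules[0]; i++)
        if (rule_match(&page_rules[i], fl, flags)) out[n++] = page_rules[i].table;
    return n;
}

int main(void) {
    int t[4]; struct flow fl = {{0}};  /* constructed flow without a source address */
    return matching_tables(&fl, RT6_LOOKUP_F_IFACE, t) == 2 ? 0 : 1;
}
```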