Message-ID: <e5083883-27c7-e210-0f94-d8177264bd84@huawei.com>
Date: Mon, 13 May 2019 21:25:09 +0800
From: linmiaohe <linmiaohe@...wei.com>
To: Pablo Neira Ayuso <pablo@...filter.org>
CC: <kadlec@...ckhole.kfki.hu>, <fw@...len.de>, <davem@...emloft.net>,
<kuznet@....inr.ac.ru>, <yoshfuji@...ux-ipv6.org>,
<netfilter-devel@...r.kernel.org>, <coreteam@...filter.org>,
<netdev@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
<dsahern@...il.com>, Mingfangsen <mingfangsen@...wei.com>
Subject: Re: [PATCH v3] net: netfilter: Fix rpfilter dropping vrf packets by
mistake
On 2019/5/13 17:42, Pablo Neira Ayuso wrote:
> On Thu, Apr 25, 2019 at 09:43:53PM +0800, linmiaohe wrote:
>> From: Miaohe Lin <linmiaohe@...wei.com>
>>
>> When firewalld is enabled with ipv4/ipv6 rpfilter, vrf
>> ipv4/ipv6 packets will be dropped because the in device is
>> the vrf but the out device is an enslaved device. So they
>> fail the rpfilter check.
>>
>> Signed-off-by: Miaohe Lin <linmiaohe@...wei.com>
>> ---
>> net/ipv4/netfilter/ipt_rpfilter.c | 1 +
>> net/ipv6/netfilter/ip6t_rpfilter.c | 10 +++++++++-
>> 2 files changed, 10 insertions(+), 1 deletion(-)
>>
>
> Suggestion: Could you just call l3mdev_master_ifindex_rcu() when
> invoking rpfilter_lookup_reverse6() ?
>
> diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c
> index c3c6b09acdc4..ce64ff5d6fb6 100644
> --- a/net/ipv6/netfilter/ip6t_rpfilter.c
> +++ b/net/ipv6/netfilter/ip6t_rpfilter.c
> @@ -101,7 +101,8 @@ static bool rpfilter_mt(const struct sk_buff *skb,
> struct xt_action_param *par)
> if (unlikely(saddrtype == IPV6_ADDR_ANY))
> return true ^ invert; /* not routable: forward path will drop it */
>
> - return rpfilter_lookup_reverse6(xt_net(par), skb, xt_in(par),
> + return rpfilter_lookup_reverse6(xt_net(par), skb,
> + l3mdev_master_ifindex_rcu(xt_in(par)),
> info->flags) ^ invert;
> }
>
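Review bot: the `+ l3mdev_master_ifindex_rcu(xt_in(par)),` line hands an int ifindex to a parameter that, as noted further down in this thread, is a `struct net_device *dev`, so the hunk will not compile as written. Swapping in `l3mdev_master_dev_rcu()` fixes the type, but it also changes which device rpfilter_lookup_reverse6() works with for a VRF slave: the l3 master instead of the enslaved device the packet actually arrived on, which is the device the reverse route has to be compared against in strict mode.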
> .
rpfilter_lookup_reverse6 takes struct net_device *dev as its third argument, so what you really mean is this?
diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c
index c3c6b09acdc4..ce64ff5d6fb6 100644
--- a/net/ipv6/netfilter/ip6t_rpfilter.c
+++ b/net/ipv6/netfilter/ip6t_rpfilter.c
@@ -101,7 +101,8 @@ static bool rpfilter_mt(const struct sk_buff *skb,
struct xt_action_param *par)
if (unlikely(saddrtype == IPV6_ADDR_ANY))
return true ^ invert; /* not routable: forward path will drop it */
- return rpfilter_lookup_reverse6(xt_net(par), skb, xt_in(par),
+ return rpfilter_lookup_reverse6(xt_net(par), skb,
+ l3mdev_master_dev_rcu(xt_in(par)) ? : xt_in(par),
info->flags) ^ invert;
}
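Review bot: with `l3mdev_master_dev_rcu(xt_in(par)) ? : xt_in(par)` the device passed to rpfilter_lookup_reverse6() for a VRF slave is the master, so any comparison of the reverse route's device inside that function is now made against the l3 master rather than the enslaved ingress device; a route in the VRF table resolves to the slave interface, so a strict (non-LOOSE) comparison against the master cannot match, and the packets this patch is meant to stop dropping would still be dropped. Minor: this rendering of the hunk also lacks the blank context line between `return true ^ invert;` and the `-` line that the quoted original carries, so it no longer matches the `@@ -101,7 +101,8 @@` line counts.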
I'm sorry, but I tested this and it doesn't work. When the flags have XT_RPFILTER_LOOSE set,
we need to set fl6.flowi6_oif to complete the fib lookup in an l3mdev domain. And we need
the enslaved network device to compute rpfilter rather than the l3 master device.
Many thanks for your suggestion.
Best regards.
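The point made above (the reverse route has to be compared against the enslaved ingress device, not the VRF master) can be seen in a small userspace model. The following is an added example, not kernel code and not part of this thread or the patch: it assumes a constructed topology (eth0 in the main table, eth1 enslaved to a VRF "blue" with table 100), a constructed two-entry FIB, and stand-ins for l3mdev_master_ifindex_rcu() / l3mdev_master_dev_rcu() that mimic only the ifindex/table behaviour needed here. It models table selection via the l3mdev ifindex and the final device comparison; it does not reproduce the real rpfilter_lookup_reverse6().

```c
#include <stdbool.h>
#include <stddef.h>

#define MAIN_TABLE 254

/* Constructed stand-in for struct net_device: only the fields the model needs. */
struct net_device {
	const char *name;
	int ifindex;
	int master_ifindex;	/* ifindex of the VRF this device is enslaved to, 0 if none */
	int vrf_table;		/* routing table id if this device is a VRF master, 0 otherwise */
};

/* Constructed FIB entry: prefix/plen in `table` is reached through `dev`. */
struct fib_entry {
	int table;
	unsigned int prefix;	/* IPv4 address as a 32-bit integer, for brevity */
	int plen;
	const struct net_device *dev;
};

/* Constructed topology: eth0 in the main table; eth1 enslaved to VRF "blue" (table 100). */
static const struct net_device eth0 = { "eth0", 2, 0, 0 };
static const struct net_device blue = { "blue", 10, 0, 100 };
static const struct net_device eth1 = { "eth1", 3, 10, 0 };
static const struct net_device *devs[] = { &eth0, &blue, &eth1 };

static const struct fib_entry fib[] = {
	{ MAIN_TABLE, 0x0A000000u, 8, &eth0 },	/* 10.0.0.0/8 via eth0 (main table) */
	{ 100, 0xC0A80000u, 16, &eth1 },	/* 192.168.0.0/16 via eth1 (VRF table 100) */
};

static const struct net_device *dev_by_index(int ifindex)
{
	for (size_t i = 0; i < sizeof(devs) / sizeof(devs[0]); i++)
		if (devs[i]->ifindex == ifindex)
			return devs[i];
	return NULL;
}

/* Models l3mdev_master_ifindex_rcu(): a VRF master reports its own ifindex,
 * a slave reports its master's ifindex, any other device reports 0. */
static int l3mdev_master_ifindex(const struct net_device *dev)
{
	return dev->vrf_table ? dev->ifindex : dev->master_ifindex;
}

/* Models l3mdev_master_dev_rcu(): the VRF master of a slave, NULL otherwise. */
static const struct net_device *l3mdev_master_dev(const struct net_device *dev)
{
	return dev->master_ifindex ? dev_by_index(dev->master_ifindex) : NULL;
}

/* Longest-prefix lookup. An `oif` naming a VRF master selects that VRF's table,
 * which is what setting flowi6_oif to the l3mdev ifindex achieves in the kernel. */
static const struct net_device *fib_lookup(unsigned int saddr, int oif)
{
	int table = MAIN_TABLE;
	const struct net_device *oifdev = oif ? dev_by_index(oif) : NULL;
	const struct net_device *best = NULL;
	int best_plen = -1;

	if (oifdev && oifdev->vrf_table)
		table = oifdev->vrf_table;
	for (size_t i = 0; i < sizeof(fib) / sizeof(fib[0]); i++) {
		const struct fib_entry *e = &fib[i];
		unsigned int mask = e->plen ? ~0u << (32 - e->plen) : 0;

		if (e->table == table && (saddr & mask) == (e->prefix & mask) && e->plen > best_plen) {
			best = e->dev;
			best_plen = e->plen;
		}
	}
	return best;
}

/* Reverse-path check: look the source up in `dev`'s l3mdev domain, then in strict
 * mode require the reverse route to leave through `dev`. Loose mode, like
 * XT_RPFILTER_LOOSE, only requires that some route back exists. */
static bool rpfilter_reverse(unsigned int saddr, const struct net_device *dev, bool loose)
{
	const struct net_device *out = fib_lookup(saddr, l3mdev_master_ifindex(dev));

	if (!out)
		return false;	/* no route back to the source: fail the check */
	return loose || out == dev;
}

/* Pass the enslaved ingress device itself, as the reply above argues is required. */
bool rpfilter_via_slave(unsigned int saddr, const struct net_device *in, bool loose)
{
	return rpfilter_reverse(saddr, in, loose);
}

/* Pass the VRF master instead (the `l3mdev_master_dev_rcu(xt_in(par)) ? : xt_in(par)` idea). */
bool rpfilter_via_master(unsigned int saddr, const struct net_device *in, bool loose)
{
	const struct net_device *master = l3mdev_master_dev(in);

	return rpfilter_reverse(saddr, master ? master : in, loose);
}
```

For a packet from 192.168.1.5 arriving on eth1, both variants select VRF table 100 and find the route through eth1; the slave variant accepts it, while the master variant compares eth1 against blue and rejects it in strict mode, which is the drop the patch is about.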