| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 22 Sep 2020 09:39:36 -0600 From: David Ahern <dsahern@...il.com> To: Stephen Suryaputra <ssuryaextr@...il.com>, netdev@...r.kernel.org Subject: Re: ip rule iif oif and vrf On 9/22/20 7:11 AM, Stephen Suryaputra wrote: > Hi, > > We have a use case where there are multiple user VRFs being leak routed > to and from tunnels that are on the core VRF. Traffic from user VRF to a > tunnel can be done the normal way by specifying the netdev directly on > the route entry on the user VRF route table: > > ip route add <prefix> via <tunnel_end_point_addr> dev <tunnel_netdev> > > But traffic received on the tunnel must be leak routed directly to the > respective a specific user VRF because multiple user VRFs can have > duplicate address spaces. I am thinking of using ip rule but when the > iif is an enslaved device, the rule doesn't get matched because the > ifindex in the skb is the master. > > My question is: is this a bug, or is there anything else that can be > done to make sure that traffic from a tunnel being routed directly to a > user VRF? If it is the later, I can work on a patch. > Might be a side effect of the skb dev change. I would like to remove that but it is going to be challenge at this point. take a look at: perf record -a -e fib:* -g <packets through the tunnel> <Ctrl-C> perf script What does it say for the lookups - input arguments, table, etc? Any chance you can re-recreate this using namespaces as the different nodes?
Powered by blists - more mailing lists