lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 22 Sep 2020 09:39:36 -0600
From:   David Ahern <>
To:     Stephen Suryaputra <>,
Subject: Re: ip rule iif oif and vrf

On 9/22/20 7:11 AM, Stephen Suryaputra wrote:
> Hi,
> We have a use case where there are multiple user VRFs being leak routed
> to and from tunnels that are on the core VRF. Traffic from user VRF to a
> tunnel can be done the normal way by specifying the netdev directly on
> the route entry on the user VRF route table:
> ip route add <prefix> via <tunnel_end_point_addr> dev <tunnel_netdev>
> But traffic received on the tunnel must be leak routed directly to the
> respective a specific user VRF because multiple user VRFs can have
> duplicate address spaces. I am thinking of using ip rule but when the
> iif is an enslaved device, the rule doesn't get matched because the
> ifindex in the skb is the master.
> My question is: is this a bug, or is there anything else that can be
> done to make sure that traffic from a tunnel being routed directly to a
> user VRF? If it is the later, I can work on a patch.

Might be a side effect of the skb dev change. I would like to remove
that but it is going to be challenge at this point.

take a look at:
perf record -a -e fib:* -g
<packets through the tunnel>
perf script

What does it say for the lookups - input arguments, table, etc?

Any chance you can re-recreate this using namespaces as the different nodes?

Powered by blists - more mailing lists