| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Sep 2020 19:50:02 -0400
From: Stephen Suryaputra <ssuryaextr@...il.com>
To: David Ahern <dsahern@...il.com>
Cc: netdev@...r.kernel.org
Subject: Re: ip rule iif oif and vrf
On Tue, Sep 22, 2020 at 09:39:36AM -0600, David Ahern wrote:
> >
> > We have a use case where there are multiple user VRFs being leak routed
> > to and from tunnels that are on the core VRF. Traffic from user VRF to a
> > tunnel can be done the normal way by specifying the netdev directly on
> > the route entry on the user VRF route table:
> >
> > ip route add <prefix> via <tunnel_end_point_addr> dev <tunnel_netdev>
> >
> > But traffic received on the tunnel must be leak routed directly to the
> > respective a specific user VRF because multiple user VRFs can have
> > duplicate address spaces. I am thinking of using ip rule but when the
> > iif is an enslaved device, the rule doesn't get matched because the
> > ifindex in the skb is the master.
> >
> > My question is: is this a bug, or is there anything else that can be
> > done to make sure that traffic from a tunnel being routed directly to a
> > user VRF? If it is the later, I can work on a patch.
> >
Is there a better way to implement this use case? Seems that it's a
common one for VRFs.
>
> Might be a side effect of the skb dev change. I would like to remove
> that but it is going to be challenge at this point.
>
> take a look at:
> perf record -a -e fib:* -g
> <packets through the tunnel>
> <Ctrl-C>
> perf script
>
> What does it say for the lookups - input arguments, table, etc?
>
> Any chance you can re-recreate this using namespaces as the different nodes?
I have a reproducer using namespaces attached in this email (gre_setup.sh).
A ping is initiated from h0:
ip netns exec h0 ping -c 1 11.0.0.2
As I have seen on our target platform, the iif is the VRF device. In
this case it is the core VRF. Thus, the ip rule with iif equals to the
GRE tunnel doesn't get hit.
This is I think is the relevant perf script output. All the outputs are
in the attached perf_script.txt.
ksoftirqd/0 9 [000] 2933.555444: fib:fib_table_lookup: table 100 oif 0 iif 6 proto 0 10.0.0.2/0 -> 11.0.0.2/0 tos 0 scope 0 flags 4 ==> dev - gw 0.0.0.0/:: err -113
ffffffffbda04f2e fib_table_lookup+0x4ce ([kernel.kallsyms])
ffffffffbda04f2e fib_table_lookup+0x4ce ([kernel.kallsyms])
ffffffffbda0fbd6 fib4_rule_action+0x66 ([kernel.kallsyms])
ffffffffbd96cde3 fib_rules_lookup+0x133 ([kernel.kallsyms])
ffffffffbda0f6ea __fib_lookup+0x6a ([kernel.kallsyms])
ffffffffbd9ac4de ip_route_input_slow+0x98e ([kernel.kallsyms])
ffffffffbd9ac81a ip_route_input_rcu+0x15a ([kernel.kallsyms])
ffffffffbd9ac978 ip_route_input_noref+0x28 ([kernel.kallsyms])
ffffffffbd9aec0b ip_rcv_finish_core.isra.0+0x6b ([kernel.kallsyms])
ffffffffbd9aefcb ip_rcv_finish+0x6b ([kernel.kallsyms])
ffffffffbd9af9fc ip_rcv+0xbc ([kernel.kallsyms])
ffffffffbd935d78 __netif_receive_skb_one_core+0x88 ([kernel.kallsyms])
ffffffffbd935dc8 __netif_receive_skb+0x18 ([kernel.kallsyms])
ffffffffbd935e55 netif_receive_skb_internal+0x45 ([kernel.kallsyms])
ffffffffbd9378af napi_gro_receive+0xff ([kernel.kallsyms])
ffffffffbd989bce gro_cell_poll+0x5e ([kernel.kallsyms])
ffffffffbd936eda net_rx_action+0x13a ([kernel.kallsyms])
ffffffffbde000e1 __softirqentry_text_start+0xe1 ([kernel.kallsyms])
ffffffffbd0a809b run_ksoftirqd+0x2b ([kernel.kallsyms])
ffffffffbd0cf420 smpboot_thread_fn+0xd0 ([kernel.kallsyms])
ffffffffbd0c84a4 kthread+0x104 ([kernel.kallsyms])
ffffffffbdc00202 ret_from_fork+0x22 ([kernel.kallsyms])
The r1 namespace has these netdevs:
sudo ip netns exec r1 ip link show
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: gre0@...E: <NOARP> mtu 1476 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/gre 0.0.0.0 brd 0.0.0.0
3: gretap0@...E: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
4: erspan0@...E: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
5: vrf_r1t: <NOARP,MASTER,UP,LOWER_UP> mtu 65536 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether ba:76:0d:e4:3b:93 brd ff:ff:ff:ff:ff:ff
6: vrf_r1c: <NOARP,MASTER,UP,LOWER_UP> mtu 65536 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 82:90:68:d3:e1:ff brd ff:ff:ff:ff:ff:ff
7: gre10@..._r1c: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 65511 qdisc noqueue master vrf_r1c state UNKNOWN mode DEFAULT group default qlen 1000
link/gre 1.1.1.2 peer 1.1.1.1
26: r1_v10@...7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vrf_r1c state UP mode DEFAULT group default qlen 1000
link/ether 12:00:73:33:bc:f2 brd ff:ff:ff:ff:ff:ff link-netns r0
29: r1_v11@...8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master vrf_r1t state UP mode DEFAULT group default qlen 1000
link/ether 8a:ff:65:ff:ba:58 brd ff:ff:ff:ff:ff:ff link-netns h1
The iif when the fib is being looked up is the vrf_r1c (6). There is
another error in the perf_script where the iif is the lo device and the
oif is vrf_r1c.
ping 4343 [000] 2933.554428: fib:fib_table_lookup: table 100 oif 6 iif 1 proto 1 10.0.0.2/0 -> 11.0.0.2/0 tos 0 scope 0 flags 4 ==> dev - gw 0.0.0.0/:: err -113
Thanks.
Download attachment "gre_setup.sh" of type "application/x-sh" (4054 bytes)
View attachment "perf_script.txt" of type "text/plain" (43085 bytes)
Powered by blists - more mailing lists