From: linmiaohe
CC: Mingfangsen
Subject: [PATCH v3] net: netfilter: Fix rpfilter dropping vrf packets by mistake
Message-ID: <212e4feb-39de-2627-9948-bbb117ff4d4e@huawei.com>
Date: Thu, 25 Apr 2019 21:43:53 +0800
X-Mailing-List: linux-kernel@vger.kernel.org
From: Miaohe Lin When firewalld is enabled with ipv4/ipv6 rpfilter, vrf ipv4/ipv6 packets will be dropped because in device is vrf but out device is an enslaved device. So failed with the check of the rpfilter. Signed-off-by: Miaohe Lin --- net/ipv4/netfilter/ipt_rpfilter.c | 1 + net/ipv6/netfilter/ip6t_rpfilter.c | 10 +++++++++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c index 0b10d8812828..6e07cd0ecbec 100644 --- a/net/ipv4/netfilter/ipt_rpfilter.c +++ b/net/ipv4/netfilter/ipt_rpfilter.c @@ -81,6 +81,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par) flow.flowi4_mark = info->flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0; flow.flowi4_tos = RT_TOS(iph->tos); flow.flowi4_scope = RT_SCOPE_UNIVERSE; + flow.flowi4_oif = l3mdev_master_ifindex_rcu(xt_in(par)); return rpfilter_lookup_reverse(xt_net(par), &flow, xt_in(par), info->flags) ^ invert; } diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c index c3c6b09acdc4..a28c81322148 100644 --- a/net/ipv6/netfilter/ip6t_rpfilter.c +++ b/net/ipv6/netfilter/ip6t_rpfilter.c @@ -58,7 +58,9 @@ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb, if (rpfilter_addr_linklocal(&iph->saddr)) { lookup_flags |= RT6_LOOKUP_F_IFACE; fl6.flowi6_oif = dev->ifindex; - } else if ((flags & XT_RPFILTER_LOOSE) == 0) + } else if (((flags & XT_RPFILTER_LOOSE) == 0) || + (netif_is_l3_master(dev)) || + (netif_is_l3_slave(dev))) fl6.flowi6_oif = dev->ifindex; rt = (void *)ip6_route_lookup(net, &fl6, skb, lookup_flags); @@ -73,6 +75,12 @@ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb, goto out; } + if (netif_is_l3_master(dev)) { + dev = dev_get_by_index_rcu(dev_net(dev), IP6CB(skb)->iif); + if (!dev) + goto out; + } + if (rt->rt6i_idev->dev == dev || (flags & XT_RPFILTER_LOOSE)) ret = true; out: -- 2.19.1
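Review bot: the IPv4 hunk in net/ipv4/netfilter/ipt_rpfilter.c is asymmetric with the IPv6 change. It only redirects the lookup with `flow.flowi4_oif = l3mdev_master_ifindex_rcu(xt_in(par));` and still passes `xt_in(par)` unchanged to `rpfilter_lookup_reverse()` for the device comparison, whereas the IPv6 side maps an l3 master back to `IP6CB(skb)->iif` before comparing against the route's device. If the IPv4 comparison is expected to pass when the hook runs with in=vrf, the commit message should say why and which case (in=slave, in=master, or both) was tested; otherwise the IPv4 path needs the same master-to-ingress-port mapping.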
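Review bot: the new condition in the first net/ipv6/netfilter/ip6t_rpfilter.c hunk changes loose-mode behaviour for l3mdev devices without explanation, since `fl6.flowi6_oif = dev->ifindex;` is now taken even when XT_RPFILTER_LOOSE is set and `dev` is an l3 master or slave. Neither the code nor the commit message says why an l3mdev device has to be pinned as oif in loose mode, so add a one-line comment above the else-if or state it in the commit message. As a style point, the parentheses around `(netif_is_l3_master(dev))` and `(netif_is_l3_slave(dev))` are redundant, and the continuation lines should be aligned with the opening parenthesis, which checkpatch will flag.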
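Review bot: in the second ip6t_rpfilter.c hunk, a failed `dev_get_by_index_rcu(dev_net(dev), IP6CB(skb)->iif)` jumps to `out` without setting `ret`, so the match now fails even when XT_RPFILTER_LOOSE is set, although the very next line deliberately ignores the device in loose mode via `(flags & XT_RPFILTER_LOOSE)`. Either check the loose flag before the lookup, for example `if (flags & XT_RPFILTER_LOOSE) { ret = true; goto out; }` ahead of the `netif_is_l3_master(dev)` block, or perform the iif lookup only when loose mode is off. Reassigning the `dev` parameter in place also makes the later comparison harder to read; a separate local for the ingress port would be clearer.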