Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Subject: Re: [PATCH v4] net: netfilter: Fix rpfilter dropping vrf packets by
 mistake
To:     Miaohe Lin <linmiaohe@huawei.com>, pablo@netfilter.org,
        kadlec@blackhole.kfki.hu, fw@strlen.de, davem@davemloft.net,
        kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org,
        netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Cc:     mingfangsen@huawei.com
References: <1561712803-195184-1-git-send-email-linmiaohe@huawei.com>
From:   David Ahern <dsahern@gmail.com>
Message-ID: <4d8ff353-5bda-35b5-cdc2-ccf3fe8b97fa@gmail.com>
Date:   Fri, 28 Jun 2019 11:04:22 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:52.0)
 Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <1561712803-195184-1-git-send-email-linmiaohe@huawei.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

On 6/28/19 3:06 AM, Miaohe Lin wrote:
> diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c
> index 6bcaf7357183..3c4a1772c15f 100644
> --- a/net/ipv6/netfilter/ip6t_rpfilter.c
> +++ b/net/ipv6/netfilter/ip6t_rpfilter.c
> @@ -55,6 +55,10 @@ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb,
>  	if (rpfilter_addr_linklocal(&iph->saddr)) {
>  		lookup_flags |= RT6_LOOKUP_F_IFACE;
>  		fl6.flowi6_oif = dev->ifindex;
> +	/* Set flowi6_oif for vrf devices to lookup route in l3mdev domain. */
> +	} else if (netif_is_l3_master(dev) || netif_is_l3_slave(dev)) {
> +		lookup_flags |= FLOWI_FLAG_SKIP_NH_OIF;

you don't need to set that flag here. It is done by the fib_rules code
as needed.