From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Stephen Suryaputra, Paolo Abeni, Antoine Tenart, David Ahern, "David S. Miller", Sasha Levin
Subject: [PATCH 5.4 220/348] vrf: do not push non-ND strict packets with a source LLA through packet taps again
Date: Mon, 12 Jul 2021 08:10:04 +0200
Message-Id: <20210712060730.829641179@linuxfoundation.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210712060659.886176320@linuxfoundation.org>
References: <20210712060659.886176320@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Antoine Tenart

[ Upstream commit 603113c514e95c3350598bc3cccbd03af7ea4ab2 ]

Non-ND strict packets with a source LLA go through the packet taps again, while non-ND strict packets with other source addresses do not, and we can see a clone of those packets on the vrf interface (we should not).

This is due to a series of changes: Commit 6f12fa775530[1] made non-ND strict packets not being pushed again in the packet taps. This changed with commit 205704c618af[2] for those packets having a source LLA, as they need a lookup with the orig_iif.

The issue now is those packets do not skip the 'vrf_ip6_rcv' function to the end (as the ones without a source LLA) and go through the check to call packet taps again. This check was changed by commit 6f12fa775530[1] and do not exclude non-strict packets anymore. Packets matching 'need_strict && !is_ndisc && is_ll_src' are now being sent through the packet taps again. This can be seen by dumping packets on the vrf interface.

Fix this by having the same code path for all non-ND strict packets and selectively lookup with the orig_iif for those with a source LLA. This has the effect to revert to the pre-205704c618af[2] condition, which should also be easier to maintain.

[1] 6f12fa775530 ("vrf: mark skb for multicast or link-local as enslaved to VRF")
[2] 205704c618af ("vrf: packets with lladdr src needs dst at input with orig_iif when needs strict")

Fixes: 205704c618af ("vrf: packets with lladdr src needs dst at input with orig_iif when needs strict")
Cc: Stephen Suryaputra
Reported-by: Paolo Abeni
Signed-off-by: Antoine Tenart
Reviewed-by: David Ahern
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
--- drivers/net/vrf.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c index 1267786d2931..f08ed52d51f3 100644 --- a/drivers/net/vrf.c +++ b/drivers/net/vrf.c
@@ -1035,22 +1035,22 @@ static struct sk_buff *vrf_ip6_rcv(struct net_device *vrf_dev, int orig_iif = skb->skb_iif; bool need_strict = rt6_need_strict(&ipv6_hdr(skb)->daddr); bool is_ndisc = ipv6_ndisc_frame(skb); - bool is_ll_src; /* loopback, multicast & non-ND link-local traffic; do not push through * packet taps again. Reset pkt_type for upper layers to process skb. - * for packets with lladdr src, however, skip so that the dst can be - * determine at input using original ifindex in the case that daddr - * needs strict + * For strict packets with a source LLA, determine the dst using the + * original ifindex. */ - is_ll_src = ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL; - if (skb->pkt_type == PACKET_LOOPBACK || - (need_strict && !is_ndisc && !is_ll_src)) { + if (skb->pkt_type == PACKET_LOOPBACK || (need_strict && !is_ndisc)) { skb->dev = vrf_dev; skb->skb_iif = vrf_dev->ifindex; IP6CB(skb)->flags |= IP6SKB_L3SLAVE; + if (skb->pkt_type == PACKET_LOOPBACK) skb->pkt_type = PACKET_HOST; + else if (ipv6_addr_type(&ipv6_hdr(skb)->saddr) & IPV6_ADDR_LINKLOCAL) + vrf_ip6_input_dst(skb, vrf_dev, orig_iif); + goto out; } -- 2.30.2
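
Review bot: In the new `else if` arm of `vrf_ip6_rcv`, `vrf_ip6_input_dst(skb, vrf_dev, orig_iif)` runs after `skb->dev` and `skb->skb_iif` have already been rewritten to the VRF device and `IP6SKB_L3SLAVE` has been set, so the lookup sees the original ingress interface only through the saved `orig_iif`. Nothing in the visible lines shows whether the helper reads `skb->dev` or the control-block flags; please confirm it depends only on the `orig_iif` argument, or move the call above the `skb->dev = vrf_dev;` assignment. Because the arm hangs off `if (skb->pkt_type == PACKET_LOOPBACK)`, a looped-back packet with a link-local source gets no `orig_iif` lookup. That matches the old condition, where loopback packets always took this branch, but the rewritten comment only says "strict packets with a source LLA" and should state the loopback exclusion. Since the commit message describes the regression as visible when dumping packets on the vrf interface, a selftest that captures on the VRF device and asserts no cloned non-ND link-local packets appear would keep this condition from drifting a third time.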