From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eugene Crosser, David Ahern, "David S. Miller", Florian Westphal
Subject: [PATCH 5.4 2/9] vrf: Revert "Reset skb conntrack connection..."
Date: Thu, 4 Nov 2021 15:12:55 +0100
Message-Id: <20211104141158.465457859@linuxfoundation.org>
X-Mailer: git-send-email 2.33.1
In-Reply-To: <20211104141158.384397574@linuxfoundation.org>
References: <20211104141158.384397574@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
From: Eugene Crosser

commit 55161e67d44fdd23900be166a81e996abd6e3be9 upstream.

This reverts commit 09e856d54bda5f288ef8437a90ab2b9b3eab83d1.

When an interface is enslaved in a VRF, the prerouting conntrack hook is
called twice: once in the context of the original input interface, and
once in the context of the VRF interface. If no special precautions are
taken, this leads to creation of two conntrack entries instead of one,
and breaks SNAT.

Commit above was intended to avoid creation of extra conntrack entries
when input interface is enslaved in a VRF. It did so by resetting
conntrack related data associated with the skb when it enters VRF
context.

However it breaks netfilter operation. Imagine a use case when conntrack
zone must be assigned based on the original input interface, rather than
VRF interface (that would make original interfaces indistinguishable).
One could create netfilter rules similar to these:

	chain rawprerouting {
		type filter hook prerouting priority raw;
		iif realiface1 ct zone set 1 return
		iif realiface2 ct zone set 2 return
	}

This works before the mentioned commit, but not after: zone assignment
is "forgotten", and any subsequent NAT or filtering that is dependent
on the conntrack zone does not work.

Here is a reproducer script that demonstrates the difference in
behaviour.

==========
#!/bin/sh

# This script demonstrates unexpected change of nftables behaviour
# caused by commit 09e856d54bda5f28 "vrf: Reset skb conntrack
# connection on VRF rcv"
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=09e856d54bda5f288ef8437a90ab2b9b3eab83d1
#
# Before the commit, it was possible to assign conntrack zone to a
# packet (or mark it for `notracking`) in the prerouting chain, raw
# priority, based on the `iif` (interface from which the packet
# arrived).
# After the change,
# if the interface is enslaved in a VRF, such
# assignment is lost. Instead, assignment based on the `iif` matching
# the VRF master interface is honored. Thus it is impossible to
# distinguish packets based on the original interface.
#
# This script demonstrates this change of behaviour: conntrack zone 1
# or 2 is assigned depending on the match with the original interface
# or the vrf master interface. It can be observed that conntrack entry
# appears in different zone in the kernel versions before and after
# the commit.

IPIN=172.30.30.1
IPOUT=172.30.30.2
PFXL=30

# Clean up any leftovers from a previous run.
ip li sh vein >/dev/null 2>&1 && ip li del vein
ip li sh tvrf >/dev/null 2>&1 && ip li del tvrf
nft list table testct >/dev/null 2>&1 && nft delete table testct

# veth pair; the "out" end is enslaved in a VRF.
ip li add vein type veth peer veout
ip li add tvrf type vrf table 9876
ip li set veout master tvrf
ip li set vein up
ip li set veout up
ip li set tvrf up

/sbin/sysctl -w net.ipv4.conf.veout.accept_local=1
/sbin/sysctl -w net.ipv4.conf.veout.rp_filter=0
ip addr add $IPIN/$PFXL dev vein
ip addr add $IPOUT/$PFXL dev veout

nft -f - <<__END__
table testct {
	chain rawpre {
		type filter hook prerouting priority raw;
		iif { veout, tvrf } meta nftrace set 1
		iif veout ct zone set 1 return
		iif tvrf ct zone set 2 return
		notrack
	}
	chain rawout {
		type filter hook output priority raw;
		notrack
	}
}
__END__

uname -rv
conntrack -F
ping -W 1 -c 1 -I vein $IPOUT
conntrack -L

Signed-off-by: Eugene Crosser
Acked-by: David Ahern
Signed-off-by: David S. Miller
Cc: Florian Westphal
Signed-off-by: Greg Kroah-Hartman
---
 drivers/net/vrf.c | 4 ----
 1 file changed, 4 deletions(-)

--- a/drivers/net/vrf.c +++ b/drivers/net/vrf.c @@ -1036,8 +1036,6 @@ static struct sk_buff *vrf_ip6_rcv(struc bool need_strict = rt6_need_strict(&ipv6_hdr(skb)->daddr); bool is_ndisc = ipv6_ndisc_frame(skb); - nf_reset_ct(skb); - /* loopback, multicast & non-ND link-local traffic; do not push through * packet taps again. Reset pkt_type for upper layers to process skb. * For strict packets with a source LLA, determine the dst using the 
@@ -1094,8 +1092,6 @@ static struct sk_buff *vrf_ip_rcv(struct skb->skb_iif = vrf_dev->ifindex; IPCB(skb)->flags |= IPSKB_L3SLAVE; - nf_reset_ct(skb); - if (ipv4_is_multicast(ip_hdr(skb)->daddr)) goto out;
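Review bot: dropping nf_reset_ct(skb) from vrf_ip6_rcv brings back the behaviour the reverted commit was added to prevent, namely the duplicate conntrack entry and broken SNAT described at the top of the commit message, and the message gives no pointer to how that case is handled now; please reference the follow-up, or state that the original problem is preferred over losing per-interface zone assignment, so a stable reader does not re-add the reset. The reproducer also only exercises IPv4 (`ping -W 1 -c 1 -I vein $IPOUT` with IPOUT=172.30.30.2), so this IPv6 path is not covered by it; an IPv6 variant of the script would close that gap.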
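Review bot: in vrf_ip_rcv the removed nf_reset_ct(skb) sat directly after `skb->skb_iif = vrf_dev->ifindex;` and `IPCB(skb)->flags |= IPSKB_L3SLAVE;`, so after this revert the conntrack state set during the first prerouting pass on the real interface (`iif veout ct zone set 1` in the reproducer) is carried into the VRF-context pass while skb_iif already names the VRF device; a one-line comment at that spot saying the ct state is intentionally preserved across the re-injection would stop the reset from being reintroduced for the SNAT reason the original commit had.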
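The reproducer above ends with `conntrack -L` and leaves the reader to eyeball which zone the entry landed in. As an added check that is not part of Eugene Crosser's script or the kernel tree, the parser below turns that output into a pass/fail: it finds the entry for the ping flow and compares its zone with the one the `iif veout ct zone set 1` rule should have assigned. The two `conntrack -L` lines are constructed to mimic a kernel before and after the reverted commit, not captured output.

```python
import re

# Zone the "iif veout ct zone set 1" rule assigns when the first prerouting
# pass (on the real interface) is honoured.
EXPECTED_ZONE_REAL_IFACE = 1

# Constructed conntrack -L lines modelled on the reproducer's ping from
# 172.30.30.1 (vein) to 172.30.30.2 (veout). conntrack-tools prints
# key=value pairs and a "zone=N" field only when a zone was assigned.
CT_BEFORE_COMMIT = (
    "icmp     1 29 src=172.30.30.1 dst=172.30.30.2 type=8 code=0 id=1 "
    "src=172.30.30.2 dst=172.30.30.1 type=0 code=0 id=1 mark=0 zone=1 use=1"
)
CT_AFTER_COMMIT = (
    "icmp     1 29 src=172.30.30.1 dst=172.30.30.2 type=8 code=0 id=1 "
    "src=172.30.30.2 dst=172.30.30.1 type=0 code=0 id=1 mark=0 zone=2 use=1"
)

_KV = re.compile(r"(\w[\w-]*)=(\S+)")


def parse_ct_line(line):
    """Parse one conntrack -L line into (proto, original tuple, attrs).

    The original direction is the first src=/dst= pair; the reply tuple
    repeats those keys, so only the first occurrence is kept for the
    tuple and the per-entry keys (mark, zone, use) go into attrs.
    """
    proto = line.split()[0]
    orig, attrs = {}, {}
    for key, val in _KV.findall(line):
        if key in ("src", "dst"):
            orig.setdefault(key, val)
        elif key not in ("type", "code", "id"):
            attrs[key] = val
    # Absent "zone=" means the default zone 0.
    attrs["zone"] = int(attrs.get("zone", "0"))
    return proto, orig, attrs


def zone_for_flow(ct_output, src, dst):
    """Return the zone of the conntrack entry for src->dst, or None."""
    for line in ct_output.splitlines():
        if not line.strip():
            continue
        _, orig, attrs = parse_ct_line(line)
        if orig.get("src") == src and orig.get("dst") == dst:
            return attrs["zone"]
    return None


def zone_assignment_honoured(ct_output, src="172.30.30.1", dst="172.30.30.2"):
    """True when the reproducer's ping entry landed in zone 1 (real iface)."""
    return zone_for_flow(ct_output, src, dst) == EXPECTED_ZONE_REAL_IFACE
```

Feed it the real `conntrack -L` output from the script to compare kernel versions; a result of False on a kernel carrying the reverted commit is the regression the commit message describes.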