Message ID | 1488376043-31976-1-git-send-email-alin.nastac@gmail.com |
---|---|
State | Superseded |
Delegated to: | Pablo Neira |
On Wed, Mar 01, 2017 at 02:47:23PM +0100, Alin Nastac wrote:
> Link-local and multicast packets must keep their original oif after
> ip6_route_me_harder is called.

Out of curiosity, what does the setup you use look like to trigger this
problem?

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

On Fri, Mar 3, 2017 at 12:39 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Wed, Mar 01, 2017 at 02:47:23PM +0100, Alin Nastac wrote:
>> Link-local and multicast packets must keep their original oif after
>> ip6_route_me_harder is called.
>
> Out of curiosity, what does the setup you use look like to trigger this
> problem?

ICMPv6 RA/NS/NA are marked by a -j MARK iptables rule (the mark value
is used to set the QoS queue).
Because skb->mark value changed, ip6t_mangle_out will call ip6_route_me_harder.

On Fri, Mar 03, 2017 at 12:56:50PM +0100, Alin Năstac wrote:
> On Fri, Mar 3, 2017 at 12:39 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Wed, Mar 01, 2017 at 02:47:23PM +0100, Alin Nastac wrote:
> >> Link-local and multicast packets must keep their original oif after
> >> ip6_route_me_harder is called.
> >
> > Out of curiosity, what does the setup you use look like to trigger this
> > problem?
>
> ICMPv6 RA/NS/NA are marked by a -j MARK iptables rule (the mark value
> is used to set the QoS queue).
> Because skb->mark value changed, ip6t_mangle_out will call ip6_route_me_harder.

That sounds quite standard. Did this break after a kernel upgrade? I'm
trying to guess if the problem is somewhere else...

On Fri, Mar 3, 2017 at 1:12 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Fri, Mar 03, 2017 at 12:56:50PM +0100, Alin Năstac wrote:
>> On Fri, Mar 3, 2017 at 12:39 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>> > On Wed, Mar 01, 2017 at 02:47:23PM +0100, Alin Nastac wrote:
>> >> Link-local and multicast packets must keep their original oif after
>> >> ip6_route_me_harder is called.
>> >
>> > Out of curiosity, what does the setup you use look like to trigger this
>> > problem?
>>
>> ICMPv6 RA/NS/NA are marked by a -j MARK iptables rule (the mark value
>> is used to set the QoS queue).
>> Because skb->mark value changed, ip6t_mangle_out will call ip6_route_me_harder.
>
> That sounds quite standard. Did this break after a kernel upgrade? I'm
> trying to guess if the problem is somewhere else...

I used kernel version 4.1 to test an adapted version of this patch.

Judging by the ip6_route_output_flags() definition present in kernel
version 4.10, callers are expected to provide a valid value for
fl6->flowi6_oif when rt6_need_strict(&fl6->daddr) is true.

diff --git a/net/ipv6/netfilter.c b/net/ipv6/netfilter.c index 39970e2..02811c5 100644 --- a/net/ipv6/netfilter.c +++ b/net/ipv6/netfilter.c @@ -24,7 +24,8 @@ int ip6_route_me_harder(struct net *net, struct sk_buff *skb) unsigned int hh_len; struct dst_entry *dst; struct flowi6 fl6 = { - .flowi6_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0, + .flowi6_oif = skb->sk ? skb->sk->sk_bound_dev_if : + rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0, .flowi6_mark = skb->mark, .flowi6_uid = sock_net_uid(net, skb->sk), .daddr = iph->daddr,
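
Review bot: in the new .flowi6_oif initializer, the rt6_need_strict(&iph->daddr) branch is only evaluated when skb->sk is NULL, so a packet that carries a socket whose sk_bound_dev_if is 0 still ends up with oif 0 even when the destination is link-local or multicast. If the intent is that every strict destination keeps its original output interface, test the binding itself first (skb->sk && skb->sk->sk_bound_dev_if) and fall through to the rt6_need_strict() check otherwise. The added branch also dereferences skb_dst(skb)->dev with no check visible in this hunk that a dst is attached at this point; either confirm that in the commit message or guard it. Finally, the chained ?: is hard to read as written; parenthesize the inner conditional or compute the oif into a local variable before the fl6 initializer.
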
Link-local and multicast packets must keep their original oif after
ip6_route_me_harder is called.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
---
 net/ipv6/netfilter.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)