From patchwork Tue Sep 7 05:35:07 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: David Miller
X-Patchwork-Id: 63966
X-Patchwork-Delegate: davem@davemloft.net
Return-Path:
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id A691CB70AB for ; Tue, 7 Sep 2010 15:34:56 +1000 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752661Ab0IGFev (ORCPT ); Tue, 7 Sep 2010 01:34:51 -0400
Received: from 74-93-104-97-Washington.hfc.comcastbusiness.net ([74.93.104.97]:40468 "EHLO sunset.davemloft.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751320Ab0IGFeu (ORCPT ); Tue, 7 Sep 2010 01:34:50 -0400
Received: from localhost (localhost [127.0.0.1]) by sunset.davemloft.net (Postfix) with ESMTP id D5CDA24C088; Mon, 6 Sep 2010 22:35:07 -0700 (PDT)
Date: Mon, 06 Sep 2010 22:35:07 -0700 (PDT)
Message-Id: <20100906.223507.149819455.davem@davemloft.net>
To: akpm@linux-foundation.org
Cc: netfilter@vger.kernel.org, netdev@vger.kernel.org, bugzilla-daemon@bugzilla.kernel.org, bugme-daemon@bugzilla.kernel.org, for.poige+bugzilla.kernel.org@gmail.com
Subject: Re: [Bugme-new] [Bug 16517] New: rp_filter fails to filter with CONFIG_IP_ROUTE_MULTIPATH and more than one 0/0 nexthop dev
From: David Miller
In-Reply-To: <20100805134653.9e8985cc.akpm@linux-foundation.org>
References: <20100805134653.9e8985cc.akpm@linux-foundation.org>
X-Mailer: Mew version 6.3 on Emacs 23.1 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

From: Andrew Morton
Date: Thu, 5 Aug 2010 13:46:53 -0700

>> I think the problem is net/ipv4/fib_frontend.c fib_validate_source()
>>
>> ...
>> #ifdef CONFIG_IP_ROUTE_MULTIPATH
>> if (FIB_RES_DEV(res) == dev || res.fi->fib_nhs > 1)
>> #else
>> if (FIB_RES_DEV(res) == dev)
>> #endif
>> ...
>>
>> I'm not sure, but this code is quite trivial and self-speaking. In case we have
>> several default routes, we'd better iterate over each of them and compare
>> resulting devices with the input one. So, fix is also trivial, specially for
>> network kernel developers. ;-)

Please test this patch:

ipv4: Fix reverse path filtering with multipath routing.

Actually iterate over the next-hops to make sure we have a device
match. Otherwise RP filtering is always elided when the route matched
has multiple next-hops.

Reported-by: Igor M Podlesny
Signed-off-by: David S. Miller
---
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c index a439689..7d02a9f 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c @@ -246,6 +246,7 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif, struct fib_result res; int no_addr, rpf, accept_local; + bool dev_match; int ret; struct net *net; @@ -273,12 +274,22 @@ int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif, } *spec_dst = FIB_RES_PREFSRC(res); fib_combine_itag(itag, &res); + dev_match = false; + #ifdef CONFIG_IP_ROUTE_MULTIPATH - if (FIB_RES_DEV(res) == dev || res.fi->fib_nhs > 1) + for (ret = 0; ret < res.fi->fib_nhs; ret++) { + struct fib_nh *nh = &res.fi->fib_nh[ret]; + + if (nh->nh_dev == dev) { + dev_match = true; + break; + } + } #else if (FIB_RES_DEV(res) == dev) + dev_match = true; #endif - { + if (dev_match) { ret = FIB_RES_NH(res).nh_scope >= RT_SCOPE_HOST; fib_res_put(&res); return ret;
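
Review bot: In the second hunk, once the loop has set dev_match, the scope test still reads `FIB_RES_NH(res).nh_scope`, which is the next-hop the lookup selected and not necessarily the entry of `fib_nh[]` whose `nh_dev` matched `dev`. With multipath, a packet arriving on the device of one next-hop can therefore be accepted or rejected on the scope of another; consider remembering the matching `nh` and testing `nh->nh_scope >= RT_SCOPE_HOST` instead. The loop also borrows `ret` as its index, so on the no-match path `ret` is left equal to `res.fi->fib_nhs`; a dedicated counter would keep the return variable from carrying a stale index into the code that follows the hunk.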