Adding support for VRF traffic passed by mangle table

Message ID 1491188266363.26046@alliedtelesis.co.nz
State Awaiting Upstream, archived
Delegated to: David Miller

Commit Message

Jack Ma April 3, 2017, 2:57 a.m. UTC
Hi David,

I formatted a patch to support VRF flow passed by iptables (mangle table). Previously, we lost the flow.oif, which would result in a routing look-up failure. This patch wraps the VRF response flow with the correct master interface by using the skb->dev, which was set to the real ingress device.
Without this patch, VRF traffic permitted by firewall rules that change nf_mark would be dropped while doing fib_lookup.
Kernel documentation suggested two ways of fixing this:

        <
        [2] Iptables on ingress supports PREROUTING with skb->dev set to the real
            ingress device and both INPUT and PREROUTING rules with skb->dev set to
            the VRF device. For egress POSTROUTING and OUTPUT rules can be written
            using either the VRF device or real egress device.
        >

Could you please look at this patch and give me some feedback?
Thanks for your time and considerations.

Regards,
Jack

Comments

David Ahern April 3, 2017, 1:24 p.m. UTC | #1
On 4/2/17 10:57 PM, Jack Ma wrote:
> diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
> index c0cc6aa..07168d4 100644
> --- a/net/ipv4/netfilter.c
> +++ b/net/ipv4/netfilter.c
> @@ -46,6 +46,14 @@ int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned int addr_t
>                 fl4.flowi4_oif = l3mdev_master_ifindex(dev);

How does the above line (which is part of this block:
        fl4.flowi4_oif = sk ? sk->sk_bound_dev_if : 0;
        if (!fl4.flowi4_oif)
                fl4.flowi4_oif = l3mdev_master_ifindex(dev);

) not work? The dst should be set on the skb at this point and the
device would reference the VRF.


>         fl4.flowi4_mark = skb->mark;
>         fl4.flowi4_flags = flags;
> +
> +       /* Since we have already known this is vrf flow passed by
> +        * mangle table, we wrap the oif with the master interface.
> +        */
> +       if (fl4.flowi4_oif == 0 && fl4.daddr && skb->dev &&
> +           netif_index_is_l3_master(net, skb->dev->ifindex))
> +               fl4.flowi4_oif = skb->dev->ifindex;
> +
>         rt = ip_route_output_key(net, &fl4);
>         if (IS_ERR(rt))
>                 return PTR_ERR(rt);
>
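Review bot: the comment on the new block claims "we have already known this is vrf flow passed by mangle table", but the condition beneath it tests none of that: it only checks that flowi4_oif is still 0, that fl4.daddr is non-zero, and that skb->dev is an L3 master (netif_index_is_l3_master). Nothing looks at skb->mark or at which table the packet traversed, so reword the comment to describe the actual test, and explain why the fl4.daddr != 0 guard is needed here at all. The block also duplicates the fallback a few lines earlier, `fl4.flowi4_oif = l3mdev_master_ifindex(dev);`, which already tries to derive the VRF oif; if this second lookup is required because that one returned 0, the commit message should state what `dev` referred to in that case (as opposed to skb->dev) so the reviewer can judge whether the fix belongs there instead of adding a second, device-specific branch.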
Patch

0001-Wrap-vrf-traffic-passed-by-mangle-table-with-correct.patch