Commit f8ea4a19 authored by Jakub Kicinski's avatar Jakub Kicinski

Merge branch 'l3mdev-icmp-error-route-lookup-fixes'

Mathieu Desnoyers says:

====================
l3mdev icmp error route lookup fixes

Here is a series of fixes for ipv4 and ipv6 which ensure the route
lookup is performed on the right routing table in VRF configurations
when sending TTL expired icmp errors (useful for traceroute).

It includes tests for both ipv4 and ipv6.

These fixes address specifically address the code paths involved in
sending TTL expired icmp errors. As detailed in the individual commit
messages, those fixes do not address similar icmp errors related to
network namespaces and unreachable / fragmentation needed messages,
which appear to use different code paths.
====================

Link: https://lore.kernel.org/r/20201012145016.2023-1-mathieu.desnoyers@efficios.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents 1e40d75e 1a017276
...@@ -457,6 +457,23 @@ static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb) ...@@ -457,6 +457,23 @@ static void icmp_reply(struct icmp_bxm *icmp_param, struct sk_buff *skb)
local_bh_enable(); local_bh_enable();
} }
/*
* The device used for looking up which routing table to use for sending an ICMP
* error is preferably the source whenever it is set, which should ensure the
* icmp error can be sent to the source host, else lookup using the routing
* table of the destination device, else use the main routing table (index 0).
*/
static struct net_device *icmp_get_route_lookup_dev(struct sk_buff *skb)
{
struct net_device *route_lookup_dev = NULL;
if (skb->dev)
route_lookup_dev = skb->dev;
else if (skb_dst(skb))
route_lookup_dev = skb_dst(skb)->dev;
return route_lookup_dev;
}
static struct rtable *icmp_route_lookup(struct net *net, static struct rtable *icmp_route_lookup(struct net *net,
struct flowi4 *fl4, struct flowi4 *fl4,
struct sk_buff *skb_in, struct sk_buff *skb_in,
...@@ -465,6 +482,7 @@ static struct rtable *icmp_route_lookup(struct net *net, ...@@ -465,6 +482,7 @@ static struct rtable *icmp_route_lookup(struct net *net,
int type, int code, int type, int code,
struct icmp_bxm *param) struct icmp_bxm *param)
{ {
struct net_device *route_lookup_dev;
struct rtable *rt, *rt2; struct rtable *rt, *rt2;
struct flowi4 fl4_dec; struct flowi4 fl4_dec;
int err; int err;
...@@ -479,7 +497,8 @@ static struct rtable *icmp_route_lookup(struct net *net, ...@@ -479,7 +497,8 @@ static struct rtable *icmp_route_lookup(struct net *net,
fl4->flowi4_proto = IPPROTO_ICMP; fl4->flowi4_proto = IPPROTO_ICMP;
fl4->fl4_icmp_type = type; fl4->fl4_icmp_type = type;
fl4->fl4_icmp_code = code; fl4->fl4_icmp_code = code;
fl4->flowi4_oif = l3mdev_master_ifindex(skb_dst(skb_in)->dev); route_lookup_dev = icmp_get_route_lookup_dev(skb_in);
fl4->flowi4_oif = l3mdev_master_ifindex(route_lookup_dev);
security_skb_classify_flow(skb_in, flowi4_to_flowi(fl4)); security_skb_classify_flow(skb_in, flowi4_to_flowi(fl4));
rt = ip_route_output_key_hash(net, fl4, skb_in); rt = ip_route_output_key_hash(net, fl4, skb_in);
...@@ -503,7 +522,7 @@ static struct rtable *icmp_route_lookup(struct net *net, ...@@ -503,7 +522,7 @@ static struct rtable *icmp_route_lookup(struct net *net,
if (err) if (err)
goto relookup_failed; goto relookup_failed;
if (inet_addr_type_dev_table(net, skb_dst(skb_in)->dev, if (inet_addr_type_dev_table(net, route_lookup_dev,
fl4_dec.saddr) == RTN_LOCAL) { fl4_dec.saddr) == RTN_LOCAL) {
rt2 = __ip_route_output_key(net, &fl4_dec); rt2 = __ip_route_output_key(net, &fl4_dec);
if (IS_ERR(rt2)) if (IS_ERR(rt2))
......
...@@ -501,8 +501,11 @@ void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info, ...@@ -501,8 +501,11 @@ void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info,
if (__ipv6_addr_needs_scope_id(addr_type)) { if (__ipv6_addr_needs_scope_id(addr_type)) {
iif = icmp6_iif(skb); iif = icmp6_iif(skb);
} else { } else {
dst = skb_dst(skb); /*
iif = l3mdev_master_ifindex(dst ? dst->dev : skb->dev); * The source device is used for looking up which routing table
* to use for sending an ICMP error.
*/
iif = l3mdev_master_ifindex(skb->dev);
} }
/* /*
......
...@@ -468,8 +468,6 @@ int ip6_forward(struct sk_buff *skb) ...@@ -468,8 +468,6 @@ int ip6_forward(struct sk_buff *skb)
* check and decrement ttl * check and decrement ttl
*/ */
if (hdr->hop_limit <= 1) { if (hdr->hop_limit <= 1) {
/* Force OUTPUT device used as source address */
skb->dev = dst->dev;
icmpv6_send(skb, ICMPV6_TIME_EXCEED, ICMPV6_EXC_HOPLIMIT, 0); icmpv6_send(skb, ICMPV6_TIME_EXCEED, ICMPV6_EXC_HOPLIMIT, 0);
__IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS); __IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS);
......
...@@ -19,6 +19,7 @@ TEST_PROGS += txtimestamp.sh ...@@ -19,6 +19,7 @@ TEST_PROGS += txtimestamp.sh
TEST_PROGS += vrf-xfrm-tests.sh TEST_PROGS += vrf-xfrm-tests.sh
TEST_PROGS += rxtimestamp.sh TEST_PROGS += rxtimestamp.sh
TEST_PROGS += devlink_port_split.py TEST_PROGS += devlink_port_split.py
TEST_PROGS += vrf_route_leaking.sh
TEST_PROGS_EXTENDED := in_netns.sh TEST_PROGS_EXTENDED := in_netns.sh
TEST_GEN_FILES = socket nettest TEST_GEN_FILES = socket nettest
TEST_GEN_FILES += psock_fanout psock_tpacket msg_zerocopy reuseport_addr_any TEST_GEN_FILES += psock_fanout psock_tpacket msg_zerocopy reuseport_addr_any
......
This diff is collapsed.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment