	netfilter: ip6t_rpfilter: Fix regression with VRF interfaces
When calling ip6_route_lookup() for the packet arriving on the VRF
interface, the result is always the real (slave) interface. Expect this
when validating the result.
Fixes: acc641ab95 ("netfilter: rpfilter/fib: Populate flowic_l3mdev field")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
			
			
This commit is contained in:
		
							parent
							
								
									e6d57e9ff0
								
							
						
					
					
						commit
						efb056e5f1
					
				| @ -72,7 +72,9 @@ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb, | ||||
| 		goto out; | ||||
| 	} | ||||
| 
 | ||||
| 	if (rt->rt6i_idev->dev == dev || (flags & XT_RPFILTER_LOOSE)) | ||||
| 	if (rt->rt6i_idev->dev == dev || | ||||
| 	    l3mdev_master_ifindex_rcu(rt->rt6i_idev->dev) == dev->ifindex || | ||||
| 	    (flags & XT_RPFILTER_LOOSE)) | ||||
| 		ret = true; | ||||
|  out: | ||||
| 	ip6_rt_put(rt); | ||||
|  | ||||
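Review bot: The new `l3mdev_master_ifindex_rcu()` comparison on the second line of the condition has no comment saying why a route device other than `dev` may be accepted; that rationale only lives in the commit message. I would add above the `if`: `/* A lookup for a packet received on a VRF device returns the enslaved (real) device, so also accept a route whose L3 master is dev. */`. As far as I can tell the check is safe for non-VRF setups, since the helper should return 0 for a device without an L3 master and 0 never equals a registered `dev->ifindex`, but that is worth confirming; the `_rcu` variant also presumes the caller holds the RCU read lock, which the netfilter hook path presumably provides. `rpfilter_lookup_reverse6()` starts and ends outside the hunk.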
| @ -62,10 +62,16 @@ ip -net "$ns1" a a fec0:42::2/64 dev v0 nodad | ||||
| ip -net "$ns2" a a fec0:42::1/64 dev d0 nodad | ||||
| 
 | ||||
| # firewall matches to test | ||||
| [ -n "$iptables" ] && ip netns exec "$ns2" \ | ||||
| 	"$iptables" -t raw -A PREROUTING -s 192.168.0.0/16 -m rpfilter | ||||
| [ -n "$ip6tables" ] && ip netns exec "$ns2" \ | ||||
| 	"$ip6tables" -t raw -A PREROUTING -s fec0::/16 -m rpfilter | ||||
| [ -n "$iptables" ] && { | ||||
| 	common='-t raw -A PREROUTING -s 192.168.0.0/16' | ||||
| 	ip netns exec "$ns2" "$iptables" $common -m rpfilter | ||||
| 	ip netns exec "$ns2" "$iptables" $common -m rpfilter --invert | ||||
| } | ||||
| [ -n "$ip6tables" ] && { | ||||
| 	common='-t raw -A PREROUTING -s fec0::/16' | ||||
| 	ip netns exec "$ns2" "$ip6tables" $common -m rpfilter | ||||
| 	ip netns exec "$ns2" "$ip6tables" $common -m rpfilter --invert | ||||
| } | ||||
| [ -n "$nft" ] && ip netns exec "$ns2" $nft -f - <<EOF | ||||
| table inet t { | ||||
| 	chain c { | ||||
| @ -89,6 +95,11 @@ ipt_zero_rule() { # (command) | ||||
| 	[ -n "$1" ] || return 0 | ||||
| 	ip netns exec "$ns2" "$1" -t raw -vS | grep -q -- "-m rpfilter -c 0 0" | ||||
| } | ||||
| ipt_zero_reverse_rule() { # (command) | ||||
| 	[ -n "$1" ] || return 0 | ||||
| 	ip netns exec "$ns2" "$1" -t raw -vS | \ | ||||
| 		grep -q -- "-m rpfilter --invert -c 0 0" | ||||
| } | ||||
| nft_zero_rule() { # (family) | ||||
| 	[ -n "$nft" ] || return 0 | ||||
| 	ip netns exec "$ns2" "$nft" list chain inet t c | \ | ||||
| @ -101,8 +112,7 @@ netns_ping() { # (netns, args...) | ||||
| 	ip netns exec "$netns" ping -q -c 1 -W 1 "$@" >/dev/null | ||||
| } | ||||
| 
 | ||||
| testrun() { | ||||
| 	# clear counters first | ||||
| clear_counters() { | ||||
| 	[ -n "$iptables" ] && ip netns exec "$ns2" "$iptables" -t raw -Z | ||||
| 	[ -n "$ip6tables" ] && ip netns exec "$ns2" "$ip6tables" -t raw -Z | ||||
| 	if [ -n "$nft" ]; then | ||||
| @ -111,6 +121,10 @@ testrun() { | ||||
| 			ip netns exec "$ns2" $nft -s list table inet t; | ||||
| 		) | ip netns exec "$ns2" $nft -f - | ||||
| 	fi | ||||
| } | ||||
| 
 | ||||
| testrun() { | ||||
| 	clear_counters | ||||
| 
 | ||||
| 	# test 1: martian traffic should fail rpfilter matches | ||||
| 	netns_ping "$ns1" -I v0 192.168.42.1 && \ | ||||
| @ -120,9 +134,13 @@ testrun() { | ||||
| 
 | ||||
| 	ipt_zero_rule "$iptables" || die "iptables matched martian" | ||||
| 	ipt_zero_rule "$ip6tables" || die "ip6tables matched martian" | ||||
| 	ipt_zero_reverse_rule "$iptables" && die "iptables not matched martian" | ||||
| 	ipt_zero_reverse_rule "$ip6tables" && die "ip6tables not matched martian" | ||||
| 	nft_zero_rule ip || die "nft IPv4 matched martian" | ||||
| 	nft_zero_rule ip6 || die "nft IPv6 matched martian" | ||||
| 
 | ||||
| 	clear_counters | ||||
| 
 | ||||
| 	# test 2: rpfilter match should pass for regular traffic | ||||
| 	netns_ping "$ns1" 192.168.23.1 || \ | ||||
| 		die "regular ping 192.168.23.1 failed" | ||||
| @ -131,6 +149,8 @@ testrun() { | ||||
| 
 | ||||
| 	ipt_zero_rule "$iptables" && die "iptables match not effective" | ||||
| 	ipt_zero_rule "$ip6tables" && die "ip6tables match not effective" | ||||
| 	ipt_zero_reverse_rule "$iptables" || die "iptables match over-effective" | ||||
| 	ipt_zero_reverse_rule "$ip6tables" || die "ip6tables match over-effective" | ||||
| 	nft_zero_rule ip && die "nft IPv4 match not effective" | ||||
| 	nft_zero_rule ip6 && die "nft IPv6 match not effective" | ||||
| 
 | ||||
|  | ||||
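Review bot: The new `ipt_zero_reverse_rule` in the second hunk returns success when its argument is empty (`[ -n "$1" ] || return 0`), which is right for the `|| die` call sites but makes the `&& die` call sites in the later hunks fire whenever the tool is absent — e.g. `ipt_zero_reverse_rule "$iptables" && die "iptables not matched martian"` dies if `$iptables` is empty. Whether `$iptables` or `$ip6tables` can be empty here depends on tool detection outside these hunks; the `[ -n "$iptables" ] && { ... }` guards in the first hunk suggest a missing tool is tolerated, in which case the `&& die` sites need a guard such as `[ -z "$iptables" ] || ! ipt_zero_reverse_rule "$iptables" || die "iptables not matched martian"`. The pre-existing `ipt_zero_rule "$iptables" && die ...` lines in the last hunk share the same shape, so the fix should cover both helpers. `testrun()` begins before these hunks and its end is outside the view.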
	 Phil Sutter
						Phil Sutter