diff options
| author | Martin KaFai Lau <kafai@fb.com> | 2015-05-22 23:56:02 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-05-25 13:25:34 -0400 |
| commit | 48e8aa6e3137692d38f20e8bfff100e408c6bc53 (patch) | |
| tree | 9527801b5b219fb0f3c1cb62c8d1e8bfc44e7a51 /net/netfilter | |
| parent | b197df4f0f3782782e9ea8996e91b65ae33e8dd9 (diff) | |
ipv6: Set FLOWI_FLAG_KNOWN_NH at flowi6_flags
The neighbor look-up used to depend on the rt6i_gateway (if
there is a gateway) or the rt6i_dst (if it is a RTF_CACHE clone)
as the nexthop address. Note that rt6i_dst is set to fl6->daddr
for the RTF_CACHE clone where fl6->daddr is the one used to do
the route look-up.
Now, we only create RTF_CACHE clone after encountering exception.
When doing the neighbor look-up with a route that is neither a gateway
nor a RTF_CACHE clone, the daddr in skb will be used as the nexthop.
In some cases, the daddr in skb is not the one used to do
the route look-up. One example is in ip_vs_dr_xmit_v6() where the
real nexthop server address is different from the one in the skb.
This patch is going to follow the IPv4 approach and ask the
ip6_pol_route() callers to set the FLOWI_FLAG_KNOWN_NH properly.
In the next patch, ip6_pol_route() will honor the FLOWI_FLAG_KNOWN_NH
and create a RTF_CACHE clone.
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Tested-by: Julian Anastasov <ja@ssi.bg>
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/ipvs/ip_vs_xmit.c | 13 | ||||
| -rw-r--r-- | net/netfilter/xt_TEE.c | 1 |
2 files changed, 10 insertions, 4 deletions
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c index 5eff9f6dcfb8..bf66a8657a5f 100644 --- a/net/netfilter/ipvs/ip_vs_xmit.c +++ b/net/netfilter/ipvs/ip_vs_xmit.c | |||
| @@ -364,13 +364,16 @@ err_unreach: | |||
| 364 | #ifdef CONFIG_IP_VS_IPV6 | 364 | #ifdef CONFIG_IP_VS_IPV6 |
| 365 | static struct dst_entry * | 365 | static struct dst_entry * |
| 366 | __ip_vs_route_output_v6(struct net *net, struct in6_addr *daddr, | 366 | __ip_vs_route_output_v6(struct net *net, struct in6_addr *daddr, |
| 367 | struct in6_addr *ret_saddr, int do_xfrm) | 367 | struct in6_addr *ret_saddr, int do_xfrm, int rt_mode) |
| 368 | { | 368 | { |
| 369 | struct dst_entry *dst; | 369 | struct dst_entry *dst; |
| 370 | struct flowi6 fl6 = { | 370 | struct flowi6 fl6 = { |
| 371 | .daddr = *daddr, | 371 | .daddr = *daddr, |
| 372 | }; | 372 | }; |
| 373 | 373 | ||
| 374 | if (rt_mode & IP_VS_RT_MODE_KNOWN_NH) | ||
| 375 | fl6.flowi6_flags = FLOWI_FLAG_KNOWN_NH; | ||
| 376 | |||
| 374 | dst = ip6_route_output(net, NULL, &fl6); | 377 | dst = ip6_route_output(net, NULL, &fl6); |
| 375 | if (dst->error) | 378 | if (dst->error) |
| 376 | goto out_err; | 379 | goto out_err; |
| @@ -427,7 +430,7 @@ __ip_vs_get_out_rt_v6(int skb_af, struct sk_buff *skb, struct ip_vs_dest *dest, | |||
| 427 | } | 430 | } |
| 428 | dst = __ip_vs_route_output_v6(net, &dest->addr.in6, | 431 | dst = __ip_vs_route_output_v6(net, &dest->addr.in6, |
| 429 | &dest_dst->dst_saddr.in6, | 432 | &dest_dst->dst_saddr.in6, |
| 430 | do_xfrm); | 433 | do_xfrm, rt_mode); |
| 431 | if (!dst) { | 434 | if (!dst) { |
| 432 | __ip_vs_dst_set(dest, NULL, NULL, 0); | 435 | __ip_vs_dst_set(dest, NULL, NULL, 0); |
| 433 | spin_unlock_bh(&dest->dst_lock); | 436 | spin_unlock_bh(&dest->dst_lock); |
| @@ -446,7 +449,8 @@ __ip_vs_get_out_rt_v6(int skb_af, struct sk_buff *skb, struct ip_vs_dest *dest, | |||
| 446 | *ret_saddr = dest_dst->dst_saddr.in6; | 449 | *ret_saddr = dest_dst->dst_saddr.in6; |
| 447 | } else { | 450 | } else { |
| 448 | noref = 0; | 451 | noref = 0; |
| 449 | dst = __ip_vs_route_output_v6(net, daddr, ret_saddr, do_xfrm); | 452 | dst = __ip_vs_route_output_v6(net, daddr, ret_saddr, do_xfrm, |
| 453 | rt_mode); | ||
| 450 | if (!dst) | 454 | if (!dst) |
| 451 | goto err_unreach; | 455 | goto err_unreach; |
| 452 | rt = (struct rt6_info *) dst; | 456 | rt = (struct rt6_info *) dst; |
| @@ -1164,7 +1168,8 @@ ip_vs_dr_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp, | |||
| 1164 | local = __ip_vs_get_out_rt_v6(cp->af, skb, cp->dest, &cp->daddr.in6, | 1168 | local = __ip_vs_get_out_rt_v6(cp->af, skb, cp->dest, &cp->daddr.in6, |
| 1165 | NULL, ipvsh, 0, | 1169 | NULL, ipvsh, 0, |
| 1166 | IP_VS_RT_MODE_LOCAL | | 1170 | IP_VS_RT_MODE_LOCAL | |
| 1167 | IP_VS_RT_MODE_NON_LOCAL); | 1171 | IP_VS_RT_MODE_NON_LOCAL | |
| 1172 | IP_VS_RT_MODE_KNOWN_NH); | ||
| 1168 | if (local < 0) | 1173 | if (local < 0) |
| 1169 | goto tx_error; | 1174 | goto tx_error; |
| 1170 | if (local) { | 1175 | if (local) { |
diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c index 292934d23482..a747eb475b68 100644 --- a/net/netfilter/xt_TEE.c +++ b/net/netfilter/xt_TEE.c | |||
| @@ -152,6 +152,7 @@ tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info) | |||
| 152 | fl6.daddr = info->gw.in6; | 152 | fl6.daddr = info->gw.in6; |
| 153 | fl6.flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) | | 153 | fl6.flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) | |
| 154 | (iph->flow_lbl[1] << 8) | iph->flow_lbl[2]; | 154 | (iph->flow_lbl[1] << 8) | iph->flow_lbl[2]; |
| 155 | fl6.flowi6_flags = FLOWI_FLAG_KNOWN_NH; | ||
| 155 | dst = ip6_route_output(net, NULL, &fl6); | 156 | dst = ip6_route_output(net, NULL, &fl6); |
| 156 | if (dst->error) { | 157 | if (dst->error) { |
| 157 | dst_release(dst); | 158 | dst_release(dst); |