Merge branch 'fib_validate_loopback'

Cong Wang says: ==================== ipv4: fix flowi4_iif for input routing This patchset fixes ->flowi4_iif for input routing and rp filter, based on suggestion from Julian. See per patch for details. v1 -> v2: * merge the first two patches into one * fix fib_check_nh() too * add this cover letter ==================== Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: Cong Wang <cwang@twopensource.com> Reviewed-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2014-04-16 15:05:39 -0400
committer: David S. Miller <davem@davemloft.net> 2014-04-16 15:05:39 -0400
commit: bc383ea52278f1fafd7592ea7faf4b8f1edd8602 (patch)
tree: f0e29586ba3af5fe02b569016bef1e596015fa3f
parent: c98235cb8584a72e95786e17d695a8e5fafcd766 (diff)
parent: 0d5edc68739f1c1e0519acbea1d3f0c1882a15d7 (diff)
8 files changed, 16 insertions, 18 deletions
diff --git a/include/net/flow.h b/include/net/flow.h
index 64fd24836650..8109a159d1b3 100644
--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -11,6 +11,14 @@
 #include <linux/in6.h>
 #include <linux/atomic.h>
+/*
+ * ifindex generation is per-net namespace, and loopback is
+ * always the 1st device in ns (see net_dev_init), thus any
+ * loopback device should get ifindex 1
+ */
+#define LOOPBACK_IFINDEX        1
 struct flowi_common {
        int     flowic_oif;
        int     flowic_iif;
@@ -80,7 +88,7 @@ static inline void flowi4_init_output(struct flowi4 *fl4, int oif,
                                      __be16 dport, __be16 sport)
 {
        fl4->flowi4_oif = oif;
-        fl4->flowi4_iif = 0;
+        fl4->flowi4_iif = LOOPBACK_IFINDEX;
        fl4->flowi4_mark = mark;
        fl4->flowi4_tos = tos;
        fl4->flowi4_scope = scope;
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index 79387f73f875..5f9eb260990f 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -9,6 +9,7 @@
 #include <linux/list.h>
 #include <linux/sysctl.h>
+#include <net/flow.h>
 #include <net/netns/core.h>
 #include <net/netns/mib.h>
 #include <net/netns/unix.h>
@@ -131,14 +132,6 @@ struct net {
        atomic_t                fnhe_genid;
 };
-/*
- * ifindex generation is per-net namespace, and loopback is
- * always the 1st device in ns (see net_dev_init), thus any
- * loopback device should get ifindex 1
- */
-#define LOOPBACK_IFINDEX        1
 #include <linux/seq_file_net.h>
 /* Init's network namespace */
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 1a629f870274..255aa9946fe7 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -250,7 +250,7 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
        bool dev_match;
        fl4.flowi4_oif = 0;
-        fl4.flowi4_iif = oif;
+        fl4.flowi4_iif = oif ? : LOOPBACK_IFINDEX;
        fl4.daddr = src;
        fl4.saddr = dst;
        fl4.flowi4_tos = tos;
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index b53f0bf84dca..8a043f03c88e 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -631,6 +631,7 @@ static int fib_check_nh(struct fib_config *cfg, struct fib_info *fi,
                                .daddr = nh->nh_gw,
                                .flowi4_scope = cfg->fc_scope + 1,
                                .flowi4_oif = nh->nh_oif,
+                                .flowi4_iif = LOOPBACK_IFINDEX,
                        };
                        /* It is not necessary, but requires a bit of thinking */
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 28863570dd60..d84dc8d4c916 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -455,7 +455,7 @@ static netdev_tx_t reg_vif_xmit(struct sk_buff *skb, struct net_device *dev)
        struct mr_table *mrt;
        struct flowi4 fl4 = {
                .flowi4_oif     = dev->ifindex,
-                .flowi4_iif     = skb->skb_iif,
+                .flowi4_iif     = skb->skb_iif ? : LOOPBACK_IFINDEX,
                .flowi4_mark    = skb->mark,
        };
        int err;
diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
index c49dcd0284a0..4bfaedf9b34e 100644
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -89,11 +89,8 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
        if (ipv4_is_multicast(iph->daddr)) {
                if (ipv4_is_zeronet(iph->saddr))
                        return ipv4_is_local_multicast(iph->daddr) ^ invert;
-                flow.flowi4_iif = 0;
-        } else {
-                flow.flowi4_iif = LOOPBACK_IFINDEX;
        }
+        flow.flowi4_iif = LOOPBACK_IFINDEX;
        flow.daddr = iph->saddr;
        flow.saddr = rpfilter_get_saddr(iph->daddr);
        flow.flowi4_oif = 0;
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 1485aafcad59..db1e0da871f4 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1700,8 +1700,7 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
        if (res.type == RTN_LOCAL) {
                err = fib_validate_source(skb, saddr, daddr, tos,
-                                          LOOPBACK_IFINDEX,
+                                          0, dev, in_dev, &itag);
-                                          dev, in_dev, &itag);
                if (err < 0)
                        goto martian_source_keep_err;
                goto local_input;
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 8737400af0a0..8659067da28e 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -700,7 +700,7 @@ static netdev_tx_t reg_vif_xmit(struct sk_buff *skb,
        struct mr6_table *mrt;
        struct flowi6 fl6 = {
                .flowi6_oif     = dev->ifindex,
-                .flowi6_iif     = skb->skb_iif,
+                .flowi6_iif     = skb->skb_iif ? : LOOPBACK_IFINDEX,
                .flowi6_mark    = skb->mark,
        };
        int err;
author	David S. Miller <davem@davemloft.net>	2014-04-16 15:05:39 -0400
committer	David S. Miller <davem@davemloft.net>	2014-04-16 15:05:39 -0400
commit	bc383ea52278f1fafd7592ea7faf4b8f1edd8602 (patch)
tree	f0e29586ba3af5fe02b569016bef1e596015fa3f
parent	c98235cb8584a72e95786e17d695a8e5fafcd766 (diff)
parent	0d5edc68739f1c1e0519acbea1d3f0c1882a15d7 (diff)

diff --git a/include/net/flow.h b/include/net/flow.h index 64fd24836650..8109a159d1b3 100644 --- a/include/net/flow.h +++ b/include/net/flow.h
@@ -11,6 +11,14 @@
11	#include <linux/in6.h>	11	#include <linux/in6.h>
12	#include <linux/atomic.h>	12	#include <linux/atomic.h>
13		13
		14	/*
		15	* ifindex generation is per-net namespace, and loopback is
		16	* always the 1st device in ns (see net_dev_init), thus any
		17	* loopback device should get ifindex 1
		18	*/
		19
		20	#define LOOPBACK_IFINDEX 1
		21
14	struct flowi_common {	22	struct flowi_common {
15	int flowic_oif;	23	int flowic_oif;
16	int flowic_iif;	24	int flowic_iif;
@@ -80,7 +88,7 @@ static inline void flowi4_init_output(struct flowi4 *fl4, int oif,
80	__be16 dport, __be16 sport)	88	__be16 dport, __be16 sport)
81	{	89	{
82	fl4->flowi4_oif = oif;	90	fl4->flowi4_oif = oif;
83	fl4->flowi4_iif = 0;	91	fl4->flowi4_iif = LOOPBACK_IFINDEX;
84	fl4->flowi4_mark = mark;	92	fl4->flowi4_mark = mark;
85	fl4->flowi4_tos = tos;	93	fl4->flowi4_tos = tos;
86	fl4->flowi4_scope = scope;	94	fl4->flowi4_scope = scope;


diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h index 79387f73f875..5f9eb260990f 100644 --- a/include/net/net_namespace.h +++ b/include/net/net_namespace.h
@@ -9,6 +9,7 @@
9	#include <linux/list.h>	9	#include <linux/list.h>
10	#include <linux/sysctl.h>	10	#include <linux/sysctl.h>
11		11
		12	#include <net/flow.h>
12	#include <net/netns/core.h>	13	#include <net/netns/core.h>
13	#include <net/netns/mib.h>	14	#include <net/netns/mib.h>
14	#include <net/netns/unix.h>	15	#include <net/netns/unix.h>
@@ -131,14 +132,6 @@ struct net {
131	atomic_t fnhe_genid;	132	atomic_t fnhe_genid;
132	};	133	};
133		134
134	/*
135	* ifindex generation is per-net namespace, and loopback is
136	* always the 1st device in ns (see net_dev_init), thus any
137	* loopback device should get ifindex 1
138	*/
139
140	#define LOOPBACK_IFINDEX 1
141
142	#include <linux/seq_file_net.h>	135	#include <linux/seq_file_net.h>
143		136
144	/* Init's network namespace */	137	/* Init's network namespace */


diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c index 1a629f870274..255aa9946fe7 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c
@@ -250,7 +250,7 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
250	bool dev_match;	250	bool dev_match;
251		251
252	fl4.flowi4_oif = 0;	252	fl4.flowi4_oif = 0;
253	fl4.flowi4_iif = oif;	253	fl4.flowi4_iif = oif ? : LOOPBACK_IFINDEX;
254	fl4.daddr = src;	254	fl4.daddr = src;
255	fl4.saddr = dst;	255	fl4.saddr = dst;
256	fl4.flowi4_tos = tos;	256	fl4.flowi4_tos = tos;


diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c index b53f0bf84dca..8a043f03c88e 100644 --- a/net/ipv4/fib_semantics.c +++ b/net/ipv4/fib_semantics.c
@@ -631,6 +631,7 @@ static int fib_check_nh(struct fib_config cfg, struct fib_info fi,
631	.daddr = nh->nh_gw,	631	.daddr = nh->nh_gw,
632	.flowi4_scope = cfg->fc_scope + 1,	632	.flowi4_scope = cfg->fc_scope + 1,
633	.flowi4_oif = nh->nh_oif,	633	.flowi4_oif = nh->nh_oif,
		634	.flowi4_iif = LOOPBACK_IFINDEX,
634	};	635	};
635		636
636	/* It is not necessary, but requires a bit of thinking */	637	/* It is not necessary, but requires a bit of thinking */


diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c index 28863570dd60..d84dc8d4c916 100644 --- a/net/ipv4/ipmr.c +++ b/net/ipv4/ipmr.c
@@ -455,7 +455,7 @@ static netdev_tx_t reg_vif_xmit(struct sk_buff skb, struct net_device dev)
455	struct mr_table *mrt;	455	struct mr_table *mrt;
456	struct flowi4 fl4 = {	456	struct flowi4 fl4 = {
457	.flowi4_oif = dev->ifindex,	457	.flowi4_oif = dev->ifindex,
458	.flowi4_iif = skb->skb_iif,	458	.flowi4_iif = skb->skb_iif ? : LOOPBACK_IFINDEX,
459	.flowi4_mark = skb->mark,	459	.flowi4_mark = skb->mark,
460	};	460	};
461	int err;	461	int err;


diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c index c49dcd0284a0..4bfaedf9b34e 100644 --- a/net/ipv4/netfilter/ipt_rpfilter.c +++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -89,11 +89,8 @@ static bool rpfilter_mt(const struct sk_buff skb, struct xt_action_param par)
89	if (ipv4_is_multicast(iph->daddr)) {	89	if (ipv4_is_multicast(iph->daddr)) {
90	if (ipv4_is_zeronet(iph->saddr))	90	if (ipv4_is_zeronet(iph->saddr))
91	return ipv4_is_local_multicast(iph->daddr) ^ invert;	91	return ipv4_is_local_multicast(iph->daddr) ^ invert;
92	flow.flowi4_iif = 0;
93	} else {
94	flow.flowi4_iif = LOOPBACK_IFINDEX;
95	}	92	}
96		93	flow.flowi4_iif = LOOPBACK_IFINDEX;
97	flow.daddr = iph->saddr;	94	flow.daddr = iph->saddr;
98	flow.saddr = rpfilter_get_saddr(iph->daddr);	95	flow.saddr = rpfilter_get_saddr(iph->daddr);
99	flow.flowi4_oif = 0;	96	flow.flowi4_oif = 0;


diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 1485aafcad59..db1e0da871f4 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c
@@ -1700,8 +1700,7 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
1700		1700
1701	if (res.type == RTN_LOCAL) {	1701	if (res.type == RTN_LOCAL) {
1702	err = fib_validate_source(skb, saddr, daddr, tos,	1702	err = fib_validate_source(skb, saddr, daddr, tos,
1703	LOOPBACK_IFINDEX,	1703	0, dev, in_dev, &itag);
1704	dev, in_dev, &itag);
1705	if (err < 0)	1704	if (err < 0)
1706	goto martian_source_keep_err;	1705	goto martian_source_keep_err;
1707	goto local_input;	1706	goto local_input;


diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c index 8737400af0a0..8659067da28e 100644 --- a/net/ipv6/ip6mr.c +++ b/net/ipv6/ip6mr.c
@@ -700,7 +700,7 @@ static netdev_tx_t reg_vif_xmit(struct sk_buff *skb,
700	struct mr6_table *mrt;	700	struct mr6_table *mrt;
701	struct flowi6 fl6 = {	701	struct flowi6 fl6 = {
702	.flowi6_oif = dev->ifindex,	702	.flowi6_oif = dev->ifindex,
703	.flowi6_iif = skb->skb_iif,	703	.flowi6_iif = skb->skb_iif ? : LOOPBACK_IFINDEX,
704	.flowi6_mark = skb->mark,	704	.flowi6_mark = skb->mark,
705	};	705	};
706	int err;	706	int err;