aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid S. Miller2020-04-22 12:32:11 -0700
committerDavid S. Miller2020-04-22 12:32:11 -0700
commit87f78f274db5e54f8bd1686aa5095ee17363b519 (patch)
tree0b80f20d78ad1ba90372a5c1c0711006807788b2
parent9175d3f38816835b0801bacbf4f6aff1a1672b71 (diff)
parent16b9db1ce34ff00d6c18e82825125cfef0cdfb13 (diff)
Merge branch 'vrf-looping'
David Ahern says: ==================== net: Fix looping with vrf, xfrms and qdisc on VRF Trev reported that use of VRFs with xfrms is looping when a qdisc is added to the VRF device. The combination of xfrm + qdisc is not handled by the VRF driver which lost track that it has already seen the packet. The XFRM_TRANSFORMED flag is used by the netfilter code for a similar purpose, so re-use for VRF. Patch 1 drops the #ifdef around setting the flag in the xfrm output functions. Patch 2 adds a check to the VRF driver for flag; if set the packet has already passed through the VRF driver once and does not need to recirculated a second time. This is a day 1 bug with VRFs; stable wise, I would only take this back to 4.14. I have a set of test cases which I will submit to net-next. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat
-rw-r--r--drivers/net/vrf.c6
-rw-r--r--net/ipv4/xfrm4_output.c2
-rw-r--r--net/ipv6/xfrm6_output.c2
3 files changed, 4 insertions, 6 deletions
diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
index 66e00ddc0d42..6f5d03b7d9c0 100644
--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -474,7 +474,8 @@ static struct sk_buff *vrf_ip6_out(struct net_device *vrf_dev,
if (rt6_need_strict(&ipv6_hdr(skb)->daddr))
return skb;
- if (qdisc_tx_is_default(vrf_dev))
+ if (qdisc_tx_is_default(vrf_dev) ||
+ IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
return vrf_ip6_out_direct(vrf_dev, sk, skb);
return vrf_ip6_out_redirect(vrf_dev, skb);
@@ -686,7 +687,8 @@ static struct sk_buff *vrf_ip_out(struct net_device *vrf_dev,
ipv4_is_lbcast(ip_hdr(skb)->daddr))
return skb;
- if (qdisc_tx_is_default(vrf_dev))
+ if (qdisc_tx_is_default(vrf_dev) ||
+ IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
return vrf_ip_out_direct(vrf_dev, sk, skb);
return vrf_ip_out_redirect(vrf_dev, skb);
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
index 89ba7c87de5d..30ddb9dc9398 100644
--- a/net/ipv4/xfrm4_output.c
+++ b/net/ipv4/xfrm4_output.c
@@ -58,9 +58,7 @@ int xfrm4_output_finish(struct sock *sk, struct sk_buff *skb)
{
memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
-#ifdef CONFIG_NETFILTER
IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
-#endif
return xfrm_output(sk, skb);
}
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
index fbe51d40bd7e..e34167f790e6 100644
--- a/net/ipv6/xfrm6_output.c
+++ b/net/ipv6/xfrm6_output.c
@@ -111,9 +111,7 @@ int xfrm6_output_finish(struct sock *sk, struct sk_buff *skb)
{
memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
-#ifdef CONFIG_NETFILTER
IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
-#endif
return xfrm_output(sk, skb);
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-10-08 17:16:47 +0000