linux/net/ipv6
David Ahern b6cdbc8523 net/ipv6: Fix route leaking between VRFs
Donald reported that IPv6 route leaking between VRFs is not working.
The root cause is the strict argument in the call to rt6_lookup when
validating the nexthop spec.

ip6_route_check_nh validates the gateway and device (if given) of a
route spec. It in turn could call rt6_lookup (e.g., lookup in a given
table did not succeed so it falls back to a full lookup) and if so
sets the strict argument to 1. That means if the egress device is given,
the route lookup needs to return a result with the same device. This
strict requirement does not work with VRFs (IPv4 or IPv6) because the
oif in the flow struct is overridden with the index of the VRF device
to trigger a match on the l3mdev rule and force the lookup to its table.

The right long term solution is to add an l3mdev index to the flow
struct such that the oif is not overridden. That solution will not
backport well, so this patch aims for a simpler solution to relax the
strict argument if the route spec device is an l3mdev slave. As done
in other places, use the FLOWI_FLAG_SKIP_NH_OIF to know that the
RT6_LOOKUP_F_IFACE flag needs to be removed.

Fixes: ca254490c8 ("net: Add VRF support to IPv6 stack")
Reported-by: Donald Sharp <sharpd@cumulusnetworks.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-30 14:23:59 -04:00
..
ila rhashtable: Change rhashtable_walk_start to return void 2017-12-11 09:58:38 -05:00
netfilter netfilter: nf_socket: Fix out of bounds access in nf_sk_lookup_slow_v{4,6} 2018-03-24 21:17:14 +01:00
addrconf_core.c net: ipv6: Make inet6addr_validator a blocking notifier 2017-10-20 13:15:07 +01:00
addrconf.c ipv6: addrconf: break critical section in addrconf_verify_rtnl() 2018-01-29 14:23:38 -05:00
addrlabel.c rtnetlink: ipv6: convert remaining users to rtnl_register_module 2017-12-04 13:35:36 -05:00
af_inet6.c ipv6: Fix SO_REUSEPORT UDP socket with implicit sk_ipv6only 2018-01-29 11:37:40 -05:00
ah6.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2017-11-15 11:56:19 -08:00
anycast.c net: delete /proc THIS_MODULE references 2018-01-16 15:01:33 -05:00
calipso.c
datagram.c ipv6: old_dport should be a __be16 in __ip6_datagram_connect() 2018-03-20 12:43:43 -04:00
esp6_offload.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-01-23 13:51:56 -05:00
esp6.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-01-17 00:10:42 -05:00
exthdrs_core.c net: ipv6: remove unused code in ipv6_find_hdr() 2017-10-05 21:53:02 -07:00
exthdrs_offload.c
exthdrs.c ipv6: sr: fix TLVs not being copied using setsockopt 2018-01-10 16:03:55 -05:00
fib6_notifier.c net: Add module reference to FIB notifiers 2017-09-01 20:33:42 -07:00
fib6_rules.c
fou6.c
icmp.c ipv6: mark expected switch fall-throughs 2017-10-18 14:13:08 +01:00
inet6_connection_sock.c
inet6_hashtables.c inet: Add a 2nd listener hashtable (port+addr) 2017-12-03 10:18:28 -05:00
ip6_checksum.c udplite: fix partial checksum initialization 2018-02-16 15:57:42 -05:00
ip6_fib.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-01-19 22:59:33 -05:00
ip6_flowlabel.c net: delete /proc THIS_MODULE references 2018-01-16 15:01:33 -05:00
ip6_gre.c ip6erspan: make sure enough headroom at xmit. 2018-03-09 13:03:57 -05:00
ip6_icmp.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ip6_input.c
ip6_offload.c gso: fix payload length when gso_size is zero 2017-10-08 10:12:15 -07:00
ip6_offload.h
ip6_output.c ipv6: the entire IPv6 header chain must fit the first fragment 2018-03-25 21:17:20 -04:00
ip6_tunnel.c ip6_tunnel: fix IFLA_MTU ignored on NEWLINK 2018-02-27 14:36:28 -05:00
ip6_udp_tunnel.c
ip6_vti.c vti6: Fix dev->max_mtu setting 2018-03-19 08:45:50 +01:00
ip6mr.c ip6mr: fix stale iterator 2018-01-31 10:26:30 -05:00
ipcomp6.c
ipv6_sockglue.c netfilter: drop outermost socket lock in getsockopt() 2018-02-14 20:44:42 +01:00
Kconfig
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mcast_snoop.c
mcast.c build_bug.h: remove BUILD_BUG_ON_NULL() 2018-02-06 18:32:46 -08:00
mip6.c
ndisc.c ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option() 2018-03-09 11:16:19 -05:00
netfilter.c netfilter: use skb_to_full_sk in ip6_route_me_harder 2018-02-25 20:51:13 +01:00
output_core.c net: accept UFO datagrams from tuntap and packet 2017-11-24 01:37:35 +09:00
ping.c net/ipv6: Convert icmpv6_push_pending_frames to void 2017-10-06 09:52:31 -07:00
proc.c net: delete /proc THIS_MODULE references 2018-01-16 15:01:33 -05:00
protocol.c
raw.c Currently, hardened usercopy performs dynamic bounds checking on slab 2018-02-03 16:25:42 -08:00
reassembly.c inet: frags: Convert timers to use timer_setup() 2017-10-18 12:39:55 +01:00
route.c net/ipv6: Fix route leaking between VRFs 2018-03-30 14:23:59 -04:00
seg6_hmac.c ipv6: sr: Use ARRAY_SIZE macro 2017-09-01 18:35:23 -07:00
seg6_iptunnel.c ipv6: sr: fix seg6 encap performances with TSO enabled 2018-03-30 14:14:33 -04:00
seg6_local.c ipv6: use ARRAY_SIZE for array sizing calculation on array seg6_action_table 2018-01-09 11:40:46 -05:00
seg6.c rhashtable: Change rhashtable_walk_start to return void 2017-12-11 09:58:38 -05:00
sit.c sit: fix IFLA_MTU ignored on NEWLINK 2018-02-27 14:36:28 -05:00
syncookies.c net/ipv4: disable SMC TCP option with SYN Cookies 2018-03-25 20:53:54 -04:00
sysctl_net_ipv6.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
tcp_ipv6.c tcp: tracepoint: only call trace_tcp_send_reset with full socket 2018-02-07 22:00:42 -05:00
tcpv6_offload.c gso: validate gso_type in GSO handlers 2018-01-22 16:01:30 -05:00
tunnel6.c
udp_impl.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
udp_offload.c gso: validate gso_type in GSO handlers 2018-01-22 16:01:30 -05:00
udp.c net: delete /proc THIS_MODULE references 2018-01-16 15:01:33 -05:00
udplite.c net: delete /proc THIS_MODULE references 2018-01-16 15:01:33 -05:00
xfrm6_input.c xfrm: Reinject transport-mode packets through tasklet 2017-12-19 08:23:21 +01:00
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c xfrm: Verify MAC header exists before overwriting eth_hdr(skb)->h_proto 2018-03-07 10:54:29 +01:00
xfrm6_output.c net: xfrm: use skb_gso_validate_network_len() to check gso sizes 2018-03-04 17:49:17 -05:00
xfrm6_policy.c xfrm: reuse uncached_list to track xdsts 2018-02-16 07:03:33 +01:00
xfrm6_protocol.c
xfrm6_state.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xfrm6_tunnel.c xfrm6_tunnel: exit_net cleanup check added 2017-11-14 15:46:17 +09:00