leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
4964e5a1e0
linux/net/ipv4/netfilter
History
Guillaume Nault 2e5a6266fb netfilter: rpfilter: mask ecn bits before fib lookup 
RT_TOS() only masks one of the two ECN bits. Therefore rpfilter_mt()
treats Not-ECT or ECT(1) packets in a different way than those with
ECT(0) or CE.

Reproducer:

  Create two netns, connected with a veth:
  $ ip netns add ns0
  $ ip netns add ns1
  $ ip link add name veth01 netns ns0 type veth peer name veth10 netns ns1
  $ ip -netns ns0 link set dev veth01 up
  $ ip -netns ns1 link set dev veth10 up
  $ ip -netns ns0 address add 192.0.2.10/32 dev veth01
  $ ip -netns ns1 address add 192.0.2.11/32 dev veth10

  Add a route to ns1 in ns0:
  $ ip -netns ns0 route add 192.0.2.11/32 dev veth01

  In ns1, only packets with TOS 4 can be routed to ns0:
  $ ip -netns ns1 route add 192.0.2.10/32 tos 4 dev veth10

  Ping from ns0 to ns1 works regardless of the ECN bits, as long as TOS
  is 4:
  $ ip netns exec ns0 ping -Q 4 192.0.2.11   # TOS 4, Not-ECT
    ... 0% packet loss ...
  $ ip netns exec ns0 ping -Q 5 192.0.2.11   # TOS 4, ECT(1)
    ... 0% packet loss ...
  $ ip netns exec ns0 ping -Q 6 192.0.2.11   # TOS 4, ECT(0)
    ... 0% packet loss ...
  $ ip netns exec ns0 ping -Q 7 192.0.2.11   # TOS 4, CE
    ... 0% packet loss ...

  Now use iptable's rpfilter module in ns1:
  $ ip netns exec ns1 iptables-legacy -t raw -A PREROUTING -m rpfilter --invert -j DROP

  Not-ECT and ECT(1) packets still pass:
  $ ip netns exec ns0 ping -Q 4 192.0.2.11   # TOS 4, Not-ECT
    ... 0% packet loss ...
  $ ip netns exec ns0 ping -Q 5 192.0.2.11   # TOS 4, ECT(1)
    ... 0% packet loss ...

  But ECT(0) and ECN packets are dropped:
  $ ip netns exec ns0 ping -Q 6 192.0.2.11   # TOS 4, ECT(0)
    ... 100% packet loss ...
  $ ip netns exec ns0 ping -Q 7 192.0.2.11   # TOS 4, CE
    ... 100% packet loss ...

After this patch, rpfilter doesn't drop ECT(0) and CE packets anymore.

Fixes: 8f97339d3f ("netfilter: add ipv4 reverse path filter match")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-01-19 13:54:30 -08:00
..
arp_tables.c netfilter: x_tables: Update remaining dereference to RCU 2020-12-17 19:44:52 +01:00
arpt_mangle.c
arptable_filter.c
ip_tables.c netfilter: x_tables: Update remaining dereference to RCU 2020-12-17 19:44:52 +01:00
ipt_ah.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
ipt_CLUSTERIP.c Replace HTTP links with HTTPS ones: IPv* 2020-07-06 13:23:03 -07:00
ipt_ECN.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-22 08:59:24 -04:00
ipt_REJECT.c netfilter: use actual socket sk for REJECT action 2020-12-01 14:33:55 +01:00
ipt_rpfilter.c netfilter: rpfilter: mask ecn bits before fib lookup 2021-01-19 13:54:30 -08:00
ipt_SYNPROXY.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00
iptable_filter.c netfilter: iptables: Add a .pre_exit hook in all iptable_foo.c. 2020-06-25 00:50:31 +02:00
iptable_mangle.c netfilter: use actual socket sk rather than skb sk when routing harder 2020-10-30 12:57:39 +01:00
iptable_nat.c netfilter: iptables: Add a .pre_exit hook in all iptable_foo.c. 2020-06-25 00:50:31 +02:00
iptable_raw.c netfilter: iptables: Add a .pre_exit hook in all iptable_foo.c. 2020-06-25 00:50:31 +02:00
iptable_security.c netfilter: iptables: Add a .pre_exit hook in all iptable_foo.c. 2020-06-25 00:50:31 +02:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile netfilter: fix coding-style errors. 2019-09-13 11:39:38 +02:00
nf_defrag_ipv4.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
nf_dup_ipv4.c netfilter: drop bridge nf reset from nf_reset 2019-10-01 18:42:15 +02:00
nf_flow_table_ipv4.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00
nf_log_arp.c netfilter: nf_log: missing vlan offload tag and proto 2020-10-14 01:25:14 +02:00
nf_log_ipv4.c netfilter: nf_log: missing vlan offload tag and proto 2020-10-14 01:25:14 +02:00
nf_nat_h323.c netfilter: nf_conntrack_sip: fix expectation clash 2019-07-16 13:16:59 +02:00
nf_nat_pptp.c netfilter: delete repeated words 2020-08-28 20:11:38 +02:00
nf_nat_snmp_basic_main.c
nf_nat_snmp_basic.asn1
nf_reject_ipv4.c netfilter: use actual socket sk for REJECT action 2020-12-01 14:33:55 +01:00
nf_socket_ipv4.c treewide: Remove uninitialized_var() usage 2020-07-16 12:35:15 -07:00
nf_tproxy_ipv4.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-22 08:59:24 -04:00
nft_dup_ipv4.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00
nft_fib_ipv4.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00
nft_reject_ipv4.c netfilter: use actual socket sk for REJECT action 2020-12-01 14:33:55 +01:00