Backort upstream patch which preserves oif of IPv6 link scoped packets.
The outgoing interface of IPv6 link scope packets can be changed by the
function ip6_route_me_harder. This is unwanted behavior for link local
packets and multicast packets as the outgoing interface is fixed and must
not be altered as it can break neighbor discovery and multicast listener
discovery.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
--- /dev/null
+From 508b09046c0f21678652fb66fd1e9959d55591d2 Mon Sep 17 00:00:00 2001
+From: Alin Nastac <alin.nastac@gmail.com>
+Date: Wed, 21 Nov 2018 14:00:30 +0100
+Subject: [PATCH] netfilter: ipv6: Preserve link scope traffic original oif
+
+When ip6_route_me_harder is invoked, it resets outgoing interface of:
+ - link-local scoped packets sent by neighbor discovery
+ - multicast packets sent by MLD host
+ - multicast packets send by MLD proxy daemon that sets outgoing
+ interface through IPV6_PKTINFO ipi6_ifindex
+
+Link-local and multicast packets must keep their original oif after
+ip6_route_me_harder is called.
+
+Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ net/ipv6/netfilter.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -25,7 +25,8 @@ int ip6_route_me_harder(struct net *net,
+ unsigned int hh_len;
+ struct dst_entry *dst;
+ struct flowi6 fl6 = {
+- .flowi6_oif = sk ? sk->sk_bound_dev_if : 0,
++ .flowi6_oif = sk && sk->sk_bound_dev_if ? sk->sk_bound_dev_if :
++ rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0,
+ .flowi6_mark = skb->mark,
+ .flowi6_uid = sock_net_uid(net, sk),
+ .daddr = iph->daddr,
.saveroute = nf_ip_saveroute,
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
-@@ -193,12 +193,12 @@ static __sum16 nf_ip6_checksum_partial(s
+@@ -194,12 +194,12 @@ static __sum16 nf_ip6_checksum_partial(s
static const struct nf_ipv6_ops ipv6ops = {
.chk_addr = ipv6_chk_addr,
.route_input = ip6_route_input,
.reroute = nf_ip_reroute,
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
-@@ -191,15 +191,15 @@ static __sum16 nf_ip6_checksum_partial(s
+@@ -192,15 +192,15 @@ static __sum16 nf_ip6_checksum_partial(s
};
static const struct nf_ipv6_ops ipv6ops = {
};
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
-@@ -69,31 +69,6 @@ int ip6_route_me_harder(struct net *net,
+@@ -70,31 +70,6 @@ int ip6_route_me_harder(struct net *net,
}
EXPORT_SYMBOL(ip6_route_me_harder);
static int nf_ip6_reroute(struct net *net, struct sk_buff *skb,
const struct nf_queue_entry *entry)
{
-@@ -201,7 +176,6 @@ static const struct nf_ipv6_ops ipv6ops
+@@ -202,7 +177,6 @@ static const struct nf_ipv6_ops ipv6ops
static const struct nf_afinfo nf_ip6_afinfo = {
.family = AF_INET6,
.route = nf_ip6_route,
};
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
-@@ -171,11 +171,11 @@ static const struct nf_ipv6_ops ipv6ops
+@@ -172,11 +172,11 @@ static const struct nf_ipv6_ops ipv6ops
.fragment = ip6_fragment,
.checksum = nf_ip6_checksum,
.checksum_partial = nf_ip6_checksum_partial,
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
-@@ -69,7 +69,7 @@ int ip6_route_me_harder(struct net *net,
+@@ -70,7 +70,7 @@ int ip6_route_me_harder(struct net *net,
}
EXPORT_SYMBOL(ip6_route_me_harder);
const struct nf_queue_entry *entry)
{
struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry);
-@@ -79,7 +79,7 @@ static int nf_ip6_reroute(struct net *ne
+@@ -80,7 +80,7 @@ static int nf_ip6_reroute(struct net *ne
if (!ipv6_addr_equal(&iph->daddr, &rt_info->daddr) ||
!ipv6_addr_equal(&iph->saddr, &rt_info->saddr) ||
skb->mark != rt_info->mark)
}
return 0;
}
-@@ -172,11 +172,11 @@ static const struct nf_ipv6_ops ipv6ops
+@@ -173,11 +173,11 @@ static const struct nf_ipv6_ops ipv6ops
.checksum = nf_ip6_checksum,
.checksum_partial = nf_ip6_checksum_partial,
.route = nf_ip6_route,
static int __init ipv4_netfilter_init(void)
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
-@@ -177,7 +177,6 @@ static const struct nf_ipv6_ops ipv6ops
+@@ -178,7 +178,6 @@ static const struct nf_ipv6_ops ipv6ops
static const struct nf_afinfo nf_ip6_afinfo = {
.family = AF_INET6,
-subsys_initcall(ipv4_netfilter_init);
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
-@@ -175,14 +175,10 @@ static const struct nf_ipv6_ops ipv6ops
+@@ -176,14 +176,10 @@ static const struct nf_ipv6_ops ipv6ops
.reroute = nf_ip6_reroute,
};
}
/* This can be called from inet6_init() on errors, so it cannot
-@@ -191,5 +187,4 @@ int __init ipv6_netfilter_init(void)
+@@ -192,5 +188,4 @@ int __init ipv6_netfilter_init(void)
void ipv6_netfilter_fini(void)
{
RCU_INIT_POINTER(nf_ipv6_ops, NULL);
--- /dev/null
+From 508b09046c0f21678652fb66fd1e9959d55591d2 Mon Sep 17 00:00:00 2001
+From: Alin Nastac <alin.nastac@gmail.com>
+Date: Wed, 21 Nov 2018 14:00:30 +0100
+Subject: [PATCH] netfilter: ipv6: Preserve link scope traffic original oif
+
+When ip6_route_me_harder is invoked, it resets outgoing interface of:
+ - link-local scoped packets sent by neighbor discovery
+ - multicast packets sent by MLD host
+ - multicast packets send by MLD proxy daemon that sets outgoing
+ interface through IPV6_PKTINFO ipi6_ifindex
+
+Link-local and multicast packets must keep their original oif after
+ip6_route_me_harder is called.
+
+Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ net/ipv6/netfilter.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -24,7 +24,8 @@ int ip6_route_me_harder(struct net *net,
+ unsigned int hh_len;
+ struct dst_entry *dst;
+ struct flowi6 fl6 = {
+- .flowi6_oif = sk ? sk->sk_bound_dev_if : 0,
++ .flowi6_oif = sk && sk->sk_bound_dev_if ? sk->sk_bound_dev_if :
++ rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0,
+ .flowi6_mark = skb->mark,
+ .flowi6_uid = sock_net_uid(net, sk),
+ .daddr = iph->daddr,
--- /dev/null
+From 508b09046c0f21678652fb66fd1e9959d55591d2 Mon Sep 17 00:00:00 2001
+From: Alin Nastac <alin.nastac@gmail.com>
+Date: Wed, 21 Nov 2018 14:00:30 +0100
+Subject: [PATCH] netfilter: ipv6: Preserve link scope traffic original oif
+
+When ip6_route_me_harder is invoked, it resets outgoing interface of:
+ - link-local scoped packets sent by neighbor discovery
+ - multicast packets sent by MLD host
+ - multicast packets send by MLD proxy daemon that sets outgoing
+ interface through IPV6_PKTINFO ipi6_ifindex
+
+Link-local and multicast packets must keep their original oif after
+ip6_route_me_harder is called.
+
+Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ net/ipv6/netfilter.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -24,7 +24,8 @@ int ip6_route_me_harder(struct net *net,
+ unsigned int hh_len;
+ struct dst_entry *dst;
+ struct flowi6 fl6 = {
+- .flowi6_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0,
++ .flowi6_oif = skb->sk && skb->sk->sk_bound_dev_if ? skb->sk->sk_bound_dev_if :
++ rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0,
+ .flowi6_mark = skb->mark,
+ .daddr = iph->daddr,
+ .saddr = iph->saddr,
projects / openwrt / staging / lynxis.git / commitdiff