original_kernel/net/ipv6
David Ahern b6cdbc8523 net/ipv6: Fix route leaking between VRFs
Donald reported that IPv6 route leaking between VRFs is not working.
The root cause is the strict argument in the call to rt6_lookup when
validating the nexthop spec.

ip6_route_check_nh validates the gateway and device (if given) of a
route spec. It in turn could call rt6_lookup (e.g., lookup in a given
table did not succeed so it falls back to a full lookup) and if so
sets the strict argument to 1. That means if the egress device is given,
the route lookup needs to return a result with the same device. This
strict requirement does not work with VRFs (IPv4 or IPv6) because the
oif in the flow struct is overridden with the index of the VRF device
to trigger a match on the l3mdev rule and force the lookup to its table.

The right long term solution is to add an l3mdev index to the flow
struct such that the oif is not overridden. That solution will not
backport well, so this patch aims for a simpler solution to relax the
strict argument if the route spec device is an l3mdev slave. As done
in other places, use the FLOWI_FLAG_SKIP_NH_OIF to know that the
RT6_LOOKUP_F_IFACE flag needs to be removed.

Fixes: ca254490c8 ("net: Add VRF support to IPv6 stack")
Reported-by: Donald Sharp <sharpd@cumulusnetworks.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-03-30 14:23:59 -04:00
..
ila
netfilter netfilter: nf_socket: Fix out of bounds access in nf_sk_lookup_slow_v{4,6} 2018-03-24 21:17:14 +01:00
Kconfig
Makefile
addrconf.c ipv6: addrconf: break critical section in addrconf_verify_rtnl() 2018-01-29 14:23:38 -05:00
addrconf_core.c
addrlabel.c
af_inet6.c ipv6: Fix SO_REUSEPORT UDP socket with implicit sk_ipv6only 2018-01-29 11:37:40 -05:00
ah6.c
anycast.c net: delete /proc THIS_MODULE references 2018-01-16 15:01:33 -05:00
calipso.c
datagram.c ipv6: old_dport should be a __be16 in __ip6_datagram_connect() 2018-03-20 12:43:43 -04:00
esp6.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-01-17 00:10:42 -05:00
esp6_offload.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-01-23 13:51:56 -05:00
exthdrs.c
exthdrs_core.c
exthdrs_offload.c
fib6_notifier.c
fib6_rules.c
fou6.c
icmp.c
inet6_connection_sock.c
inet6_hashtables.c
ip6_checksum.c udplite: fix partial checksum initialization 2018-02-16 15:57:42 -05:00
ip6_fib.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-01-19 22:59:33 -05:00
ip6_flowlabel.c net: delete /proc THIS_MODULE references 2018-01-16 15:01:33 -05:00
ip6_gre.c ip6erspan: make sure enough headroom at xmit. 2018-03-09 13:03:57 -05:00
ip6_icmp.c
ip6_input.c
ip6_offload.c
ip6_offload.h
ip6_output.c ipv6: the entire IPv6 header chain must fit the first fragment 2018-03-25 21:17:20 -04:00
ip6_tunnel.c ip6_tunnel: fix IFLA_MTU ignored on NEWLINK 2018-02-27 14:36:28 -05:00
ip6_udp_tunnel.c
ip6_vti.c vti6: Fix dev->max_mtu setting 2018-03-19 08:45:50 +01:00
ip6mr.c ip6mr: fix stale iterator 2018-01-31 10:26:30 -05:00
ipcomp6.c
ipv6_sockglue.c netfilter: drop outermost socket lock in getsockopt() 2018-02-14 20:44:42 +01:00
mcast.c build_bug.h: remove BUILD_BUG_ON_NULL() 2018-02-06 18:32:46 -08:00
mcast_snoop.c
mip6.c
ndisc.c ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option() 2018-03-09 11:16:19 -05:00
netfilter.c netfilter: use skb_to_full_sk in ip6_route_me_harder 2018-02-25 20:51:13 +01:00
output_core.c
ping.c
proc.c net: delete /proc THIS_MODULE references 2018-01-16 15:01:33 -05:00
protocol.c
raw.c Currently, hardened usercopy performs dynamic bounds checking on slab 2018-02-03 16:25:42 -08:00
reassembly.c
route.c net/ipv6: Fix route leaking between VRFs 2018-03-30 14:23:59 -04:00
seg6.c
seg6_hmac.c
seg6_iptunnel.c ipv6: sr: fix seg6 encap performances with TSO enabled 2018-03-30 14:14:33 -04:00
seg6_local.c
sit.c sit: fix IFLA_MTU ignored on NEWLINK 2018-02-27 14:36:28 -05:00
syncookies.c net/ipv4: disable SMC TCP option with SYN Cookies 2018-03-25 20:53:54 -04:00
sysctl_net_ipv6.c
tcp_ipv6.c tcp: tracepoint: only call trace_tcp_send_reset with full socket 2018-02-07 22:00:42 -05:00
tcpv6_offload.c gso: validate gso_type in GSO handlers 2018-01-22 16:01:30 -05:00
tunnel6.c
udp.c net: delete /proc THIS_MODULE references 2018-01-16 15:01:33 -05:00
udp_impl.h
udp_offload.c gso: validate gso_type in GSO handlers 2018-01-22 16:01:30 -05:00
udplite.c net: delete /proc THIS_MODULE references 2018-01-16 15:01:33 -05:00
xfrm6_input.c
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c xfrm: Verify MAC header exists before overwriting eth_hdr(skb)->h_proto 2018-03-07 10:54:29 +01:00
xfrm6_output.c net: xfrm: use skb_gso_validate_network_len() to check gso sizes 2018-03-04 17:49:17 -05:00
xfrm6_policy.c xfrm: reuse uncached_list to track xdsts 2018-02-16 07:03:33 +01:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c