bugzilla-daemon at netfilter.org
2024-Jul-16 14:12 UTC
[Bug 1761] New: nft_fib checks only the main route table when iif is a slave of a master vrf interface
https://bugzilla.netfilter.org/show_bug.cgi?id=1761

Bug ID: 1761
Summary: nft_fib checks only the main route table when iif is a slave of a master vrf interface
Product: nftables
Version: 1.0.x
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: tsv1991 at gmail.com

Root case: I want to do NOTRACK in the PREROUTING chain for traffic that has a "daddr" route pointing to a specific oif.

What I do: "nft add rule inet notracks PREROUTING fib daddr oif br999 counter notrack"

The issue: nftables always checks only the main routing table, though the iif for the traffic is a slave of a master VRF interface; the oif will also always be a slave of the master VRF interface.

Details: We have VRF vrf1 and interfaces br100 and br999 as slaves of interface vrf1. Interface br100 receives traffic. We want to do a notrack in the PREROUTING hook for this traffic on condition that it will be forwarded to interface br999. When we add the rule "nft add rule inet notracks PREROUTING fib daddr oif br999 counter notrack" we see that nftables checks only the main fib table. I think nftables should be able to discover the VRF master interface for the incoming interface (br100) and check the fib vrf1 routing table.

I tried to research this issue and found that: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv4/netfilter/nft_fib_ipv4.c#n87

I think the check should be extended to always consider whether the iif is a slave of a master VRF interface, so that the lookup is done in the right routing table.

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20240716/77ee4a3e/attachment.html>
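The setup the report describes, as an added reproducer that is not part of the bug report, of nftables or of the kernel tree: it builds vrf1 with br100 and br999 enslaved inside a network namespace, sends traffic into br100 towards a prefix that only vrf1's table can route, and reads the counters of two rules, the reporter's `fib daddr oif br999` and a second rule keyed on `daddr . iif` included so the two lookups can be compared on the same kernel. The namespace names, addresses, table id 1000, rule comments and the sample `nft list chain` listing used offline by `counter_packets` are all assumptions made for this example. Run it as root with `sh repro.sh repro`; without the argument only the helper functions are defined.

```shell
#!/bin/sh
# Added reproducer for the VRF scenario in bug 1761; not from the report or the kernel tree.
# Hypothetical names: netns fib1761 / fib1761-peer, 10.0.100.0/24, 10.0.99.0/24, table 1000.
set -eu

NS=fib1761          # holds vrf1 with br100 and br999 enslaved
PEER=fib1761-peer   # sends traffic into br100 through a veth pair
VRF_TABLE=1000

# Constructed sample of `nft list chain inet notracks PREROUTING`, used offline by the helpers.
SAMPLE_CHAIN='table inet notracks {
	chain PREROUTING {
		type filter hook prerouting priority raw; policy accept;
		fib daddr oif "br999" counter packets 0 bytes 0 notrack comment "main-only"
		fib daddr . iif oif "br999" counter packets 3 bytes 252 notrack comment "iif-keyed"
	}
}'

# counter_packets TAG LISTING: packet count of the rule whose comment is TAG (empty if absent).
counter_packets() {
	printf '%s\n' "$2" | awk -v tag="comment \"$1\"" '
		index($0, tag) { for (i = 1; i <= NF; i++) if ($i == "packets") { print $(i + 1); exit } }'
}

# verdict MAIN_ONLY IIF_KEYED: what the two counters say about this kernel.
verdict() {
	for n in "$1" "$2"; do
		case "$n" in ''|*[!0-9]*) echo "unparsed"; return 0 ;; esac
	done
	if [ "$2" -eq 0 ]; then echo "no-traffic"     # nothing hit the chain: setup problem
	elif [ "$1" -eq 0 ]; then echo "bug-1761"     # plain `fib daddr oif` consulted main, not vrf1
	else echo "fixed"; fi
}

setup() {
	ip netns add "$NS"
	ip netns add "$PEER"
	ip link add v100 netns "$NS" type veth peer name v100p netns "$PEER"
	ip -n "$NS" link add br100 type bridge
	ip -n "$NS" link add br999 type bridge
	ip -n "$NS" link add vrf1 type vrf table "$VRF_TABLE"
	ip -n "$NS" link set v100 master br100
	ip -n "$NS" link set br100 master vrf1     # connected routes now live in table 1000
	ip -n "$NS" link set br999 master vrf1
	ip -n "$NS" addr add 10.0.100.1/24 dev br100
	ip -n "$NS" addr add 10.0.99.1/24 dev br999
	for d in lo vrf1 br100 br999 v100; do ip -n "$NS" link set "$d" up; done
	ip netns exec "$NS" sysctl -qw net.ipv4.ip_forward=1
	ip -n "$PEER" addr add 10.0.100.2/24 dev v100p
	ip -n "$PEER" link set v100p up
	ip -n "$PEER" route add 10.0.99.0/24 via 10.0.100.1
	# Reporter's rule plus an iif-keyed variant so both lookups can be compared on one kernel.
	ip netns exec "$NS" nft -f - <<'EOF'
table inet notracks {
	chain PREROUTING {
		type filter hook prerouting priority raw; policy accept;
		fib daddr oif "br999" counter notrack comment "main-only"
		fib daddr . iif oif "br999" counter notrack comment "iif-keyed"
	}
}
EOF
}

run() {
	# 10.0.99.5 is reachable only through vrf1's table; the main table has no route for it.
	ip netns exec "$PEER" ping -c 3 -W 1 10.0.99.5 >/dev/null 2>&1 || true
	listing=$(ip netns exec "$NS" nft list chain inet notracks PREROUTING)
	main_only=$(counter_packets main-only "$listing")
	iif_keyed=$(counter_packets iif-keyed "$listing")
	echo "main-only=$main_only iif-keyed=$iif_keyed -> $(verdict "$main_only" "$iif_keyed")"
}

cleanup() {
	ip netns del "$NS" 2>/dev/null || true
	ip netns del "$PEER" 2>/dev/null || true
}

# The network setup needs root, iproute2 and nft, so it only runs when asked for explicitly.
if [ "${1:-}" = "repro" ]; then
	trap cleanup EXIT
	setup
	run
fi
```

A kernel with the behaviour the report describes prints a zero count for the `main-only` rule while the `iif-keyed` rule counts the pings; a kernel where `fib daddr oif` consults vrf1's table counts on both. The counters are read from the same chain listing in both cases, so the comparison does not depend on whether the ping itself gets a reply.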
bugzilla-daemon at netfilter.org
2024-Sep-10 22:01 UTC
[Bug 1761] nft_fib checks only the main route table when iif is a slave of a master vrf interface
https://bugzilla.netfilter.org/show_bug.cgi?id=1761

--- Comment #1 from Pablo Neira Ayuso <pablo at netfilter.org> ---
would you submit a patch to netfilter-devel at vger.kernel.org for review?

A selftest would be good to have.
bugzilla-daemon at netfilter.org
2024-Oct-23 16:20 UTC
[Bug 1761] nft_fib checks only the main route table when iif is a slave of a master vrf interface
https://bugzilla.netfilter.org/show_bug.cgi?id=1761

--- Comment #2 from tsv1991 at gmail.com ---
(In reply to Pablo Neira Ayuso from comment #1)
> would you submit a patch to netfilter-devel at vger.kernel.org for review?
> 
> A selftest would be good to have.

I don't have any idea how I can fix it. Maybe there is someone in the community who can fix this bug.
bugzilla-daemon at netfilter.org
2024-Oct-24 18:48 UTC
[Bug 1761] nft_fib checks only the main route table when iif is a slave of a master vrf interface
https://bugzilla.netfilter.org/show_bug.cgi?id=1761

--- Comment #3 from tsv1991 at gmail.com ---
This patch works as it should, but I'm not sure it won't break anything

--- /root/nft_fib_ipv4.c 2024-10-23 19:01:14.668000000 +0000
+++ net/ipv4/netfilter/nft_fib_ipv4.c 2024-10-24 18:29:48.344000000 +0000
@@ -64,7 +64,7 @@
 struct fib_result res;
 struct flowi4 fl4 = {
 .flowi4_scope = RT_SCOPE_UNIVERSE,
- .flowi4_iif = LOOPBACK_IFINDEX,
+ .flowi4_iif = nft_in(pkt)->ifindex,
 .flowi4_uid = sock_net_uid(nft_net(pkt), NULL),
 };
 const struct net_device *oif;
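Review bot: the replacement of LOOPBACK_IFINDEX by nft_in(pkt)->ifindex in the flowi4_iif initializer changes every lookup the expression performs, not just the VRF case the report is about, so non-VRF lookups also stop using the generic loopback-keyed lookup the original line expressed; consider leaving flowi4_iif as it was and selecting the VRF table through the flowi4 l3mdev member derived from the ingress device's master, and confirm that nft_in(pkt) cannot be NULL in any hook where this expression is accepted before dereferencing it unconditionally in the initializer. As a submission, the diff is taken against /root/nft_fib_ipv4.c rather than a/ and b/ tree paths, so it will not apply with git am, and it carries no commit message, no Signed-off-by and not the selftest asked for in comment #1.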
bugzilla-daemon at netfilter.org
2024-Oct-27 22:04 UTC
[Bug 1761] nft_fib checks only the main route table when iif is a slave of a master vrf interface
https://bugzilla.netfilter.org/show_bug.cgi?id=1761

--- Comment #4 from Pablo Neira Ayuso <pablo at netfilter.org> ---
(In reply to tsv1991 from comment #3)
> This patch works as it should, but I'm not sure it won't break anything
> 
> --- /root/nft_fib_ipv4.c 2024-10-23 19:01:14.668000000 +0000
> +++ net/ipv4/netfilter/nft_fib_ipv4.c 2024-10-24 18:29:48.344000000 +0000
> @@ -64,7 +64,7 @@
>  struct fib_result res;
>  struct flowi4 fl4 = {
>  .flowi4_scope = RT_SCOPE_UNIVERSE,
> - .flowi4_iif = LOOPBACK_IFINDEX,
> + .flowi4_iif = nft_in(pkt)->ifindex,
>  .flowi4_uid = sock_net_uid(nft_net(pkt), NULL),
>  };
>  const struct net_device *oif;

This looks very similar to the patch that has been upstreamed:

commit 05ef7055debc804e8083737402127975e7244fc4
Author: Florian Westphal <fw at strlen.de>
Date:   Wed Oct 9 09:19:02 2024 +0200

    netfilter: fib: check correct rtable in vrf setups

Could you please give it a try?

Thanks.