1. 08 Nov, 2018 5 commits
    • Duncan Eastoe's avatar
      net: fix raw socket lookup device bind matching with VRFs · 7055420f
      Duncan Eastoe authored
      When there exist a pair of raw sockets one unbound and one bound
      to a VRF but equal in all other respects, when a packet is received
      in the VRF context, __raw_v4_lookup() matches on both sockets.
      
      This results in the packet being delivered over both sockets,
      instead of only the raw socket bound to the VRF. The bound device
      checks in __raw_v4_lookup() are replaced with a call to
      raw_sk_bound_dev_eq() which correctly handles whether the packet
      should be delivered over the unbound socket in such cases.
      
      In __raw_v6_lookup() the match on the device binding of the socket is
      similarly updated to use raw_sk_bound_dev_eq() which matches the
      handling in __raw_v4_lookup().
      
      Importantly raw_sk_bound_dev_eq() takes the raw_l3mdev_accept sysctl
      into account.
      Signed-off-by: default avatarDuncan Eastoe <deastoe@vyatta.att-mail.com>
      Signed-off-by: default avatarMike Manning <mmanning@vyatta.att-mail.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@gmail.com>
      Tested-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7055420f
    • Mike Manning's avatar
      net: provide a sysctl raw_l3mdev_accept for raw socket lookup with VRFs · 6897445f
      Mike Manning authored
      Add a sysctl raw_l3mdev_accept to control raw socket lookup in a manner
      similar to use of tcp_l3mdev_accept for stream and of udp_l3mdev_accept
      for datagram sockets. Have this default to enabled for reasons of
      backwards compatibility. This is so as to specify the output device
      with cmsg and IP_PKTINFO, but using a socket not bound to the
      corresponding VRF. This allows e.g. older ping implementations to be
      run with specifying the device but without executing it in the VRF.
      If the option is disabled, packets received in a VRF context are only
      handled by a raw socket bound to the VRF, and correspondingly packets
      in the default VRF are only handled by a socket not bound to any VRF.
      Signed-off-by: default avatarMike Manning <mmanning@vyatta.att-mail.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@gmail.com>
      Tested-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6897445f
    • Mike Manning's avatar
      net: ensure unbound datagram socket to be chosen when not in a VRF · 6da5b0f0
      Mike Manning authored
      Ensure an unbound datagram skt is chosen when not in a VRF. The check
      for a device match in compute_score() for UDP must be performed when
      there is no device match. For this, a failure is returned when there is
      no device match. This ensures that bound sockets are never selected,
      even if there is no unbound socket.
      
      Allow IPv6 packets to be sent over a datagram skt bound to a VRF. These
      packets are currently blocked, as flowi6_oif was set to that of the
      master vrf device, and the ipi6_ifindex is that of the slave device.
      Allow these packets to be sent by checking the device with ipi6_ifindex
      has the same L3 scope as that of the bound device of the skt, which is
      the master vrf device. Note that this check always succeeds if the skt
      is unbound.
      
      Even though the right datagram skt is now selected by compute_score(),
      a different skt is being returned that is bound to the wrong vrf. The
      difference between these and stream sockets is the handling of the skt
      option for SO_REUSEPORT. While the handling when adding a skt for reuse
      correctly checks that the bound device of the skt is a match, the skts
      in the hashslot are already incorrect. So for the same hash, a skt for
      the wrong vrf may be selected for the required port. The root cause is
      that the skt is immediately placed into a slot when it is created,
      but when the skt is then bound using SO_BINDTODEVICE, it remains in the
      same slot. The solution is to move the skt to the correct slot by
      forcing a rehash.
      Signed-off-by: default avatarMike Manning <mmanning@vyatta.att-mail.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@gmail.com>
      Tested-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6da5b0f0
    • Mike Manning's avatar
      net: ensure unbound stream socket to be chosen when not in a VRF · e7819058
      Mike Manning authored
      The commit a04a480d ("net: Require exact match for TCP socket
      lookups if dif is l3mdev") only ensures that the correct socket is
      selected for packets in a VRF. However, there is no guarantee that
      the unbound socket will be selected for packets when not in a VRF.
      By checking for a device match in compute_score() also for the case
      when there is no bound device and attaching a score to this, the
      unbound socket is selected. And if a failure is returned when there
      is no device match, this ensures that bound sockets are never selected,
      even if there is no unbound socket.
      Signed-off-by: default avatarMike Manning <mmanning@vyatta.att-mail.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@gmail.com>
      Tested-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e7819058
    • Robert Shearman's avatar
      net: allow binding socket in a VRF when there's an unbound socket · 3c82a21f
      Robert Shearman authored
      Change the inet socket lookup to avoid packets arriving on a device
      enslaved to an l3mdev from matching unbound sockets by removing the
      wildcard for non sk_bound_dev_if and instead relying on check against
      the secondary device index, which will be 0 when the input device is
      not enslaved to an l3mdev and so match against an unbound socket and
      not match when the input device is enslaved.
      
      Change the socket binding to take the l3mdev into account to allow an
      unbound socket to not conflict sockets bound to an l3mdev given the
      datapath isolation now guaranteed.
      Signed-off-by: default avatarRobert Shearman <rshearma@vyatta.att-mail.com>
      Signed-off-by: default avatarMike Manning <mmanning@vyatta.att-mail.com>
      Reviewed-by: default avatarDavid Ahern <dsahern@gmail.com>
      Tested-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3c82a21f
  2. 07 Nov, 2018 22 commits
  3. 06 Nov, 2018 13 commits