Merge branch 'vrf-looping'

davem330 · davem330 · commit 87f78f274db5 · 2020-04-22T12:32:11.000-07:00
David Ahern says:

====================
net: Fix looping with vrf, xfrms and qdisc on VRF

Trev reported that use of VRFs with xfrms is looping when a qdisc
is added to the VRF device. The combination of xfrm + qdisc is not
handled by the VRF driver which lost track that it has already
seen the packet.

The XFRM_TRANSFORMED flag is used by the netfilter code for a similar
purpose, so re-use for VRF. Patch 1 drops the #ifdef around setting
the flag in the xfrm output functions. Patch 2 adds a check to
the VRF driver for flag; if set the packet has already passed through
the VRF driver once and does not need to recirculated a second time.

This is a day 1 bug with VRFs; stable wise, I would only take this
back to 4.14. I have a set of test cases which I will submit to
net-next.
====================

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
@@ -474,7 +474,8 @@ static struct sk_buff *vrf_ip6_out(struct net_device *vrf_dev,
 	if (rt6_need_strict(&ipv6_hdr(skb)->daddr))
 		return skb;
 
-	if (qdisc_tx_is_default(vrf_dev))
+	if (qdisc_tx_is_default(vrf_dev) ||
+	    IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED)
 		return vrf_ip6_out_direct(vrf_dev, sk, skb);
 
 	return vrf_ip6_out_redirect(vrf_dev, skb);
@@ -686,7 +687,8 @@ static struct sk_buff *vrf_ip_out(struct net_device *vrf_dev,
 	    ipv4_is_lbcast(ip_hdr(skb)->daddr))
 		return skb;
 
-	if (qdisc_tx_is_default(vrf_dev))
+	if (qdisc_tx_is_default(vrf_dev) ||
+	    IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED)
 		return vrf_ip_out_direct(vrf_dev, sk, skb);
 
 	return vrf_ip_out_redirect(vrf_dev, skb);
diff --git a/net/ipv4/xfrm4_output.c b/net/ipv4/xfrm4_output.c
@@ -58,9 +58,7 @@ int xfrm4_output_finish(struct sock *sk, struct sk_buff *skb)
 {
 	memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
 
-#ifdef CONFIG_NETFILTER
 	IPCB(skb)->flags |= IPSKB_XFRM_TRANSFORMED;
-#endif
 
 	return xfrm_output(sk, skb);
 }
diff --git a/net/ipv6/xfrm6_output.c b/net/ipv6/xfrm6_output.c
@@ -111,9 +111,7 @@ int xfrm6_output_finish(struct sock *sk, struct sk_buff *skb)
 {
 	memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
 
-#ifdef CONFIG_NETFILTER
 	IP6CB(skb)->flags |= IP6SKB_XFRM_TRANSFORMED;
-#endif
 
 	return xfrm_output(sk, skb);
 }

Original file line number	Diff line number	Diff line change
`@@ -58,9 +58,7 @@ int xfrm4_output_finish(struct sock sk, struct sk_buff skb)`
`58`	`58`	`{`
`59`	`59`	`memset(IPCB(skb), 0, sizeof(*IPCB(skb)));`
`60`	`60`
`61`		`-#ifdef CONFIG_NETFILTER`
`62`	`61`	`IPCB(skb)->flags \|= IPSKB_XFRM_TRANSFORMED;`
`63`		`-#endif`
`64`	`62`
`65`	`63`	`return xfrm_output(sk, skb);`
`66`	`64`	`}`
Original file line number	Diff line number	Diff line change
`@@ -111,9 +111,7 @@ int xfrm6_output_finish(struct sock sk, struct sk_buff skb)`
`111`	`111`	`{`
`112`	`112`	`memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));`
`113`	`113`
`114`		`-#ifdef CONFIG_NETFILTER`
`115`	`114`	`IP6CB(skb)->flags \|= IP6SKB_XFRM_TRANSFORMED;`
`116`		`-#endif`
`117`	`115`
`118`	`116`	`return xfrm_output(sk, skb);`
`119`	`117`	`}`