Hi David,

I formatted a patch to support VRF flow passed by iptables (mangle table).
Previously, we lost the flow.oif, which would result in a routing look-up
failure. This patch wraps the VRF response flow with the correct master interface
by using skb->dev, which was set to the real ingress device.
Without this patch, VRF traffic permitted by firewall rules that change
nf_mark would be dropped while doing fib_lookup.
Kernel documentation suggested two ways of fixing this:

        <
        [2] Iptables on ingress supports PREROUTING with skb->dev set to the real
            ingress device and both INPUT and PREROUTING rules with skb->dev set to
            the VRF device. For egress POSTROUTING and OUTPUT rules can be written
            using either the VRF device or real egress device.
        >

Could you please look at this patch and give me some feedback?
Thanks for your time and consideration.
Regards,
Jack

diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index c0cc6aa..07168d4 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -46,6 +46,14 @@ int ip_route_me_harder(struct net *net, struct sk_buff *skb, 
unsigned int addr_t
                fl4.flowi4_oif = l3mdev_master_ifindex(dev);
        fl4.flowi4_mark = skb->mark;
        fl4.flowi4_flags = flags;
+
+       /* Since we have already known this is vrf flow passed by
+        * mangle table, we wrap the oif with the master interface.
+        */
+       if (fl4.flowi4_oif == 0 && fl4.daddr && skb->dev &&
+           netif_index_is_l3_master(net, skb->dev->ifindex))
+               fl4.flowi4_oif = skb->dev->ifindex;
+
        rt = ip_route_output_key(net, &fl4);
        if (IS_ERR(rt))
                return PTR_ERR(rt);
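Review bot: the comment on the new block claims more than the condition checks; ip_route_me_harder is reached by every caller that re-routes a packet, not only after a mangle rule has run, so the comment should describe what is actually tested (flowi4_oif still unset after the `fl4.flowi4_oif = l3mdev_master_ifindex(dev);` assignment above, and skb->dev being an L3 master device) and should explain the `fl4.daddr` check, which is otherwise unmotivated. Since skb->dev is already in hand, `netif_is_l3_master(skb->dev)` expresses the test directly instead of re-resolving the device from its own ifindex via `netif_index_is_l3_master(net, skb->dev->ifindex)`.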

0001-Wrap-vrf-traffic-passed-by-mangle-table-with-correct.patch