Date: Wed, 1 May 2024 16:33:20 +1000
From: David Gibson
To: Stefano Brivio
Subject: Re: [PATCH 2/2] netlink: Don't duplicate routes referring to unrelated host interfaces
References: <20240423204125.3424982-1-sbrivio@redhat.com> <20240423204125.3424982-3-sbrivio@redhat.com>
In-Reply-To: <20240423204125.3424982-3-sbrivio@redhat.com>
CC: passt-dev@passt.top, runsisi

On Tue, Apr 23, 2024 at 10:41:25PM +0200, Stefano Brivio wrote:
> We take care of this in nl_addr_dup(): if the interface index
> associated to an address doesn't match the selected host interface
> (ifa->ifa_index != ifi_src), we don't copy that address.
>
> But for routes, we just unconditionally update the interface index to
> match the index in the target namespace, even if the source interface
> didn't match.
>
> This might happen in two cases: with a pre-4.20 kernel without support
> for NETLINK_GET_STRICT_CHK, which won't filter routes based on the
> interface we pass in the request, as reported by runsisi, and any
> kernel with support for multipath routes where any of the nexthops
> refers to an unrelated host interface.
>
> In both cases, check the index of the source interface, and avoid
> copying unrelated routes.
>
> Reported-by: runsisi
> Link: https://bugs.passt.top/show_bug.cgi?id=86
> Signed-off-by: Stefano Brivio
> ---
>  netlink.c | 43 ++++++++++++++++++++++++++++++++++++-------
>  1 file changed, 36 insertions(+), 7 deletions(-)
>
> diff --git a/netlink.c b/netlink.c
> index a5a4870..e8325c7 100644
> --- a/netlink.c
> +++ b/netlink.c
> @@ -554,21 +554,32 @@ int nl_route_dup(int s_src, unsigned int ifi_src,
>  	     NLMSG_OK(nh, left) && (status = nl_status(nh, left, seq)) > 0;
>  	     nh = NLMSG_NEXT(nh, left)) {
>  		struct rtmsg *rtm = (struct rtmsg *)NLMSG_DATA(nh);
> +		bool discard = false;
>  		struct rtattr *rta;
>  		size_t na;
>  
>  		if (nh->nlmsg_type != RTM_NEWROUTE)
>  			continue;
>  
> -		dup_routes++;
> -
>  		for (rta = RTM_RTA(rtm), na = RTM_PAYLOAD(nh); RTA_OK(rta, na);
>  		     rta = RTA_NEXT(rta, na)) {
>  			/* RTA_OIF and RTA_MULTIPATH attributes carry the
> -			 * identifier of a host interface. Change them to match
> -			 * the corresponding identifier in the target namespace.
> -			 */
> +			 * identifier of a host interface. If they match the
> +			 * host interface we're copying from, change them to
> +			 * match the corresponding identifier in the target
> +			 * namespace.
> +			 *
> +			 * If RTA_OIF doesn't match (NETLINK_GET_STRICT_CHK not
> +			 * available), or if any interface index in nexthop
> +			 * objects differ from the host interface, discard the
> +			 * route altogether.
> +			 */
>  			if (rta->rta_type == RTA_OIF) {
> +				if (*(unsigned int *)RTA_DATA(rta) != ifi_src) {
> +					discard = true;
> +					break;
> +				}
> +
>  				*(unsigned int *)RTA_DATA(rta) = ifi_dst;
>  			} else if (rta->rta_type == RTA_MULTIPATH) {
>  				size_t nh_len = RTA_PAYLOAD(rta);
> @@ -576,8 +587,19 @@ int nl_route_dup(int s_src, unsigned int ifi_src,
>  
>  				for (rtnh = (struct rtnexthop *)RTA_DATA(rta);
>  				     RTNH_OK(rtnh, nh_len);
> -				     rtnh = RTNH_NEXT_AND_DEC(rtnh, nh_len))
> +				     rtnh = RTNH_NEXT_AND_DEC(rtnh, nh_len)) {
> +					int src = (int)ifi_src;
> +
> +					if (rtnh->rtnh_ifindex != src) {
> +						discard = true;
> +						break;
> +					}
> +
>  					rtnh->rtnh_ifindex = ifi_dst;
> +				}
> +
> +				if (discard)
> +					break;
>  			} else if (rta->rta_type == RTA_PREFSRC) {
>  				/* Host routes might include a preferred source
>  				 * address, which must be one of the host's
> @@ -588,6 +610,11 @@ int nl_route_dup(int s_src, unsigned int ifi_src,
>  				rta->rta_type = RTA_UNSPEC;
>  			}
>  		}
> +
> +		if (discard)
> +			rtm->rtm_family = AF_UNSPEC;

Sorry, I misremembered my constants.  Rather than using AF_UNSPEC, I
was thinking you could change nh->nlmsg_type to NLMSG_NOOP, that way..

> +		else
> +			dup_routes++;
>  	}
>  
>  	if (!NLMSG_OK(nh, left)) {
> @@ -619,10 +646,12 @@ int nl_route_dup(int s_src, unsigned int ifi_src,
>  	for (nh = (struct nlmsghdr *)buf, left = nlmsgs_size;
>  	     NLMSG_OK(nh, left);
>  	     nh = NLMSG_NEXT(nh, left)) {
> +		struct rtmsg *rtm = (struct rtmsg *)NLMSG_DATA(nh);
>  		uint16_t flags = nh->nlmsg_flags;
>  		int rc;
>  
> -		if (nh->nlmsg_type != RTM_NEWROUTE)
> +		if (nh->nlmsg_type != RTM_NEWROUTE ||
> +		    rtm->rtm_family == AF_UNSPEC)

.. you don't need to update the condition here.

>  			continue;
>  
>  		rc = nl_do(s_dst, nh, RTM_NEWROUTE,

-- 
David Gibson			| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you.  NOT _the_ _other_
				| _way_ _around_!
http://www.ozlabs.org/~dgibson
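Review bot: in the @@ -554 hunk, `discard` is only ever set from inside the RTA_OIF and RTA_MULTIPATH branches, so a route message that carries neither attribute is never discarded and still falls through to the route count and the copy, whichever host interface it belongs to. If that is the intended outcome for interface-less routes, the new comment block should say so; if not, a `bool seen_ifi` set by either branch and checked together with `discard` after the attribute loop would close the gap. Minor: in the new comment, "any interface index in nexthop objects differ" reads as "differs".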
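Review bot: in the @@ -576 hunk, `int src = (int)ifi_src;` is declared and initialised inside the nexthop loop body, so it is recomputed for every nexthop; hoist it next to `nh_len` (declared just above this hunk), or compare `(unsigned int)rtnh->rtnh_ifindex != ifi_src` the way the RTA_OIF branch compares unsigned values directly, so that the two checks stay symmetric.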
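Review bot: in the @@ -588 hunk, `rtm->rtm_family = AF_UNSPEC` overloads a protocol field of the copied message as a private "skip this one" marker that the second loop then has to know about. The reply above suggests `nh->nlmsg_type = NLMSG_NOOP` instead: the replay loop already skips anything that is not RTM_NEWROUTE, so the marker needs no second check and cannot be confused with a real address family.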
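Review bot: in the @@ -619 hunk, the new `struct rtmsg *rtm` exists only to serve the added `rtm->rtm_family == AF_UNSPEC` condition; if the discard marker becomes NLMSG_NOOP as suggested above, drop the declaration together with the extra condition, otherwise `rtm` is left unused.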
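The route filtering discussed in this thread, as an added stand-alone example that is not code from the patch or from passt: it builds a constructed RTM_NEWROUTE dump in memory (no netlink socket), keeps a route only when RTA_OIF and every RTA_MULTIPATH nexthop point at the selected host interface, and marks discarded routes with NLMSG_NOOP as David suggests, rather than the patch's AF_UNSPEC. The function names (route_build, route_only_on, routes_filter, demo_kept_routes), the buffer layout and the sample interface indices are this example's own assumptions; the macros come from the Linux uapi headers, and since RTNH_NEXT_AND_DEC is passt's own macro the nexthop walk decrements the remaining length by hand.

```c
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* Build one constructed RTM_NEWROUTE message at buf (not read from a socket):
 * RTA_OIF = oif when oif != 0, else RTA_MULTIPATH over nexthops[0..n).
 * Returns the aligned size used, or 0 if bufsz is too small. */
size_t route_build(void *buf, size_t bufsz, unsigned int oif,
		   const int *nexthops, size_t n)
{
	size_t plen = oif ? sizeof(oif) : n * RTNH_ALIGN(sizeof(struct rtnexthop));
	size_t len = NLMSG_LENGTH(sizeof(struct rtmsg)) + RTA_LENGTH(plen);
	struct nlmsghdr *nh = buf;
	struct rtattr *rta;

	if (NLMSG_ALIGN(len) > bufsz)
		return 0;
	memset(buf, 0, NLMSG_ALIGN(len));
	nh->nlmsg_len = len;
	nh->nlmsg_type = RTM_NEWROUTE;
	((struct rtmsg *)NLMSG_DATA(nh))->rtm_family = AF_INET;
	rta = RTM_RTA((struct rtmsg *)NLMSG_DATA(nh));
	rta->rta_len = RTA_LENGTH(plen);
	if (oif) {
		rta->rta_type = RTA_OIF;
		memcpy(RTA_DATA(rta), &oif, sizeof(oif));
	} else {
		struct rtnexthop *rtnh = RTA_DATA(rta);
		size_t i;

		rta->rta_type = RTA_MULTIPATH;
		for (i = 0; i < n; i++, rtnh = RTNH_NEXT(rtnh)) {
			rtnh->rtnh_len = sizeof(*rtnh);
			rtnh->rtnh_ifindex = nexthops[i];
		}
	}
	return NLMSG_ALIGN(len);
}

/* True if every interface reference in the route (RTA_OIF and each nexthop
 * of RTA_MULTIPATH) is ifi_src; as in the patch, a route that carries no
 * interface reference at all is kept. */
bool route_only_on(struct nlmsghdr *nh, unsigned int ifi_src)
{
	struct rtmsg *rtm = NLMSG_DATA(nh);
	struct rtattr *rta;
	int na;

	for (rta = RTM_RTA(rtm), na = RTM_PAYLOAD(nh); RTA_OK(rta, na);
	     rta = RTA_NEXT(rta, na)) {
		if (rta->rta_type == RTA_OIF) {
			if (*(unsigned int *)RTA_DATA(rta) != ifi_src)
				return false;
		} else if (rta->rta_type == RTA_MULTIPATH) {
			struct rtnexthop *rtnh = RTA_DATA(rta);
			int nh_len = RTA_PAYLOAD(rta);

			/* uapi RTNH_NEXT, unlike passt's RTNH_NEXT_AND_DEC,
			 * leaves the remaining length to the caller. */
			for (; RTNH_OK(rtnh, nh_len); rtnh = RTNH_NEXT(rtnh)) {
				if (rtnh->rtnh_ifindex != (int)ifi_src)
					return false;
				nh_len -= RTNH_ALIGN(rtnh->rtnh_len);
			}
		}
	}
	return true;
}

/* Walk a dump buffer: routes touching other host interfaces become NLMSG_NOOP
 * (the reviewer's suggestion in this thread, not the patch's AF_UNSPEC), so a
 * replay loop acting only on RTM_NEWROUTE skips them. Returns routes kept. */
unsigned int routes_filter(void *buf, size_t len, unsigned int ifi_src)
{
	struct nlmsghdr *nh = buf;
	int left = (int)len;
	unsigned int kept = 0;

	for (; NLMSG_OK(nh, left); nh = NLMSG_NEXT(nh, left)) {
		if (nh->nlmsg_type != RTM_NEWROUTE)
			continue;
		if (route_only_on(nh, ifi_src))
			kept++;
		else
			nh->nlmsg_type = NLMSG_NOOP;
	}
	return kept;
}

/* Constructed sample dump for host interface 2: a route on it, a route on
 * interface 3, a multipath route over {2,2} and one over {2,5}. */
unsigned int demo_kept_routes(void)
{
	static const int mp_ok[2] = { 2, 2 }, mp_mixed[2] = { 2, 5 };
	static unsigned int buf[64];	/* 256 bytes, 4-byte aligned */
	char *p = (char *)buf;
	size_t off = 0;

	off += route_build(p + off, sizeof(buf) - off, 2, NULL, 0);
	off += route_build(p + off, sizeof(buf) - off, 3, NULL, 0);
	off += route_build(p + off, sizeof(buf) - off, 0, mp_ok, 2);
	off += route_build(p + off, sizeof(buf) - off, 0, mp_mixed, 2);
	return routes_filter(buf, off, 2);	/* 2: interface 3 and {2,5} dropped */
}
```

Because a discarded message is rewritten in place, the same buffer can be handed to the replay loop unchanged; the NLMSG_NOOP type is what makes the existing `nlmsg_type != RTM_NEWROUTE` test in the replay loop sufficient, which is the point of the reply above.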