Re: [PATCH v4] net: netfilter: Fix rpfilter dropping vrf packets by mistake

From: David Ahern
Date: Fri Jun 28 2019 - 13:04:28 EST


On 6/28/19 3:06 AM, Miaohe Lin wrote:
> diff --git a/net/ipv6/netfilter/ip6t_rpfilter.c b/net/ipv6/netfilter/ip6t_rpfilter.c
> index 6bcaf7357183..3c4a1772c15f 100644
> --- a/net/ipv6/netfilter/ip6t_rpfilter.c
> +++ b/net/ipv6/netfilter/ip6t_rpfilter.c
> @@ -55,6 +55,10 @@ static bool rpfilter_lookup_reverse6(struct net *net, const struct sk_buff *skb,
> if (rpfilter_addr_linklocal(&iph->saddr)) {
> lookup_flags |= RT6_LOOKUP_F_IFACE;
> fl6.flowi6_oif = dev->ifindex;
> + /* Set flowi6_oif for vrf devices to lookup route in l3mdev domain. */
> + } else if (netif_is_l3_master(dev) || netif_is_l3_slave(dev)) {
> + lookup_flags |= FLOWI_FLAG_SKIP_NH_OIF;
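
Review bot: In the new else-if branch, FLOWI_FLAG_SKIP_NH_OIF is OR'd into lookup_flags, the same variable that takes RT6_LOOKUP_F_IFACE in the branch above. A FLOWI_FLAG_* value is a flow flag, not a route-lookup flag, so if it is needed at all it belongs in fl6.flowi6_flags; left in lookup_flags, its bit can be read as an unrelated RT6_LOOKUP_F_* flag. The added comment also sits above the "} else if" line, inside the link-local block, and would be clearer as the first line inside the branch it describes.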

You don't need to set that flag here. It is done by the fib_rules code
as needed.