On 11/7/18 8:36 AM, Mike Manning wrote:
> Ensure an unbound datagram skt is chosen when not in a VRF. The check
> for a device match in compute_score() for UDP must be performed when
> there is no device match. For this, a failure is returned when there is
> no device match. This ensures that bound sockets are never selected,
> even if there is no unbound socket.
>
> Allow IPv6 packets to be sent over a datagram skt bound to a VRF. These
> packets are currently blocked, as flowi6_oif was set to that of the
> master vrf device, and the ipi6_ifindex is that of the slave device.
> Allow these packets to be sent by checking the device with ipi6_ifindex
> has the same L3 scope as that of the bound device of the skt, which is
> the master vrf device. Note that this check always succeeds if the skt
> is unbound.
>
> Even though the right datagram skt is now selected by compute_score(),
> a different skt is being returned that is bound to the wrong vrf. The
> difference between these and stream sockets is the handling of the skt
> option for SO_REUSEPORT. While the handling when adding a skt for reuse
> correctly checks that the bound device of the skt is a match, the skts
> in the hashslot are already incorrect. So for the same hash, a skt for
> the wrong vrf may be selected for the required port. The root cause is
> that the skt is immediately placed into a slot when it is created,
> but when the skt is then bound using SO_BINDTODEVICE, it remains in the
> same slot. The solution is to move the skt to the correct slot by
> forcing a rehash.
>
> Signed-off-by: Mike Manning <mmann...@vyatta.att-mail.com>
> ---
>  include/net/udp.h   | 11 +++++++++++
>  net/core/sock.c     |  2 ++
>  net/ipv4/udp.c      | 15 ++++++---------
>  net/ipv6/datagram.c | 10 +++++++---
>  net/ipv6/udp.c      | 14 +++++---------
>  5 files changed, 31 insertions(+), 21 deletions(-)

Reviewed-by: David Ahern <dsah...@gmail.com>
Tested-by: David Ahern <dsah...@gmail.com>