Re: Why revert commit 2271c95 ("vrf: mark skb for multicast or link-local as enslaved to VRF")?

2020-10-19 Thread Mike Manning
On 19/10/2020 02:53, David Ahern wrote: > On 10/18/20 10:06 AM, Stephen Suryaputra wrote: >> $ git --no-pager show afed1a4 >> >> commit afed1a4dbb76c81900f10fd77397fb91ad442702 >> Author: Sasha Levin >> Date: Mon Mar 23 16:21:31 2020 -0400 >> >> Revert "vrf: mark skb for multicast or link-lo

Re: Why revert commit 2271c95 ("vrf: mark skb for multicast or link-local as enslaved to VRF")?

2020-10-19 Thread Mike Manning
On 19/10/2020 13:04, Mike Manning wrote: > On 19/10/2020 02:53, David Ahern wrote: >> On 10/18/20 10:06 AM, Stephen Suryaputra wrote: >>> $ git --no-pager show afed1a4 >>> >>> commit afed1a4dbb76c81900f10fd77397fb91ad442702 >>> Author: Sasha Levi

Re: VRF Issue Since kernel 5

2019-09-11 Thread Mike Manning
Hi Gareth, could you please also check that all the following are set to 1? I appreciate you've confirmed that the one for tcp is set to 1, and by default the one for raw is also set to 1: sudo sysctl -a | grep l3mdev If not, sudo sysctl net.ipv4.raw_l3mdev_accept=1 sudo sysctl net.ipv4.udp_l3mde

Re: [PATCH net] net/ipv6: Reinstate ping/traceroute use with source address in VRF

2019-05-20 Thread Mike Manning
On 20/05/2019 17:58, David Ahern wrote: > On 5/20/19 2:40 AM, Mike Manning wrote: >> Since the commit 1893ff20275b ("net/ipv6: Add l3mdev check to >> ipv6_chk_addr_and_flags"), traceroute using TCP SYN or ICMP ECHO option >> and ping fail when specifying a source

[PATCH net] ipv6: Consider sk_bound_dev_if when binding a raw socket to an address

2019-05-20 Thread Mike Manning
considering the device if sk_bound_dev_if is set. Signed-off-by: Mike Manning --- net/ipv6/raw.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index 84dbe21b71e5..96a3559f2a09 100644 --- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c @@ -287,7 +287,9 @@ static int

[PATCH net] net/ipv6: Reinstate ping/traceroute use with source address in VRF

2019-05-20 Thread Mike Manning
address exists in the L3 domain that the dev is part of only if the dev has been specified. Signed-off-by: Mike Manning --- net/ipv6/addrconf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index f96d1de79509..3963306ec27f 100644

[PATCH iproute2-next] iplink_vlan: add support for VLAN bridge binding flag

2019-04-20 Thread Mike Manning
This patch adds support for the VLAN bridge binding flag that is provided in net-next kernel by the series merged by 1ab839281cf7 ("net-support-binding-vlan-dev-link-state-to-vlan-member-bridge-ports") Signed-off-by: Mike Manning --- include/uapi/linux/if_vlan.h | 9 + ip/ipl

[PATCH net-next v3 2/5] vlan: do not transfer link state in vlan bridge binding mode

2019-04-18 Thread Mike Manning
In vlan bridge binding mode, the link state is no longer transferred from the lower device. Instead it is set by the bridge module according to the state of bridge ports that are members of the vlan. Signed-off-by: Mike Manning --- net/8021q/vlan.c | 18 ++ net/8021q

[PATCH net-next v3 5/5] bridge: update vlan dev link state for bridge netdev changes

2019-04-18 Thread Mike Manning
must also be down. This is to maintain existing behavior for when STP is enabled and there are no live ports, in which case the link state for the bridge and any vlan devices is down. Signed-off-by: Mike Manning --- net/bridge/br_vlan.c | 50 +++--- 1

[PATCH net-next v3 0/5] net: support binding vlan dev link state to vlan member bridge ports

2019-04-18 Thread Mike Manning
. v2: - Address review comments from Nikolay Aleksandrov in patches 3 & 4 and add patch 5 to address bridge link down due to STP v3: - Address review comment from Nikolay Aleksandrov in patch 4 so as to remove unnecessary inline #ifdef Mike Manning (5): vlan: support binding

[PATCH net-next v3 3/5] bridge: support binding vlan dev link state to vlan member bridge ports

2019-04-18 Thread Mike Manning
one bridge port that is a vlan member that is admin & oper up, otherwise its oper state is IF_OPER_LOWERLAYERDOWN. Signed-off-by: Mike Manning --- net/bridge/br.c | 13 +++-- net/bridge/br_private.h | 14 + net/bridge/br_vlan.c|

[PATCH net-next v3 4/5] bridge: update vlan dev state when port added to or deleted from vlan

2019-04-18 Thread Mike Manning
necessary. Signed-off-by: Mike Manning --- net/bridge/br_vlan.c | 19 +++ 1 file changed, 19 insertions(+) diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c index b903689a8fc5..89146a5f0c23 100644 --- a/net/bridge/br_vlan.c +++ b/net/bridge/br_vlan.c @@ -7,6 +7,8 @@ #include

[PATCH net-next v3 1/5] vlan: support binding link state to vlan member bridge ports

2019-04-18 Thread Mike Manning
longer automatically transferred from the lower device, but is instead determined by the bridge ports that are members of the vlan. Signed-off-by: Mike Manning --- include/uapi/linux/if_vlan.h | 9 + net/8021q/vlan_dev.c | 3 ++- net/8021q/vlan_netlink.c | 3 ++- 3 files

Re: [PATCH net-next v2 3/5] bridge: support binding vlan dev link state to vlan member bridge ports

2019-04-18 Thread Mike Manning
On 18/04/2019 12:28, Nikolay Aleksandrov wrote: > On 17/04/2019 21:16, Mike Manning wrote: >> In the case of vlan filtering on bridges, the bridge may also have the >> corresponding vlan devices as upper devices. A vlan bridge binding mode >> is added to allow the link state

[PATCH net-next v2 2/5] vlan: do not transfer link state in vlan bridge binding mode

2019-04-17 Thread Mike Manning
In vlan bridge binding mode, the link state is no longer transferred from the lower device. Instead it is set by the bridge module according to the state of bridge ports that are members of the vlan. Signed-off-by: Mike Manning --- net/8021q/vlan.c | 18 ++ net/8021q

[PATCH net-next v2 5/5] bridge: update vlan dev link state for bridge netdev changes

2019-04-17 Thread Mike Manning
must also be down. This is to maintain existing behavior for when STP is enabled and there are no live ports, in which case the link state for the bridge and any vlan devices is down. Signed-off-by: Mike Manning --- net/bridge/br_vlan.c | 50 +++--- 1

Re: [PATCH net-next 3/4] bridge: support binding vlan dev link state to vlan member bridge ports

2019-04-17 Thread Mike Manning
On 03/04/2019 19:23, Nikolay Aleksandrov wrote: > On 03/04/2019 21:17, Nikolay Aleksandrov wrote: >> On 03/04/2019 20:53, Nikolay Aleksandrov wrote: >>> On 03/04/2019 20:43, Mike Manning wrote: >>>> On 02/04/2019 20:22, Nikolay Aleksandrov wrote: >>>>

[PATCH net-next v2 3/5] bridge: support binding vlan dev link state to vlan member bridge ports

2019-04-17 Thread Mike Manning
one bridge port that is a vlan member that is admin & oper up, otherwise its oper state is IF_OPER_LOWERLAYERDOWN. Signed-off-by: Mike Manning --- net/bridge/br.c | 17 -- net/bridge/br_private.h | 14 + net/bridge/br_vlan.c|

[PATCH net-next v2 1/5] vlan: support binding link state to vlan member bridge ports

2019-04-17 Thread Mike Manning
longer automatically transferred from the lower device, but is instead determined by the bridge ports that are members of the vlan. Signed-off-by: Mike Manning --- include/uapi/linux/if_vlan.h | 9 + net/8021q/vlan_dev.c | 3 ++- net/8021q/vlan_netlink.c | 3 ++- 3 files

[PATCH net-next v2 4/5] bridge: update vlan dev state when port added to or deleted from vlan

2019-04-17 Thread Mike Manning
necessary. Signed-off-by: Mike Manning --- net/bridge/br_vlan.c | 19 +++ 1 file changed, 19 insertions(+) diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c index b903689a8fc5..89146a5f0c23 100644 --- a/net/bridge/br_vlan.c +++ b/net/bridge/br_vlan.c @@ -7,6 +7,8 @@ #include

[PATCH net-next v2 0/5] net: support binding vlan dev link state to vlan member bridge ports

2019-04-17 Thread Mike Manning
. Mike Manning (5): vlan: support binding link state to vlan member bridge ports vlan: do not transfer link state in vlan bridge binding mode bridge: support binding vlan dev link state to vlan member bridge ports bridge: update vlan dev state when port added to or deleted from vlan

Re: [PATCH net-next 2/4] vlan: do not transfer link state in vlan bridge binding mode

2019-04-03 Thread Mike Manning
On 02/04/2019 21:15, Nikolay Aleksandrov wrote: > On 02/04/2019 18:35, Mike Manning wrote: >> In vlan bridge binding mode, the link state is no longer transferred >> from the lower device. Instead it is set by the bridge module according >> to the state of bridge ports that ar

Re: [PATCH net-next 3/4] bridge: support binding vlan dev link state to vlan member bridge ports

2019-04-03 Thread Mike Manning
On 02/04/2019 20:22, Nikolay Aleksandrov wrote: > On 02/04/2019 18:35, Mike Manning wrote: >> In the case of vlan filtering on bridges, the bridge may also have the >> corresponding vlan devices as upper devices. A vlan bridge binding mode >> is added to allow the link state

Re: [PATCH net-next 4/4] bridge: update vlan dev state when port added to or deleted from vlan

2019-04-03 Thread Mike Manning
On 02/04/2019 21:10, Nikolay Aleksandrov wrote: > On 02/04/2019 18:35, Mike Manning wrote: >> If vlan bridge binding is enabled, then the link state of a vlan device >> that is an upper device of the bridge should track the state of bridge >> ports that are members of that

[PATCH net-next 2/4] vlan: do not transfer link state in vlan bridge binding mode

2019-04-02 Thread Mike Manning
In vlan bridge binding mode, the link state is no longer transferred from the lower device. Instead it is set by the bridge module according to the state of bridge ports that are members of the vlan. Signed-off-by: Mike Manning --- net/8021q/vlan.c | 18 ++ net/8021q

[PATCH net-next 4/4] bridge: update vlan dev state when port added to or deleted from vlan

2019-04-02 Thread Mike Manning
necessary. Signed-off-by: Mike Manning --- net/bridge/br_vlan.c | 23 +++ 1 file changed, 23 insertions(+) diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c index 642373231386..7c11607cf1f4 100644 --- a/net/bridge/br_vlan.c +++ b/net/bridge/br_vlan.c @@ -7,6 +7,9

[PATCH net-next 3/4] bridge: support binding vlan dev link state to vlan member bridge ports

2019-04-02 Thread Mike Manning
one bridge port that is a vlan member that is admin & oper up, otherwise its oper state is IF_OPER_LOWERLAYERDOWN. Signed-off-by: Mike Manning --- net/bridge/br.c | 23 ++-- net/bridge/br_private.h | 17 ++ net/bridge/br_vlan.c|

[PATCH net-next 0/4] net: support binding vlan dev link state to vlan member bridge ports

2019-04-02 Thread Mike Manning
. Mike Manning (4): vlan: support binding link state to vlan member bridge ports vlan: do not transfer link state in vlan bridge binding mode bridge: support binding vlan dev link state to vlan member bridge ports bridge: update vlan dev state when port added to or deleted from vlan

[PATCH net-next 1/4] vlan: support binding link state to vlan member bridge ports

2019-04-02 Thread Mike Manning
longer automatically transferred from the lower device, but is instead determined by the bridge ports that are members of the vlan. Signed-off-by: Mike Manning --- include/uapi/linux/if_vlan.h | 9 + net/8021q/vlan_dev.c | 3 ++- net/8021q/vlan_netlink.c | 3 ++- 3 files

[PATCH net-next v5 9/9] ipv6: do not drop vrf udp multicast packets

2018-11-07 Thread Mike Manning
From: Dewi Morgan For bound udp sockets in a vrf, also check the sdif to get the index for ingress devices enslaved to an l3mdev. Signed-off-by: Dewi Morgan Signed-off-by: Mike Manning --- net/ipv6/udp.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/net/ipv6

[PATCH net-next v5 8/9] ipv6: handling of multicast packets received in VRF

2018-11-07 Thread Mike Manning
If the skb for multicast packets marked as enslaved to a VRF are received, then the secondary device index should be used to obtain the real device. And verify the multicast address against the enslaved rather than the l3mdev device. Signed-off-by: Dewi Morgan Signed-off-by: Mike Manning

[PATCH net-next v5 7/9] ipv6: allow ping to link-local address in VRF

2018-11-07 Thread Mike Manning
resses, in that this can now be done from within the same VRF that the address is in. Signed-off-by: Mike Manning --- net/ipv6/ipv6_sockglue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index 381ce38940ae..973e215c3114 10

[PATCH net-next v5 0/9] vrf: allow simultaneous service instances in default and other VRFs

2018-11-07 Thread Mike Manning
for raw socket sysctl as recommended by David Ahern v5: - Address review comments from David Ahern in patches 2-5 Dewi Morgan (1): ipv6: do not drop vrf udp multicast packets Duncan Eastoe (1): net: fix raw socket lookup device bind matching with VRFs Mike Manning (6): net: ensure unb

[PATCH net-next v5 4/9] net: provide a sysctl raw_l3mdev_accept for raw socket lookup with VRFs

2018-11-07 Thread Mike Manning
correspondingly packets in the default VRF are only handled by a socket not bound to any VRF. Signed-off-by: Mike Manning --- Documentation/networking/ip-sysctl.txt | 12 Documentation/networking/vrf.txt | 13 + include/net/netns/ipv4.h | 3 +++ include

[PATCH net-next v5 5/9] net: fix raw socket lookup device bind matching with VRFs

2018-11-07 Thread Mike Manning
similarly updated to use raw_sk_bound_dev_eq() which matches the handling in __raw_v4_lookup(). Importantly raw_sk_bound_dev_eq() takes the raw_l3mdev_accept sysctl into account. Signed-off-by: Duncan Eastoe Signed-off-by: Mike Manning --- include/net/raw.h | 13 - net/ipv4/raw.c

[PATCH net-next v5 1/9] net: allow binding socket in a VRF when there's an unbound socket

2018-11-07 Thread Mike Manning
-by: Robert Shearman Signed-off-by: Mike Manning --- Documentation/networking/vrf.txt | 9 + include/net/inet6_hashtables.h | 5 ++--- include/net/inet_hashtables.h| 13 ++--- include/net/inet_sock.h | 13 + net/ipv4/inet_connection_sock.c | 13

[PATCH net-next v5 3/9] net: ensure unbound datagram socket to be chosen when not in a VRF

2018-11-07 Thread Mike Manning
be selected for the required port. The root cause is that the skt is immediately placed into a slot when it is created, but when the skt is then bound using SO_BINDTODEVICE, it remains in the same slot. The solution is to move the skt to the correct slot by forcing a rehash. Signed-off-by: Mike

[PATCH net-next v5 6/9] vrf: mark skb for multicast or link-local as enslaved to VRF

2018-11-07 Thread Mike Manning
: Mike Manning --- drivers/net/vrf.c | 19 +-- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c index 69b7227c637e..21ad4b1d7f03 100644 --- a/drivers/net/vrf.c +++ b/drivers/net/vrf.c @@ -981,24 +981,23 @@ static struct sk_buff

[PATCH net-next v5 2/9] net: ensure unbound stream socket to be chosen when not in a VRF

2018-11-07 Thread Mike Manning
vice match in compute_score() also for the case when there is no bound device and attaching a score to this, the unbound socket is selected. And if a failure is returned when there is no device match, this ensures that bound sockets are never selected, even if there is no unbound socket. Signed-of

[PATCH net-next v4 2/9] net: ensure unbound stream socket to be chosen when not in a VRF

2018-11-02 Thread Mike Manning
vice match in compute_score() also for the case when there is no bound device and attaching a score to this, the unbound socket is selected. And if a failure is returned when there is no device match, this ensures that bound sockets are never selected, even if there is no unbound socket. Signed-of

[PATCH net-next v4 0/9] vrf: allow simultaneous service instances in default and other VRFs

2018-11-02 Thread Mike Manning
for raw socket sysctl as recommended by David Ahern Dewi Morgan (1): ipv6: do not drop vrf udp multicast packets Duncan Eastoe (1): net: fix raw socket lookup device bind matching with VRFs Mike Manning (6): net: ensure unbound stream socket to be chosen when not in a VRF net: ensure unbou

[PATCH net-next v4 6/9] vrf: mark skb for multicast or link-local as enslaved to VRF

2018-11-02 Thread Mike Manning
: Mike Manning --- drivers/net/vrf.c | 19 +-- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c index 69b7227c637e..21ad4b1d7f03 100644 --- a/drivers/net/vrf.c +++ b/drivers/net/vrf.c @@ -981,24 +981,23 @@ static struct sk_buff

[PATCH net-next v4 5/9] net: fix raw socket lookup device bind matching with VRFs

2018-11-02 Thread Mike Manning
similarly updated to use raw_sk_bound_dev_eq() which matches the handling in __raw_v4_lookup(). Importantly raw_sk_bound_dev_eq() takes the raw_l3mdev_accept sysctl into account. Signed-off-by: Duncan Eastoe Signed-off-by: Mike Manning --- include/net/raw.h | 12 net/ipv4/raw.c

[PATCH net-next v4 3/9] net: ensure unbound datagram socket to be chosen when not in a VRF

2018-11-02 Thread Mike Manning
be selected for the required port. The root cause is that the skt is immediately placed into a slot when it is created, but when the skt is then bound using SO_BINDTODEVICE, it remains in the same slot. The solution is to move the skt to the correct slot by forcing a rehash. Signed-off-by: Mike

[PATCH net-next v4 7/9] ipv6: allow ping to link-local address in VRF

2018-11-02 Thread Mike Manning
resses, in that this can now be done from within the same VRF that the address is in. Signed-off-by: Mike Manning --- net/ipv6/ipv6_sockglue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index 381ce38940ae..973e215c3114 10

[PATCH net-next v4 8/9] ipv6: handling of multicast packets received in VRF

2018-11-02 Thread Mike Manning
If the skb for multicast packets marked as enslaved to a VRF are received, then the secondary device index should be used to obtain the real device. And verify the multicast address against the enslaved rather than the l3mdev device. Signed-off-by: Dewi Morgan Signed-off-by: Mike Manning

[PATCH net-next v4 4/9] net: provide a sysctl raw_l3mdev_accept for raw socket lookup with VRFs

2018-11-02 Thread Mike Manning
correspondingly packets in the default VRF are only handled by a socket not bound to any VRF. Signed-off-by: Mike Manning --- Documentation/networking/ip-sysctl.txt | 12 Documentation/networking/vrf.txt | 13 + include/net/netns/ipv4.h | 3 +++ include

[PATCH net-next v4 9/9] ipv6: do not drop vrf udp multicast packets

2018-11-02 Thread Mike Manning
From: Dewi Morgan For bound udp sockets in a vrf, also check the sdif to get the index for ingress devices enslaved to an l3mdev. Signed-off-by: Dewi Morgan Signed-off-by: Mike Manning --- net/ipv6/udp.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/net/ipv6

[PATCH net-next v4 1/9] net: allow binding socket in a VRF when there's an unbound socket

2018-11-02 Thread Mike Manning
-by: Robert Shearman Signed-off-by: Mike Manning --- Documentation/networking/vrf.txt | 9 + include/net/inet6_hashtables.h | 5 ++--- include/net/inet_hashtables.h| 13 ++--- include/net/inet_sock.h | 13 + net/ipv4/inet_connection_sock.c | 13

[PATCH] net: allow traceroute with a specified interface in a vrf

2018-10-26 Thread Mike Manning
lookup fails for ICMP_DEST_UNREACH and ICMP_TIME_EXCEEDED messages. The solution is for the secondary dev to be passed so that the interface is available for the device match to succeed, in the same way as is already done for non-error cases. Signed-off-by: Mike Manning --- net/ipv4/udp.c | 4

[PATCH net-next v3 4/9] net: provide a sysctl raw_l3mdev_accept for raw socket lookup with VRFs

2018-10-04 Thread Mike Manning
application into a default VRF. Signed-off-by: Mike Manning --- Documentation/networking/ip-sysctl.txt | 9 + Documentation/networking/vrf.txt | 8 +--- include/net/netns/ipv4.h | 3 +++ net/ipv4/sysctl_net_ipv4.c | 11 +++ 4 files changed, 28

[PATCH net-next v3 2/9] net: ensure unbound stream socket to be chosen when not in a VRF

2018-10-04 Thread Mike Manning
vice match in compute_score() also for the case when there is no bound device and attaching a score to this, the unbound socket is selected. And if a failure is returned when there is no device match, this ensures that bound sockets are never selected, even if there is no unbound socket. Signed-of

[PATCH net-next v3 3/9] net: ensure unbound datagram socket to be chosen when not in a VRF

2018-10-04 Thread Mike Manning
be selected for the required port. The root cause is that the skt is immediately placed into a slot when it is created, but when the skt is then bound using SO_BINDTODEVICE, it remains in the same slot. The solution is to move the skt to the correct slot by forcing a rehash. Signed-off-by: Mike

[PATCH net-next v3 5/9] net: fix raw socket lookup device bind matching with VRFs

2018-10-04 Thread Mike Manning
similarly updated to use raw_sk_bound_dev_eq() which matches the handling in __raw_v4_lookup(). Importantly raw_sk_bound_dev_eq() takes the raw_l3mdev_accept sysctl into account. Signed-off-by: Duncan Eastoe Signed-off-by: Mike Manning --- include/net/raw.h | 12 net/ipv4/raw.c

[PATCH net-next v3 9/9] ipv6: do not drop vrf udp multicast packets

2018-10-04 Thread Mike Manning
From: Dewi Morgan For bound udp sockets in a vrf, also check the sdif to get the index for ingress devices enslaved to an l3mdev. Signed-off-by: Dewi Morgan Signed-off-by: Mike Manning --- net/ipv6/udp.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/net/ipv6

[PATCH net-next v3 1/9] net: allow binding socket in a VRF when there's an unbound socket

2018-10-04 Thread Mike Manning
-by: Robert Shearman Signed-off-by: Mike Manning --- Documentation/networking/vrf.txt | 9 + include/net/inet6_hashtables.h | 5 ++--- include/net/inet_hashtables.h| 13 ++--- include/net/inet_sock.h | 13 + net/ipv4/inet_connection_sock.c | 13

[PATCH net-next v3 8/9] ipv6: handling of multicast packets received in VRF

2018-10-04 Thread Mike Manning
If the skb for multicast packets marked as enslaved to a VRF are received, then the secondary device index should be used to obtain the real device. And verify the multicast address against the enslaved rather than the l3mdev device. Signed-off-by: Dewi Morgan Signed-off-by: Mike Manning

[PATCH net-next v3 0/9] vrf: allow simultaneous service instances in default and other VRFs

2018-10-04 Thread Mike Manning
- Expand series into 10 patches and provide improved descriptions v3: - Update description for patch 1/10 and remove patch 6/10 Dewi Morgan (1): ipv6: do not drop vrf udp multicast packets Duncan Eastoe (1): net: fix raw socket lookup device bind matching with VRFs Mike Manning (6): ne

[PATCH net-next v3 7/9] ipv6: allow ping to link-local address in VRF

2018-10-04 Thread Mike Manning
resses, in that this can now be done from within the same VRF that the address is in. Signed-off-by: Mike Manning --- net/ipv6/ipv6_sockglue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index c0cac9cc3a28..f3e99e578843 10

[PATCH net-next v3 6/9] vrf: mark skb for multicast or link-local as enslaved to VRF

2018-10-04 Thread Mike Manning
: Mike Manning --- drivers/net/vrf.c | 19 +-- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c index 69b7227c637e..21ad4b1d7f03 100644 --- a/drivers/net/vrf.c +++ b/drivers/net/vrf.c @@ -981,24 +981,23 @@ static struct sk_buff

Re: [PATCH net] ipv6: revert degradation in IPv6 Ready Logo test results

2018-10-03 Thread Mike Manning
On 02/10/2018 19:26, David Miller wrote: > From: Mike Manning > Date: Tue, 2 Oct 2018 12:40:30 +0100 > >> This reverts commit 0ed4229b08c1 ("ipv6: defrag: drop non-last frags >> smaller than min mtu"). While one should not get fragments smaller than >> the I

[PATCH net] ipv6: revert degradation in IPv6 Ready Logo test results

2018-10-02 Thread Mike Manning
presenting over 5% of the score. Cc: Florian Westphal Signed-off-by: Mike Manning --- The failures which are reverted by this fix are: Section 1: RFC 2460 - IPv6 Specification Test v6LC.1.2.4: Extension Header Processing Order 33-34 Test v6LC.1.3.1: Fragment Reassembly 67-72 Test v6LC.1.3.2: Reass

Re: [PATCH net-next v1 1/5] net: allow binding socket in a VRF when there's an unbound socket

2018-10-01 Thread Mike Manning
On 25/09/2018 18:16, David Ahern wrote: > On 9/25/18 9:26 AM, Mike Manning wrote: >> On 24/09/2018 23:44, David Ahern wrote: >>> On 9/24/18 10:13 AM, Mike Manning wrote: >>>> From: Robert Shearman >>>> >>>> There is no easy way currently for

[PATCH net-next v2 03/10] net: ensure unbound datagram socket to be chosen when not in a VRF

2018-10-01 Thread Mike Manning
be selected for the required port. The root cause is that the skt is immediately placed into a slot when it is created, but when the skt is then bound using SO_BINDTODEVICE, it remains in the same slot. The solution is to move the skt to the correct slot by forcing a rehash. Signed-off-by: Mike

[PATCH net-next v2 01/10] net: allow binding socket in a VRF when there's an unbound socket

2018-10-01 Thread Mike Manning
socket and not match when the input device is enslaved. Change the socket binding to take the l3mdev into account to allow an unbound socket to not conflict sockets bound to an l3mdev given the datapath isolation now guaranteed. Signed-off-by: Robert Shearman Signed-off-by: Mike Manning

[PATCH net-next v2 08/10] ipv6: allow ping to link-local address in VRF

2018-10-01 Thread Mike Manning
resses, in that this can now be done from within the same VRF that the address is in. Signed-off-by: Mike Manning --- net/ipv6/ipv6_sockglue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index 7dfbc797b130..4ebd395dd3df 10

[PATCH net-next v2 07/10] vrf: mark skb for multicast or link-local as enslaved to VRF

2018-10-01 Thread Mike Manning
: Mike Manning --- drivers/net/vrf.c | 19 +-- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c index 69b7227c637e..21ad4b1d7f03 100644 --- a/drivers/net/vrf.c +++ b/drivers/net/vrf.c @@ -981,24 +981,23 @@ static struct sk_buff

[PATCH net-next v2 04/10] net: provide a sysctl raw_l3mdev_accept for raw socket lookup with VRFs

2018-10-01 Thread Mike Manning
application into a default VRF. Signed-off-by: Mike Manning --- Documentation/networking/ip-sysctl.txt | 9 + Documentation/networking/vrf.txt | 8 +--- include/net/netns/ipv4.h | 3 +++ net/ipv4/sysctl_net_ipv4.c | 11 +++ 4 files changed, 28

[PATCH net-next v2 10/10] ipv6: do not drop vrf udp multicast packets

2018-10-01 Thread Mike Manning
From: Dewi Morgan For bound udp sockets in a vrf, also check the sdif to get the index for ingress devices enslaved to an l3mdev. Signed-off-by: Dewi Morgan Signed-off-by: Mike Manning --- net/ipv6/udp.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/net/ipv6

[PATCH net-next v2 05/10] net: fix raw socket lookup device bind matching with VRFs

2018-10-01 Thread Mike Manning
similarly updated to use raw_sk_bound_dev_eq() which matches the handling in __raw_v4_lookup(). Importantly raw_sk_bound_dev_eq() takes the raw_l3mdev_accept sysctl into account. Signed-off-by: Duncan Eastoe Signed-off-by: Mike Manning --- include/net/raw.h | 12 net/ipv4/raw.c

[PATCH net-next v2 06/10] net: IP[V6]_MULTICAST_IF constraint on unbound socket if VRFs present

2018-10-01 Thread Mike Manning
unbound socket. Signed-off-by: Duncan Eastoe Signed-off-by: Mike Manning --- net/ipv4/ip_sockglue.c | 3 +++ net/ipv6/ipv6_sockglue.c | 3 +++ 2 files changed, 6 insertions(+) diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index c0fe5ad996f2..026971314c43 100644 --- a/net/ipv4

[PATCH net-next v2 09/10] ipv6: handling of multicast packets received in VRF

2018-10-01 Thread Mike Manning
If the skb for multicast packets marked as enslaved to a VRF are received, then the secondary device index should be used to obtain the real device. And verify the multicast address against the enslaved rather than the l3mdev device. Signed-off-by: Dewi Morgan Signed-off-by: Mike Manning

[PATCH net-next v2 00/10] vrf: allow simultaneous service instances in default and other VRFs

2018-10-01 Thread Mike Manning
- Expand series into 10 patches and provide improved descriptions Dewi Morgan (1): ipv6: do not drop vrf udp multicast packets Duncan Eastoe (2): net: fix raw socket lookup device bind matching with VRFs net: IP[V6]_MULTICAST_IF constraint on unbound socket if VRFs present Mike Manning (6

[PATCH net-next v2 02/10] net: ensure unbound stream socket to be chosen when not in a VRF

2018-10-01 Thread Mike Manning
vice match in compute_score() also for the case when there is no bound device and attaching a score to this, the unbound socket is selected. And if a failure is returned when there is no device match, this ensures that bound sockets are never selected, even if there is no unbound socket. Signed-of

[PATCH net-next] ipv6: add vrf table handling code for ipv6 mcast

2018-10-01 Thread Mike Manning
From: Patrick Ruddy The code to obtain the correct table for the incoming interface was missing for IPv6. This has been added along with the table creation notification to fib rules for the RTNL_FAMILY_IP6MR address family. Signed-off-by: Patrick Ruddy Signed-off-by: Mike Manning --- drivers

[PATCH net-next] ipv4: Allow sending multicast packets on specific i/f using VRF socket

2018-10-01 Thread Mike Manning
on overriding the output interface to use for sending packets out of UDP, raw and ping sockets to allow multicast packets to be sent using the specified multicast interface. Signed-off-by: Robert Shearman Signed-off-by: Mike Manning --- net/ipv4/datagram.c | 2 +- net/ipv4/ping.c | 2 +- net

Re: [PATCH net-next v1 1/5] net: allow binding socket in a VRF when there's an unbound socket

2018-09-25 Thread Mike Manning
On 24/09/2018 23:44, David Ahern wrote: On 9/24/18 10:13 AM, Mike Manning wrote: From: Robert Shearman There is no easy way currently for applications that want to receive packets in the default VRF to be isolated from packets arriving in VRFs, which makes using VRF-unaware applications in a

[PATCH net-next v1 1/5] net: allow binding socket in a VRF when there's an unbound socket

2018-09-24 Thread Mike Manning
kets arriving on a device enslaved to an l3mdev. Change the socket binding to take the l3mdev into account to allow an unbound socket to not conflict sockets bound to an l3mdev given the datapath isolation now guaranteed. Signed-off-by: Robert Shearman Signed-off-by: Mike Manning --- Documenta

[PATCH net-next v1 3/5] ipv4: Allow sending multicast packets on specific i/f using VRF socket

2018-09-24 Thread Mike Manning
on overriding the output interface to use for sending packets out of UDP, raw and ping sockets to allow multicast packets to be sent using the specified multicast interface. Signed-off-by: Robert Shearman Signed-off-by: Mike Manning --- net/ipv4/datagram.c | 2 +- net/ipv4/ping.c | 2 +- net

[PATCH net-next v1 0/5] vrf: allow simultaneous service instances in default and other VRFs

2018-09-24 Thread Mike Manning
comments (patch 4/5) - Fix build when CONFIG_NET_L3_MASTER_DEV not defined (patch 1/5) Dewi Morgan (1): ipv6: do not drop vrf udp multicast packets Mike Manning (1): ipv6: allow link-local and multicast packets inside vrf Patrick Ruddy (1): ipv6: add vrf table handling code for ipv6 mcast

[PATCH net-next v1 4/5] ipv6: do not drop vrf udp multicast packets

2018-09-24 Thread Mike Manning
From: Dewi Morgan For bound udp sockets in a vrf, also check the sdif to get the index for ingress devices enslaved to an l3mdev. Verify the multicast address against the enslaved rather than the l3mdev device. Signed-off-by: Dewi Morgan Signed-off-by: Mike Manning --- net/ipv6/ip6_input.c

[PATCH net-next v1 2/5] ipv6: allow link-local and multicast packets inside vrf

2018-09-24 Thread Mike Manning
as being enslaved, modify the VRF driver to do the same for IPv6. As a result, the multicast address check needs to verify the address against the enslaved rather than the l3mdev device. Signed-off-by: Mike Manning --- drivers/net/vrf.c| 19 +-- net/ipv6/ip6_input.c

[PATCH net-next v1 5/5] ipv6: add vrf table handling code for ipv6 mcast

2018-09-24 Thread Mike Manning
From: Patrick Ruddy The code to obtain the correct table for the incoming interface was missing for IPv6. This has been added along with the table creation notification to fib rules for the RTNL_FAMILY_IP6MR address family. Signed-off-by: Patrick Ruddy Signed-off-by: Mike Manning --- drivers

Re: [PATCH net-next 4/5] ipv6: do not drop vrf udp multicast packets

2018-09-20 Thread Mike Manning
On 20/09/2018 14:02, Paolo Abeni wrote: > Hi, > > On Thu, 2018-09-20 at 09:58 +0100, Mike Manning wrote: >> diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c >> index 108f5f88ec98..fc60f297d95b 100644 >> --- a/net/ipv6/ip6_input.c >> +++ b/net/ipv6/ip6_input

[PATCH net-next 0/5] vrf: allow simultaneous service instances in default and other VRFs

2018-09-20 Thread Mike Manning
t drop vrf udp multicast packets Mike Manning (1): ipv6: allow link-local and multicast packets inside vrf Patrick Ruddy (1): ipv6: add vrf table handling code for ipv6 mcast Robert Shearman (2): net: allow binding socket in a VRF when there's an unbound socket ipv4: Allow sending multicast

[PATCH net-next 2/5] ipv6: allow link-local and multicast packets inside vrf

2018-09-20 Thread Mike Manning
as being enslaved, modify the VRF driver to do the same for IPv6. As a result, the multicast address check needs to verify the address against the enslaved rather than the l3mdev device. Signed-off-by: Mike Manning --- drivers/net/vrf.c| 19 +-- net/ipv6/ip6_input.c

[PATCH net-next 5/5] ipv6: add vrf table handling code for ipv6 mcast

2018-09-20 Thread Mike Manning
From: Patrick Ruddy The code to obtain the correct table for the incoming interface was missing for IPv6. This has been added along with the table creation notification to fib rules for the RTNL_FAMILY_IP6MR address family. Signed-off-by: Patrick Ruddy Signed-off-by: Mike Manning --- drivers

[PATCH net-next 4/5] ipv6: do not drop vrf udp multicast packets

2018-09-20 Thread Mike Manning
From: Dewi Morgan For bound udp sockets in a vrf, also check the sdif to get the index for ingress devices enslaved to an l3mdev. Verify the multicast address against the enslaved rather than the l3mdev device. Signed-off-by: Dewi Morgan Signed-off-by: Mike Manning --- net/ipv6/ip6_input.c

[PATCH net-next 1/5] net: allow binding socket in a VRF when there's an unbound socket

2018-09-20 Thread Mike Manning
kets arriving on a device enslaved to an l3mdev. Change the socket binding to take the l3mdev into account to allow an unbound socket to not conflict sockets bound to an l3mdev given the datapath isolation now guaranteed. Signed-off-by: Robert Shearman Signed-off-by: Mike Manning --- Documenta

[PATCH net-next 3/5] ipv4: Allow sending multicast packets on specific i/f using VRF socket

2018-09-20 Thread Mike Manning
on overriding the output interface to use for sending packets out of UDP, raw and ping sockets to allow multicast packets to be sent using the specified multicast interface. Signed-off-by: Robert Shearman Signed-off-by: Mike Manning --- net/ipv4/datagram.c | 2 +- net/ipv4/ping.c | 2 +- net

[PATCH net-next] ipv6: Allow the l3mdev to be a loopback

2018-09-19 Thread Mike Manning
doesn't drop the packets. Signed-off-by: Robert Shearman Signed-off-by: Mike Manning --- net/ipv6/addrconf.c | 1 + net/ipv6/ip6_input.c | 3 ++- net/ipv6/route.c | 3 ++- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c

[PATCH net-next] ipv6: Allow the l3mdev to be a loopback

2018-09-19 Thread Mike Manning
There is no way currently for an IPv6 client to connect using a loopback address in a VRF, whereas for IPv4 the loopback address can be added:
  $ sudo ip addr add dev vrfred 127.0.0.1/8
  $ sudo ip -6 addr add ::1/128 dev vrfred
  RTNETLINK answers: Cannot assign requested address
So allow ::

[PATCH] net: allow interface to be set into VRF if VLAN interface in same VRF

2018-02-26 Thread Mike Manning
k into the default VRF beforehand, but it has to be shut first so as to avoid the risk of traffic leaking from the VRF. This fix avoids needing this workaround. Signed-off-by: Mike Manning --- net/core/dev.c | 14 +- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/net/core/d

[PATCH] net: allow interface to be set into vrf if a vif in same vrf

2018-02-26 Thread Mike Manning
han master. As only one master device can be linked to a device, in this case the check is for the upper device (vrf) to be linked to as being the master device rather than any other upper device. Signed-off-by: Mike Manning --- net/core/dev.c | 14 +- 1 file changed, 9 insert

[PATCH net-next] net: ipv6: send NS for DAD when link operationally up

2017-09-25 Thread Mike Manning
port has been opened in the case of port-based network access control, which should be desirable. Signed-off-by: Mike Manning --- net/ipv6/addrconf.c | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c index c2e2a78..dffbf3b

Re: [PATCH] net: ipv6: fix regression of no RTM_DELADDR sent after DAD failure

2017-09-18 Thread Mike Manning
tentative state, but is also incorrectly removing the very necessary RTM_DELADDR when an address is deleted that was previously notified with an RTM_NEWADDR as being in tentative dadfailed state. Thanks Mike On 08/09/17 03:18, David Miller wrote: > From: Mike Manning > Date: Mon, 4 Sep 2017 15

[PATCH] net: ipv6: fix regression of no RTM_DELADDR sent after DAD failure

2017-09-04 Thread Mike Manning
was being relied on. The solution is to allow RTM_DELADDR to still be sent after DAD failure. Fixes: f784ad3d79e5("ipv6: do not send RTM_DELADDR for tentative addresses") Signed-off-by: Mike Manning Cc: Mahesh Bandewar --- net/ipv6/addrconf.c | 5 +++-- 1 file changed, 3 insertions(+),

Re: [PATCH] net: ipv6: Fix warning of freeing alive inet6 address

2017-05-05 Thread Mike Manning
On 03/05/17 19:24, Mike Manning wrote: > On 03/05/17 18:58, Cong Wang wrote: >> On Tue, May 2, 2017 at 11:30 AM, Mike Manning wrote: >>> While this is not reproducible manually, Andrey's syzkaller program hit >>> the warning "IPv6: Freeing aliv

Re: [PATCH] net: ipv6: Fix warning of freeing alive inet6 address

2017-05-03 Thread Mike Manning
On 03/05/17 18:58, Cong Wang wrote: > On Tue, May 2, 2017 at 11:30 AM, Mike Manning wrote: >> While this is not reproducible manually, Andrey's syzkaller program hit >> the warning "IPv6: Freeing alive inet6 address" with this part trace: >> >>

Re: [PATCH] net: ipv6: Fix warning of freeing alive inet6 address

2017-05-03 Thread Mike Manning
On reflection, please put this on hold subject to testing with syzkaller. I have not had a repro of the issue and so the fix even though harmless may not be effective. Thanks Mike On 02/05/17 19:30, Mike Manning wrote: > While this is not reproducible manually, Andrey's syzkaller pro
