On Fri, Jul 15, 2022 at 11:21:08AM -0700, Yonghong Song wrote:
> On 7/15/22 8:02 AM, Paul Chaignon wrote:
> > Commit 26101f5ab6bd ("bpf: Add source ip in "struct bpf_tunnel_key"")
> > added support for getting and setting the outer source IP of encapsulated
> > packets via the bpf_skb_{get,set}_tunnel_key BPF helper. This change
> > allows BPF programs to set any IP address as the source, including for
> > example the IP address of a container running on the same host.
> >
> > In that last case, however, the encapsulated packets are dropped when
> > looking up the route because the source IP address isn't assigned to any
> > interface on the host. To avoid this, we need to set the
> > FLOWI_FLAG_ANYSRC flag.
> >
> > Fixes: 26101f5ab6bd ("bpf: Add source ip in "struct bpf_tunnel_key"")
> > Signed-off-by: Paul Chaignon <paul@xxxxxxxxxxxxx>
> > ---
> > net/core/filter.c | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/net/core/filter.c b/net/core/filter.c
> > index 5d16d66727fc..6d9c800cdab9 100644
> > --- a/net/core/filter.c
> > +++ b/net/core/filter.c
> > @@ -4641,6 +4641,7 @@ BPF_CALL_4(bpf_skb_set_tunnel_key, struct sk_buff *, skb,
> > info->key.tun_id = cpu_to_be64(from->tunnel_id);
> > info->key.tos = from->tunnel_tos;
> > info->key.ttl = from->tunnel_ttl;
> > + info->key.flow_flags = FLOWI_FLAG_ANYSRC;
>
> Can we set FLOWI_FLAG_ANYSRC in all conditions?
> In lwt_bpf.c, func bpf_lwt_xmit_reroute(), FLOWI_FLAG_ANYSRC
> is set for ipv4 but not for ipv6. I am wondering whether
> FLOWI_FLAG_ANYSRC needs to be set for ipv6 packet or not
> in bpf_skb_set_tunnel_key().
That's a good point; I didn't know about bpf_lwt_xmit_reroute. I set the
flag for IPv6 as the same check seemed to exist, but didn't test it.
I'll check if it's actually needed.
>
> > if (flags & BPF_F_TUNINFO_IPV6) {
> > info->mode |= IP_TUNNEL_INFO_IPV6;
