Re: [PATCH net v3] selftests/fib_tests: Rework fib_rp_filter_test()

Hi David,

On Wed, Dec 01, 2021 at 11:00:26AM -0700, David Ahern wrote:
> On 11/30/21 5:47 PM, Peilin Ye wrote:
> >  ┌─────────────────────────────┐    ┌─────────────────────────────┐
> >  │  network namespace 1 (ns1)  │    │  network namespace 2 (ns2)  │
> >  │                             │    │                             │
> >  │  ┌────┐     ┌─────┐         │    │  ┌─────┐            ┌────┐  │
> >  │  │ lo │<───>│veth1│<────────┼────┼─>│veth2│<──────────>│ lo │  │
> >  │  └────┘     ├─────┴──────┐  │    │  ├─────┴──────┐     └────┘  │
> >  │             │192.0.2.1/24│  │    │  │192.0.2.1/24│             │
> >  │             └────────────┘  │    │  └────────────┘             │
> >  └─────────────────────────────┘    └─────────────────────────────┘
> 
> if the intention of the tests is to validate that rp_filter = 1 works as
> designed, then I suggest a simpler test. 2 namespaces, 2 veth pairs.
> Request goes through one interface, and the response comes in the other
> via routing in ns2. ns1 would see the response coming in the 'wrong'
> interface and drops it.

Quite the opposite - the goal is to make sure that commit 66f8209547cc
("fib: relax source validation check for loopback packets") _prevents_
packets from being dropped when rp_filter = 1 in this corner case, as I
mentioned in the commit message.

In order to test this corner case, I need a packet that:

  1. was received on lo;
  2. has a local source IP address (other than lo's 127.0.0.1/8, which
     is 192.0.2.1 in this case);
  3. has no dst attached to it (in this case since it was redirected
     from veth).

See __fib_validate_source():

+       dev_match = dev_match || (res.type == RTN_LOCAL &&
+                                 dev == net->loopback_dev);
                                              ^^^^^^^^^^^^
This relaxed check only applies to lo, and I do need to redirect packets
from veth ingress to lo ingress in order to trigger this.

Thanks,
Peilin Ye



