2012/12/3 David Miller <davem@xxxxxxxxxxxxx>: > From: Dries De Winter <dries.dewinter@xxxxxxxxx> > Date: Mon, 3 Dec 2012 22:31:51 +0100 > >> Not fixing this means that skb->mark is unavailable for use on ICMPv6 >> packets because it will inevitably put those packets on the wrong >> interface. > > Maybe this suggests that a better fix is to simply explicitly check > for protocol ICMPV6 in ip6_route_me_harder(). Hmmm, maybe my subject line isn't very well chosen ... I don't really mean all ICMPv6 traffic. ICMPv6 also includes Destination Unreachable, Echo request/reply ... and lots of other types that are just regular unicast packets that should follow the routing table like normal packets. My concern is mainly about neighbour discovery and MLD. And after having thought this over and over again, this discussion could be extended to all link-local traffic in general, not to ICMPv6 in general. Routing doesn't make much sense for link-local traffic and typically the sender specifies on what interface its data has to go out. In the example of MLD and neighbour discovery this is done using those special dst entries. But for userspace this can be done by specifying a non-zero sin6_scope_id or by SO_BINDTODEVICE which sets sk_bound_dev_if. When sending a message with a link-local destination, these parameters are taken into account by routing. ip6_route_me_harder() also takes sk_bound_dev_if into account, but it has no access to the user supplied sin6_scope_id, so depending on the method used, you may also hit this issue from user space. My "noreroute" patch will not fix this. Therefore it's indeed maybe better to add a simple check to ip6_route_me_harder(): not a check for ICMPv6, but a check for (ipv6_addr_type(&iph->daddr) & IPV6_ADDR_LINKLOCAL) instead. What do you think? Dries. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
