On Wed, Nov 09, 2016 at 10:25:05AM -0800, David Ahern wrote: > nf_send_reset6 is not considering the L3 domain and lookups are sent > to the wrong table. For example consider the following output rule: > > ip6tables -A OUTPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset > > using perf to analyze lookups via the fib6_table_lookup tracepoint shows: > > swapper 0 [001] 248.787816: fib6:fib6_table_lookup: table 255 oif 0 iif 1 src 2100:1::3 dst 2100:1: > ffffffff81439cdc perf_trace_fib6_table_lookup ([kernel.kallsyms]) > ffffffff814c1ce3 trace_fib6_table_lookup ([kernel.kallsyms]) > ffffffff814c3e89 ip6_pol_route ([kernel.kallsyms]) > ffffffff814c40d5 ip6_pol_route_output ([kernel.kallsyms]) > ffffffff814e7b6f fib6_rule_action ([kernel.kallsyms]) > ffffffff81437f60 fib_rules_lookup ([kernel.kallsyms]) > ffffffff814e7c79 fib6_rule_lookup ([kernel.kallsyms]) > ffffffff814c2541 ip6_route_output_flags ([kernel.kallsyms]) > 528 nf_send_reset6 ([nf_reject_ipv6]) > > The lookup is directed to table 255 rather than the table associated with > the device via the L3 domain. Update nf_send_reset6 to pull the L3 domain > from the dst currently attached to the skb. Also applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html