On Sun, Apr 11, 2021 at 06:18:05PM -0700, David Ahern wrote:
> On 4/11/21 1:32 PM, Ido Schimmel wrote:
> > From: Ido Schimmel <idosch@xxxxxxxxxx>
> >
> > Netfilter tries to reroute mangled packets as a different route might
> > need to be used following the mangling. When this happens, netfilter
> > does not populate the IP protocol, the source port and the destination
> > port in the flow key. Therefore, FIB rules that match on these fields
> > are ignored and packets can be misrouted.
> >
> > Solve this by dissecting the outer flow and populating the flow key
> > before rerouting the packet. Note that flow dissection only happens when
> > FIB rules that match on these fields are installed, so in the common
> > case there should not be a penalty.
> >
> > Reported-by: Michal Soltys <msoltyspl@xxxxxxxxx>
> > Signed-off-by: Ido Schimmel <idosch@xxxxxxxxxx>
> > ---
> > Targeting at nf-next since this use case never worked.
> > ---
> >  net/ipv4/netfilter.c | 2 ++
> >  net/ipv6/netfilter.c | 2 ++
> >  2 files changed, 4 insertions(+)
> >
>
> Once this goes in, can you add tests to one of the selftest scripts
> (e.g., fib_rule_tests.sh)?

Yes. I used Michal's scripts from here [1] to test. Will try to simplify
it for a test case.

[1] https://lore.kernel.org/netdev/6b707dde-c6f0-ca3e-e817-a09c1e6b3f00@xxxxxxxxx/