Re: [PATCH 5.19 0537/1157] bpf: Set flow flag to allow any source IP in bpf_tunnel_key

Paul Chaignon <paul@xxxxxxxxxxxxx> · Tue, 16 Aug 2022 16:35:54 +0200

On Mon, Aug 15, 2022 at 07:58:13PM +0200, Greg Kroah-Hartman wrote:
> From: Paul Chaignon <paul@xxxxxxxxxxxxx>
> 
> [ Upstream commit b8fff748521c7178b9a7d32b5a34a81cec8396f3 ]
> 
> Commit 26101f5ab6bd ("bpf: Add source ip in "struct bpf_tunnel_key"")
> added support for getting and setting the outer source IP of encapsulated
> packets via the bpf_skb_{get,set}_tunnel_key BPF helper. This change
> allows BPF programs to set any IP address as the source, including for
> example the IP address of a container running on the same host.
> 
> In that last case, however, the encapsulated packets are dropped when
> looking up the route because the source IP address isn't assigned to any
> interface on the host. To avoid this, we need to set the
> FLOWI_FLAG_ANYSRC flag.

This fix will also require upstream commits 861396ac0b47 ("geneve: Use
ip_tunnel_key flow flags in route lookups") and 7e2fb8bc7ef6 ("vxlan:
Use ip_tunnel_key flow flags in route lookups") to have the intended
effect. In short, these two commits "consume" the new field introduced
in 451ef36bd229 ("ip_tunnels: Add new flow flags field to
ip_tunnel_key") and populated in the present commit.

> 
> Fixes: 26101f5ab6bd ("bpf: Add source ip in "struct bpf_tunnel_key"")
> Signed-off-by: Paul Chaignon <paul@xxxxxxxxxxxxx>
> Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> Reviewed-by: Nikolay Aleksandrov <razor@xxxxxxxxxxxxx>
> Acked-by: Martin KaFai Lau <kafai@xxxxxx>
> Link: https://lore.kernel.org/bpf/76873d384e21288abe5767551a0799ac93ec07fb.1658759380.git.paul@xxxxxxxxxxxxx
> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
> ---
>  net/core/filter.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/core/filter.c b/net/core/filter.c
> index 7950f7520765..5978984b752f 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -4653,6 +4653,7 @@ BPF_CALL_4(bpf_skb_set_tunnel_key, struct sk_buff *, skb,
>  	} else {
>  		info->key.u.ipv4.dst = cpu_to_be32(from->remote_ipv4);
>  		info->key.u.ipv4.src = cpu_to_be32(from->local_ipv4);
> +		info->key.flow_flags = FLOWI_FLAG_ANYSRC;
>  	}
>  
>  	return 0;
> -- 
> 2.35.1
> 
> 
> 