authorHans Dedecker <dedeckeh@gmail.com>2018-12-17 21:26:22 +0100
committerHans Dedecker <dedeckeh@gmail.com>2018-12-17 21:42:23 +0100
commitb0414d718862fae48d601e8549054a82d2cc4fde (patch)
treea0b094a6c3e54062e57c90a1809d829a2a2079bb /target/linux/generic
parent3f7de917be3216785f039c921cfedf72b9989f49 (diff)
kernel: preserve oif of IPv6 link scope packets
Backport upstream patch which preserves oif of IPv6 link scoped packets. The outgoing interface of IPv6 link scope packets can be changed by the function ip6_route_me_harder. This is unwanted behavior for link local packets and multicast packets as the outgoing interface is fixed and must not be altered as it can break neighbor discovery and multicast listener discovery. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Diffstat (limited to 'target/linux/generic')
-rw-r--r--target/linux/generic/backport-4.14/096-v4.20-netfilter-ipv6-Preserve-link-scope-traffic-original-.patch32
-rw-r--r--target/linux/generic/backport-4.14/304-v4.16-netfilter-move-checksum-indirection-to-struct-nf_ipv.patch2
-rw-r--r--target/linux/generic/backport-4.14/305-v4.16-netfilter-move-checksum_partial-indirection-to-struc.patch2
-rw-r--r--target/linux/generic/backport-4.14/306-v4.16-netfilter-remove-saveroute-indirection-in-struct-nf_.patch4
-rw-r--r--target/linux/generic/backport-4.14/307-v4.16-netfilter-move-route-indirection-to-struct-nf_ipv6_o.patch2
-rw-r--r--target/linux/generic/backport-4.14/308-v4.16-netfilter-move-reroute-indirection-to-struct-nf_ipv6.patch6
-rw-r--r--target/linux/generic/backport-4.14/309-v4.16-netfilter-remove-route_key_size-field-in-struct-nf_a.patch2
-rw-r--r--target/linux/generic/backport-4.14/310-v4.16-netfilter-remove-struct-nf_afinfo-and-its-helper-fun.patch4
-rw-r--r--target/linux/generic/backport-4.19/096-v4.20-netfilter-ipv6-Preserve-link-scope-traffic-original-.patch32
-rw-r--r--target/linux/generic/backport-4.9/096-v4.20-netfilter-ipv6-Preserve-link-scope-traffic-original-.patch32
10 files changed, 107 insertions, 11 deletions
diff --git a/target/linux/generic/backport-4.14/096-v4.20-netfilter-ipv6-Preserve-link-scope-traffic-original-.patch b/target/linux/generic/backport-4.14/096-v4.20-netfilter-ipv6-Preserve-link-scope-traffic-original-.patch
new file mode 100644
index 0000000000..1eb23afacc
--- /dev/null
+++ b/target/linux/generic/backport-4.14/096-v4.20-netfilter-ipv6-Preserve-link-scope-traffic-original-.patch
@@ -0,0 +1,32 @@
+From 508b09046c0f21678652fb66fd1e9959d55591d2 Mon Sep 17 00:00:00 2001
+From: Alin Nastac <alin.nastac@gmail.com>
+Date: Wed, 21 Nov 2018 14:00:30 +0100
+Subject: [PATCH] netfilter: ipv6: Preserve link scope traffic original oif
+
+When ip6_route_me_harder is invoked, it resets outgoing interface of:
+ - link-local scoped packets sent by neighbor discovery
+ - multicast packets sent by MLD host
+ - multicast packets send by MLD proxy daemon that sets outgoing
+ interface through IPV6_PKTINFO ipi6_ifindex
+
+Link-local and multicast packets must keep their original oif after
+ip6_route_me_harder is called.
+
+Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ net/ipv6/netfilter.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -25,7 +25,8 @@ int ip6_route_me_harder(struct net *net,
+ unsigned int hh_len;
+ struct dst_entry *dst;
+ struct flowi6 fl6 = {
+- .flowi6_oif = sk ? sk->sk_bound_dev_if : 0,
++ .flowi6_oif = sk && sk->sk_bound_dev_if ? sk->sk_bound_dev_if :
++ rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0,
+ .flowi6_mark = skb->mark,
+ .flowi6_uid = sock_net_uid(net, sk),
+ .daddr = iph->daddr,
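Review bot: The new `.flowi6_oif` fallback in ip6_route_me_harder keys on `rt6_need_strict(&iph->daddr)`, which, as far as I recall, is also true for loopback destinations, while the commit message only argues for link-local and multicast traffic. If that holds, a rerouted packet addressed to ::1 would have its oif pinned to the current dst device as well; testing the address type directly, e.g. `ipv6_addr_type(&iph->daddr) & (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL)`, would limit the change to what the description states. The fallback also dereferences `skb_dst(skb)->dev` with no visible NULL check; whether a dst is always attached at this point cannot be confirmed from the hunk, since the function body starts and ends outside it. The same expression is added in the backport-4.19 and backport-4.9 copies of this patch (the 4.9 copy with `skb->sk` in place of `sk`), so the point applies to all three.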
diff --git a/target/linux/generic/backport-4.14/304-v4.16-netfilter-move-checksum-indirection-to-struct-nf_ipv.patch b/target/linux/generic/backport-4.14/304-v4.16-netfilter-move-checksum-indirection-to-struct-nf_ipv.patch
index 458ddd4172..a73256a2c9 100644
--- a/target/linux/generic/backport-4.14/304-v4.16-netfilter-move-checksum-indirection-to-struct-nf_ipv.patch
+++ b/target/linux/generic/backport-4.14/304-v4.16-netfilter-move-checksum-indirection-to-struct-nf_ipv.patch
@@ -116,7 +116,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
.saveroute = nf_ip_saveroute,
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
-@@ -193,12 +193,12 @@ static __sum16 nf_ip6_checksum_partial(s
+@@ -194,12 +194,12 @@ static __sum16 nf_ip6_checksum_partial(s
static const struct nf_ipv6_ops ipv6ops = {
.chk_addr = ipv6_chk_addr,
.route_input = ip6_route_input,
diff --git a/target/linux/generic/backport-4.14/305-v4.16-netfilter-move-checksum_partial-indirection-to-struc.patch b/target/linux/generic/backport-4.14/305-v4.16-netfilter-move-checksum_partial-indirection-to-struc.patch
index 19a0aacb45..6ef0928257 100644
--- a/target/linux/generic/backport-4.14/305-v4.16-netfilter-move-checksum_partial-indirection-to-struc.patch
+++ b/target/linux/generic/backport-4.14/305-v4.16-netfilter-move-checksum_partial-indirection-to-struc.patch
@@ -151,7 +151,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
.reroute = nf_ip_reroute,
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
-@@ -191,15 +191,15 @@ static __sum16 nf_ip6_checksum_partial(s
+@@ -192,15 +192,15 @@ static __sum16 nf_ip6_checksum_partial(s
};
static const struct nf_ipv6_ops ipv6ops = {
diff --git a/target/linux/generic/backport-4.14/306-v4.16-netfilter-remove-saveroute-indirection-in-struct-nf_.patch b/target/linux/generic/backport-4.14/306-v4.16-netfilter-remove-saveroute-indirection-in-struct-nf_.patch
index 75de3c84fe..2b44066f1a 100644
--- a/target/linux/generic/backport-4.14/306-v4.16-netfilter-remove-saveroute-indirection-in-struct-nf_.patch
+++ b/target/linux/generic/backport-4.14/306-v4.16-netfilter-remove-saveroute-indirection-in-struct-nf_.patch
@@ -125,7 +125,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
};
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
-@@ -69,31 +69,6 @@ int ip6_route_me_harder(struct net *net,
+@@ -70,31 +70,6 @@ int ip6_route_me_harder(struct net *net,
}
EXPORT_SYMBOL(ip6_route_me_harder);
@@ -157,7 +157,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
static int nf_ip6_reroute(struct net *net, struct sk_buff *skb,
const struct nf_queue_entry *entry)
{
-@@ -201,7 +176,6 @@ static const struct nf_ipv6_ops ipv6ops
+@@ -202,7 +177,6 @@ static const struct nf_ipv6_ops ipv6ops
static const struct nf_afinfo nf_ip6_afinfo = {
.family = AF_INET6,
.route = nf_ip6_route,
diff --git a/target/linux/generic/backport-4.14/307-v4.16-netfilter-move-route-indirection-to-struct-nf_ipv6_o.patch b/target/linux/generic/backport-4.14/307-v4.16-netfilter-move-route-indirection-to-struct-nf_ipv6_o.patch
index b98aac0fff..eb3e29349a 100644
--- a/target/linux/generic/backport-4.14/307-v4.16-netfilter-move-route-indirection-to-struct-nf_ipv6_o.patch
+++ b/target/linux/generic/backport-4.14/307-v4.16-netfilter-move-route-indirection-to-struct-nf_ipv6_o.patch
@@ -114,7 +114,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
};
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
-@@ -171,11 +171,11 @@ static const struct nf_ipv6_ops ipv6ops
+@@ -172,11 +172,11 @@ static const struct nf_ipv6_ops ipv6ops
.fragment = ip6_fragment,
.checksum = nf_ip6_checksum,
.checksum_partial = nf_ip6_checksum_partial,
diff --git a/target/linux/generic/backport-4.14/308-v4.16-netfilter-move-reroute-indirection-to-struct-nf_ipv6.patch b/target/linux/generic/backport-4.14/308-v4.16-netfilter-move-reroute-indirection-to-struct-nf_ipv6.patch
index 5dbd1a4cea..d45c4ef85b 100644
--- a/target/linux/generic/backport-4.14/308-v4.16-netfilter-move-reroute-indirection-to-struct-nf_ipv6.patch
+++ b/target/linux/generic/backport-4.14/308-v4.16-netfilter-move-reroute-indirection-to-struct-nf_ipv6.patch
@@ -138,7 +138,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
-@@ -69,7 +69,7 @@ int ip6_route_me_harder(struct net *net,
+@@ -70,7 +70,7 @@ int ip6_route_me_harder(struct net *net,
}
EXPORT_SYMBOL(ip6_route_me_harder);
@@ -147,7 +147,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
const struct nf_queue_entry *entry)
{
struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry);
-@@ -79,7 +79,7 @@ static int nf_ip6_reroute(struct net *ne
+@@ -80,7 +80,7 @@ static int nf_ip6_reroute(struct net *ne
if (!ipv6_addr_equal(&iph->daddr, &rt_info->daddr) ||
!ipv6_addr_equal(&iph->saddr, &rt_info->saddr) ||
skb->mark != rt_info->mark)
@@ -156,7 +156,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
}
return 0;
}
-@@ -172,11 +172,11 @@ static const struct nf_ipv6_ops ipv6ops
+@@ -173,11 +173,11 @@ static const struct nf_ipv6_ops ipv6ops
.checksum = nf_ip6_checksum,
.checksum_partial = nf_ip6_checksum_partial,
.route = nf_ip6_route,
diff --git a/target/linux/generic/backport-4.14/309-v4.16-netfilter-remove-route_key_size-field-in-struct-nf_a.patch b/target/linux/generic/backport-4.14/309-v4.16-netfilter-remove-route_key_size-field-in-struct-nf_a.patch
index 21381b7e6b..270379346a 100644
--- a/target/linux/generic/backport-4.14/309-v4.16-netfilter-remove-route_key_size-field-in-struct-nf_a.patch
+++ b/target/linux/generic/backport-4.14/309-v4.16-netfilter-remove-route_key_size-field-in-struct-nf_a.patch
@@ -29,7 +29,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
static int __init ipv4_netfilter_init(void)
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
-@@ -177,7 +177,6 @@ static const struct nf_ipv6_ops ipv6ops
+@@ -178,7 +178,6 @@ static const struct nf_ipv6_ops ipv6ops
static const struct nf_afinfo nf_ip6_afinfo = {
.family = AF_INET6,
diff --git a/target/linux/generic/backport-4.14/310-v4.16-netfilter-remove-struct-nf_afinfo-and-its-helper-fun.patch b/target/linux/generic/backport-4.14/310-v4.16-netfilter-remove-struct-nf_afinfo-and-its-helper-fun.patch
index 0ca58f9988..381b99721a 100644
--- a/target/linux/generic/backport-4.14/310-v4.16-netfilter-remove-struct-nf_afinfo-and-its-helper-fun.patch
+++ b/target/linux/generic/backport-4.14/310-v4.16-netfilter-remove-struct-nf_afinfo-and-its-helper-fun.patch
@@ -102,7 +102,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-subsys_initcall(ipv4_netfilter_init);
--- a/net/ipv6/netfilter.c
+++ b/net/ipv6/netfilter.c
-@@ -175,14 +175,10 @@ static const struct nf_ipv6_ops ipv6ops
+@@ -176,14 +176,10 @@ static const struct nf_ipv6_ops ipv6ops
.reroute = nf_ip6_reroute,
};
@@ -118,7 +118,7 @@ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
}
/* This can be called from inet6_init() on errors, so it cannot
-@@ -191,5 +187,4 @@ int __init ipv6_netfilter_init(void)
+@@ -192,5 +188,4 @@ int __init ipv6_netfilter_init(void)
void ipv6_netfilter_fini(void)
{
RCU_INIT_POINTER(nf_ipv6_ops, NULL);
diff --git a/target/linux/generic/backport-4.19/096-v4.20-netfilter-ipv6-Preserve-link-scope-traffic-original-.patch b/target/linux/generic/backport-4.19/096-v4.20-netfilter-ipv6-Preserve-link-scope-traffic-original-.patch
new file mode 100644
index 0000000000..3f5267eb75
--- /dev/null
+++ b/target/linux/generic/backport-4.19/096-v4.20-netfilter-ipv6-Preserve-link-scope-traffic-original-.patch
@@ -0,0 +1,32 @@
+From 508b09046c0f21678652fb66fd1e9959d55591d2 Mon Sep 17 00:00:00 2001
+From: Alin Nastac <alin.nastac@gmail.com>
+Date: Wed, 21 Nov 2018 14:00:30 +0100
+Subject: [PATCH] netfilter: ipv6: Preserve link scope traffic original oif
+
+When ip6_route_me_harder is invoked, it resets outgoing interface of:
+ - link-local scoped packets sent by neighbor discovery
+ - multicast packets sent by MLD host
+ - multicast packets send by MLD proxy daemon that sets outgoing
+ interface through IPV6_PKTINFO ipi6_ifindex
+
+Link-local and multicast packets must keep their original oif after
+ip6_route_me_harder is called.
+
+Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ net/ipv6/netfilter.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -24,7 +24,8 @@ int ip6_route_me_harder(struct net *net,
+ unsigned int hh_len;
+ struct dst_entry *dst;
+ struct flowi6 fl6 = {
+- .flowi6_oif = sk ? sk->sk_bound_dev_if : 0,
++ .flowi6_oif = sk && sk->sk_bound_dev_if ? sk->sk_bound_dev_if :
++ rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0,
+ .flowi6_mark = skb->mark,
+ .flowi6_uid = sock_net_uid(net, sk),
+ .daddr = iph->daddr,
diff --git a/target/linux/generic/backport-4.9/096-v4.20-netfilter-ipv6-Preserve-link-scope-traffic-original-.patch b/target/linux/generic/backport-4.9/096-v4.20-netfilter-ipv6-Preserve-link-scope-traffic-original-.patch
new file mode 100644
index 0000000000..bfb7690dec
--- /dev/null
+++ b/target/linux/generic/backport-4.9/096-v4.20-netfilter-ipv6-Preserve-link-scope-traffic-original-.patch
@@ -0,0 +1,32 @@
+From 508b09046c0f21678652fb66fd1e9959d55591d2 Mon Sep 17 00:00:00 2001
+From: Alin Nastac <alin.nastac@gmail.com>
+Date: Wed, 21 Nov 2018 14:00:30 +0100
+Subject: [PATCH] netfilter: ipv6: Preserve link scope traffic original oif
+
+When ip6_route_me_harder is invoked, it resets outgoing interface of:
+ - link-local scoped packets sent by neighbor discovery
+ - multicast packets sent by MLD host
+ - multicast packets send by MLD proxy daemon that sets outgoing
+ interface through IPV6_PKTINFO ipi6_ifindex
+
+Link-local and multicast packets must keep their original oif after
+ip6_route_me_harder is called.
+
+Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ net/ipv6/netfilter.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -24,7 +24,8 @@ int ip6_route_me_harder(struct net *net,
+ unsigned int hh_len;
+ struct dst_entry *dst;
+ struct flowi6 fl6 = {
+- .flowi6_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0,
++ .flowi6_oif = skb->sk && skb->sk->sk_bound_dev_if ? skb->sk->sk_bound_dev_if :
++ rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0,
+ .flowi6_mark = skb->mark,
+ .daddr = iph->daddr,
+ .saddr = iph->saddr,