From: "Emil.s" <emil.sandnabba@gmail.com>
To: netdev@vger.kernel.org
Subject: Martian source when routing packets through ipvlan device with loose rp_filter on parent interface
Date: Wed, 15 May 2024 23:48:34 +0200 [thread overview]
Message-ID: <CAEA9r7AR9DwbophLeJ4ScggYako=YfBtRYgd5TfCfNfovw24HA@mail.gmail.com> (raw)
Hello!
I've found what I think might be a bug in the reverse path filtering,
when used in combination with ipvlan devices.
As a simple example I've setup an environment with one client and one gateway:
Gateway:
* ens4f0: 10.1.1.1/16 (Physical interface)
* usb0 (Physical interface - 8c:ae:4c:fe:00:a7)
* ipvlan_usb@usb0: 192.168.0.1/24 (ipvlan mode l2/bridge)
Gateway routing table:
gateway #> ip ro
10.1.0.0/16 dev ens4f0 proto kernel scope link src 10.1.1.1
192.168.0.0/24 dev ipvlan_usb proto kernel scope link src 192.168.0.1
Client:
* eth0 (58:ef:68:b5:0d:46): 192.168.0.1/24
* `ip route add 10.1.0.0/16 via 192.168.0.1`
Client routing table:
client #> ip ro
10.1.0.0/16 via 192.168.0.1 dev eth0
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.2
From the client, I can ping the gateway without any issues
(192.168.0.1). But when I try to ping 10.1.1.1, the packets are just
dropped with the following log lines shown on the gateway:
kernel: IPv4: martian source 10.1.1.1 from 192.168.0.2, on dev usb0
kernel: ll header: 00000000: 8c ae 4c fe 00 a7 58 ef 68 b5 0d 46 08 00
I would expect this behavior using strict reverse path filtering,
since the packet will enter the usb0 interface, but the IP and route
belong to a sub-interface.
But in my case, I'm using "2 - loose mode" that states: "Each incoming
packet's source address is also tested against the FIB and if the
source address is not reachable via any interface the packet check
will fail."
As seen in the routing table, I do have a route to both subnets, so I
should get a match in my FIB.
Disabling rp_filter (0) on the 'usb0' interface solves the issue, and
packets will get routed normally. Another workaround is to delete the
kernel route from the ipvlan device and manually adding it to the
physical device:
gateway #> ip ro del 192.168.0.0/24 dev ipvlan_usb
gateway #> ip ro add 192.168.0.0/24 dev usb0
I've tested this on both Linux 5.15 on Ubuntu 22.04, as well as Linux
6.8.9 on Arch linux with the same result.
I hope I got this right, It's my first time mailing the kernel mailing lists.
Best regards
Emil Sandnabba
reply other threads:[~2024-05-15 21:48 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAEA9r7AR9DwbophLeJ4ScggYako=YfBtRYgd5TfCfNfovw24HA@mail.gmail.com' \
--to=emil.sandnabba@gmail.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).