Message ID | f4461b32-852f-da7e-a893-97e08c455e44@linogate.de (mailing list archive)
---|---
State | RFC
Series | Problem with xfrm interface and bridged devices
The SubmittingPatches and the Netdev FAQ documents can help in getting this patch in the proper format.

On Thu, Jan 26, 2023 at 2:20 PM Wolfgang Nothdurft <wolfgang@linogate.de> wrote:
>
> Hi there,
>
> when using an xfrm interface in a bridged setup (the outgoing device is
> bridged), the incoming packets in the xfrm interface inherit the bridge
> info and confuse the netfilter connection tracking.
>
> brctl show
> bridge name     bridge id               STP enabled     interfaces
> br_eth1         8000.000c29fe9646       no              eth1
>
> This messes up the connection tracking so that only the outgoing packets
> show up and the connections through the xfrm interface are UNREPLIED.
> When using stateful netfilter rules, the response packet will be blocked
> as state invalid.
>
> telnet 192.168.12.1 7
> Trying 192.168.12.1...
>
> conntrack -L
> tcp      6 115 SYN_SENT src=192.168.11.1 dst=192.168.12.1 sport=52476
> dport=7 packets=2 bytes=104 [UNREPLIED] src=192.168.12.1
> dst=192.168.11.1 sport=7 dport=52476 packets=0 bytes=0 mark=0
> secctx=system_u:object_r:unlabeled_t:s0 use=1
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>     2   104 DROP_invalid  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            state INVALID
>
> Jan 26 09:28:12 defendo kernel: fw-chk drop [STATE=invalid] IN=ipsec0
> OUT= PHYSIN=eth1 MAC= SRC=192.168.12.1 DST=192.168.11.1 LEN=52 TOS=0x00
> PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=7 DPT=52476 WINDOW=64240 RES=0x00
> ACK SYN URGP=0 MARK=0x1000000
>
> The attached patch removes the bridge info from the incoming packets on
> the xfrm interface, so the packet can be properly assigned to the
> connection.
>
> Kind Regards,
> Wolfgang
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index 77e82033ad70..588cd38e2e68 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c @@ -539,6 +539,11 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) goto lock; } + // strip bridge info from skb + if (skb_ext_exist(skb, SKB_EXT_BRIDGE_NF)){ + skb_ext_del(skb, SKB_EXT_BRIDGE_NF); + } + family = XFRM_SPI_SKB_CB(skb)->family; /* if tunnel is present override skb->mark value with tunnel i_key */
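Review bot: The added block in xfrm_input() references SKB_EXT_BRIDGE_NF unconditionally, but that skb_ext_id member is only defined when CONFIG_BRIDGE_NETFILTER is enabled, so this hunk breaks the build on kernels configured without bridge netfilter; wrap it in `#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)` / `#endif`. Inside the block, the `skb_ext_exist()` test is redundant because `skb_ext_del()` already performs that check before calling `__skb_ext_del()`, so the body can collapse to a single `skb_ext_del(skb, SKB_EXT_BRIDGE_NF);`. Scope is also worth stating in the commit message: the strip runs for every packet decapsulated by xfrm_input(), not only for packets delivered to an xfrm interface as the cover mail describes, so policy-based (non-interface) SAs whose outer device is a bridge member lose their nf_bridge state as well; if that is intended, say so, otherwise the strip belongs on the xfrm interface receive path. Style: kernel code uses `/* ... */` rather than `//` comments, `){` needs a space before the brace, and the patch as posted carries no commit message or Signed-off-by line.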