
Problem with xfrm interface and bridged devices

Message ID f4461b32-852f-da7e-a893-97e08c455e44@linogate.de
State RFC
Series Problem with xfrm interface and bridged devices

Checks

Context                          Check    Description
netdev/tree_selection            success  Guessed tree name to be net-next
netdev/fixes_present             success  Fixes tag not required for -next series
netdev/subject_prefix            warning  Target tree name not specified in the subject
netdev/cover_letter              success  Single patches do not need cover letters
netdev/patch_count               success  Link
netdev/header_inline             success  No static functions without inline keyword in header files
netdev/build_32bit               success  Errors and warnings before: 5 this patch: 5
netdev/cc_maintainers            warning  3 maintainers not CCed: edumazet@google.com kuba@kernel.org pabeni@redhat.com
netdev/build_clang               success  Errors and warnings before: 1 this patch: 1
netdev/module_param              success  Was 0 now: 0
netdev/verify_signedoff          fail     author Signed-off-by missing
netdev/check_selftest            success  No net selftest shell script
netdev/verify_fixes              success  No Fixes tag
netdev/build_allmodconfig_warn   success  Errors and warnings before: 5 this patch: 5
netdev/checkpatch                fail     ERROR: space required before the open brace '{'; WARNING: braces {} are not necessary for single statement blocks
netdev/kdoc                      success  Errors and warnings before: 0 this patch: 0
netdev/source_inline             success  Was 0 now: 0

Commit Message

Wolfgang Nothdurft Jan. 26, 2023, 8:43 a.m. UTC
Hi there,

when using an xfrm interface in a bridged setup (the outgoing device is 
bridged), the incoming packets on the xfrm interface inherit the bridge 
info and confuse the netfilter connection tracking.

brctl show
bridge name     bridge id               STP enabled     interfaces
br_eth1         8000.000c29fe9646       no              eth1

This messes up the connection tracking so that only the outgoing packets 
show up and the connections through the xfrm interface are UNREPLIED. 
When using stateful netfilter rules, the response packet will be blocked 
as state INVALID.

telnet 192.168.12.1 7
Trying 192.168.12.1...

conntrack -L
tcp      6 115 SYN_SENT src=192.168.11.1 dst=192.168.12.1 sport=52476 
dport=7 packets=2 bytes=104 [UNREPLIED] src=192.168.12.1 
dst=192.168.11.1 sport=7 dport=52476 packets=0 bytes=0 mark=0 
secctx=system_u:object_r:unlabeled_t:s0 use=1

Chain INPUT (policy DROP 0 packets, 0 bytes)
     2   104 DROP_invalid  all  --  *      *       0.0.0.0/0 
0.0.0.0/0            state INVALID

Jan 26 09:28:12 defendo kernel: fw-chk drop [STATE=invalid] IN=ipsec0 
OUT= PHYSIN=eth1 MAC= SRC=192.168.12.1 DST=192.168.11.1 LEN=52 TOS=0x00 
PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=7 DPT=52476 WINDOW=64240 RES=0x00 
ACK SYN URGP=0 MARK=0x1000000

The attached patch removes the bridge info from the incoming packets on 
the xfrm interface, so the packet can be properly assigned to the 
connection.

Kind Regards,
Wolfgang
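The failure described in the report is visible in two places an operator can check without touching kernel code: the netfilter LOG line carries PHYSIN= (the bridge netfilter device) even though IN= is the xfrm interface, and the matching conntrack entry stays [UNREPLIED] because the reply never gets attributed to it. The following Python script is an added example, not part of the report or of the kernel patch; it parses constructed sample lines in the shape of the `conntrack -L` and kernel LOG output quoted above and correlates the two. The interface name set, the function names and the extra sample addresses are assumptions for illustration.

```python
"""Correlate netfilter LOG drops on an xfrm interface that still carry
bridge netfilter info (PHYSIN=) with conntrack entries stuck in
[UNREPLIED]. Added example; all sample lines below are constructed."""
import re
from typing import Dict, List, Optional

# key=value tokens; the value stops at whitespace or a closing bracket so
# that "[STATE=invalid]" yields STATE -> "invalid".
KV_RE = re.compile(r"(\w+)=([^\s\]]*)")

# Constructed sample data shaped like the `conntrack -L` and kernel LOG
# lines in the report (not captured from a real system). The second
# conntrack entry is a healthy flow for contrast.
SAMPLE_CONNTRACK = """\
tcp      6 115 SYN_SENT src=192.168.11.1 dst=192.168.12.1 sport=52476 dport=7 packets=2 bytes=104 [UNREPLIED] src=192.168.12.1 dst=192.168.11.1 sport=7 dport=52476 packets=0 bytes=0 mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=10.0.0.1 sport=40000 dport=443 packets=12 bytes=1800 src=10.0.0.1 dst=10.0.0.5 sport=443 dport=40000 packets=10 bytes=9000 [ASSURED] mark=0 use=1
"""

# Line 1: the symptom (IN=ipsec0 but PHYSIN=eth1 present). Line 2: an
# ordinary INVALID drop on a physical interface. Line 3: an xfrm-interface
# drop without bridge info, which is not the bug this report is about.
SAMPLE_LOG = """\
Jan 26 09:28:12 defendo kernel: fw-chk drop [STATE=invalid] IN=ipsec0 OUT= PHYSIN=eth1 MAC= SRC=192.168.12.1 DST=192.168.11.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=7 DPT=52476 WINDOW=64240 RES=0x00 ACK SYN URGP=0 MARK=0x1000000
Jan 26 09:28:13 defendo kernel: fw-chk drop [STATE=invalid] IN=eth0 OUT= MAC=00:0c:29:fe:96:46:00:0c:29:aa:bb:cc:08:00 SRC=10.0.0.9 DST=10.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=443 DPT=40001 WINDOW=0 RES=0x00 RST URGP=0
Jan 26 09:28:14 defendo kernel: fw-chk drop [STATE=invalid] IN=ipsec0 OUT= MAC= SRC=192.168.12.1 DST=192.168.11.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=7 DPT=52477 WINDOW=64240 RES=0x00 ACK SYN URGP=0 MARK=0x1000000
"""


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of a kernel netfilter LOG line."""
    if "kernel:" not in line:
        return None
    return dict(KV_RE.findall(line.split("kernel:", 1)[1]))


def parse_conntrack_line(line: str) -> Optional[dict]:
    """Split a `conntrack -L` entry into original and reply tuples.

    Keys repeat (src, dst, sport, dport, ...): the first occurrence belongs
    to the original direction, the second to the reply direction."""
    parts = line.split()
    if len(parts) < 3:
        return None
    orig: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    for key, val in KV_RE.findall(line):
        (reply if key in orig else orig)[key] = val
    return {
        "proto": parts[0],
        "unreplied": "[UNREPLIED]" in parts,
        "orig": orig,
        "reply": reply,
    }


def bridge_info_leaked(fields: Dict[str, str], xfrm_ifaces) -> bool:
    """PHYSIN= is only printed when the skb carries bridge netfilter info.
    A packet received on an xfrm interface should have none."""
    return fields.get("IN") in xfrm_ifaces and "PHYSIN" in fields


def correlate(log_text: str, ct_text: str, xfrm_ifaces) -> List[dict]:
    """Match each leaked-bridge-info drop against the reply tuple of an
    UNREPLIED conntrack entry (the drop is the reply the entry never saw)."""
    entries = [e for e in map(parse_conntrack_line, ct_text.splitlines()) if e]
    hits = []
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if not f or not bridge_info_leaked(f, xfrm_ifaces):
            continue
        dropped = (f.get("SRC"), f.get("DST"), f.get("SPT"), f.get("DPT"))
        for e in entries:
            r = e["reply"]
            reply_tuple = (r.get("src"), r.get("dst"), r.get("sport"), r.get("dport"))
            if e["unreplied"] and reply_tuple == dropped:
                o = e["orig"]
                hits.append({
                    "iface": f["IN"],
                    "physin": f["PHYSIN"],
                    "flow": f"{o['src']}:{o['sport']} -> {o['dst']}:{o['dport']}/{e['proto']}",
                })
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOG, SAMPLE_CONNTRACK, {"ipsec0"}):
        print(f"reply dropped on {hit['iface']} with bridge PHYSIN={hit['physin']}: {hit['flow']}")
```

The third sample line shows why the PHYSIN check matters: an INVALID drop on the xfrm interface without bridge info can have many other causes and is deliberately not reported as this bug.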

Comments

Pavan Chebbi Jan. 26, 2023, 9:38 a.m. UTC | #1
The SubmittingPatches and the Netdev FAQ documents can help in getting
this patch in the proper format.


On Thu, Jan 26, 2023 at 2:20 PM Wolfgang Nothdurft <wolfgang@linogate.de> wrote:
>
> Hi there,
>
> when using a xfrm interface in a bridged setup (the outgoing device is
> bridged), the incoming packets in the xfrm interface inherit the bridge
> info and confuses the netfilter connection tracking.
>
> brctl show
> bridge name     bridge id               STP enabled     interfaces
> br_eth1         8000.000c29fe9646       no              eth1
>
> This messes up the connection tracking so that only the outgoing packets
> shows up and the connections through the xfrm interface are UNREPLIED.
> When using stateful netfilter rules, the response packet will be blocked
> as state invalid.
>
> telnet 192.168.12.1 7
> Trying 192.168.12.1...
>
> conntrack -L
> tcp      6 115 SYN_SENT src=192.168.11.1 dst=192.168.12.1 sport=52476
> dport=7 packets=2 bytes=104 [UNREPLIED] src=192.168.12.1
> dst=192.168.11.1 sport=7 dport=52476 packets=0 bytes=0 mark=0
> secctx=system_u:object_r:unlabeled_t:s0 use=1
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>      2   104 DROP_invalid  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            state INVALID
>
> Jan 26 09:28:12 defendo kernel: fw-chk drop [STATE=invalid] IN=ipsec0
> OUT= PHYSIN=eth1 MAC= SRC=192.168.12.1 DST=192.168.11.1 LEN=52 TOS=0x00
> PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=7 DPT=52476 WINDOW=64240 RES=0x00
> ACK SYN URGP=0 MARK=0x1000000
>
> The attached patch removes the bridge info from the incoming packets on
> the xfrm interface, so the packet can be properly assigned to the
> connection.
>
> Kind Regards,
> Wolfgang

Patch

diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 77e82033ad70..588cd38e2e68 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -539,6 +539,11 @@  int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
 		goto lock;
 	}
 
+	// strip bridge info from skb
+	if (skb_ext_exist(skb, SKB_EXT_BRIDGE_NF)){
+		skb_ext_del(skb, SKB_EXT_BRIDGE_NF);
+	}
+
 	family = XFRM_SPI_SKB_CB(skb)->family;
 
 	/* if tunnel is present override skb->mark value with tunnel i_key */
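Review bot: xfrm_input() is the entry point for every ESP/AH packet the stack decapsulates, but the report only describes the problem with xfrm interfaces; deleting SKB_EXT_BRIDGE_NF unconditionally at this point in the hunk also changes behaviour for policy-based IPsec without an xfrm interface, which the report does not cover. Either move the reset into the xfrm interface receive path or state in the commit message why dropping the bridge state is correct for all xfrm input. On the hunk itself, skb_ext_del() already returns early when the extension is absent, so the skb_ext_exist() guard is redundant and the block can shrink to the single line `skb_ext_del(skb, SKB_EXT_BRIDGE_NF);`, which also clears the checkpatch ERROR (space required before `{` in `){`) and the WARNING about braces around a single statement. Use a `/* */` comment as the surrounding file does rather than `//`, and have it say why the bridge info must go (conntrack otherwise sees the bridge device and cannot match the reply to its entry) instead of only what the line does. The submission also lacks a Signed-off-by, as the verify_signedoff check flagged.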