    net: ensure unbound datagram socket to be chosen when not in a VRF · 6da5b0f0
    Mike Manning authored
    Ensure an unbound datagram skt is chosen when not in a VRF. The check
    for a device match in compute_score() for UDP must be performed when
    there is no device match. For this, a failure is returned when there is
    no device match. This ensures that bound sockets are never selected,
    even if there is no unbound socket.
    
    Allow IPv6 packets to be sent over a datagram skt bound to a VRF. These
    packets are currently blocked, as flowi6_oif was set to that of the
    master vrf device, and the ipi6_ifindex is that of the slave device.
    Allow these packets to be sent by checking the device with ipi6_ifindex
    has the same L3 scope as that of the bound device of the skt, which is
    the master vrf device. Note that this check always succeeds if the skt
    is unbound.
    
    Even though the right datagram skt is now selected by compute_score(),
    a different skt is being returned that is bound to the wrong vrf. The
    difference between these and stream sockets is the handling of the skt
    option for SO_REUSEPORT. While the handling when adding a skt for reuse
    correctly checks that the bound device of the skt is a match, the skts
    in the hashslot are already incorrect. So for the same hash, a skt for
    the wrong vrf may be selected for the required port. The root cause is
    that the skt is immediately placed into a slot when it is created,
    but when the skt is then bound using SO_BINDTODEVICE, it remains in the
    same slot. The solution is to move the skt to the correct slot by
    forcing a rehash.
    Signed-off-by: Mike Manning <mmanning@vyatta.att-mail.com>
    Reviewed-by: David Ahern <dsahern@gmail.com>
    Tested-by: David Ahern <dsahern@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
datagram.c 24.9 KB
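
The selection rule from the first paragraph of the commit message, as an added user-space model (not code from this commit or from the kernel): a socket bound to a device that matches neither the ingress device nor its L3 master scores -1, so a packet arriving outside any VRF can only reach an unbound socket. The names `model_sock`, `model_score`, `model_lookup` and the sample ifindex values are hypothetical; hash slots, SO_REUSEPORT and sysctl handling are not modeled.

```c
#include <stddef.h>

/* Simplified user-space model; all names here are hypothetical. */
struct model_sock {
    int port;          /* local UDP port */
    int bound_dev_if;  /* 0 = unbound, else ifindex set via SO_BINDTODEVICE */
};

/* dif: ifindex the packet arrived on; sdif: ifindex of its L3 master (VRF)
 * device, 0 if none. Returns -1 when the socket must not get the packet. */
static int model_score(const struct model_sock *sk, int port, int dif, int sdif)
{
    int score = 1;

    if (sk->port != port)
        return -1;
    if (sk->bound_dev_if) {
        /* A bound socket matching neither device fails outright. */
        if (sk->bound_dev_if != dif && sk->bound_dev_if != sdif)
            return -1;
        score += 4;  /* a device match outranks an unbound socket */
    }
    return score;
}

/* Return the best-scoring socket, or NULL when no socket is eligible. */
static const struct model_sock *model_lookup(const struct model_sock *tbl,
                                             size_t n, int port, int dif, int sdif)
{
    const struct model_sock *best = NULL;
    int best_score = -1;

    for (size_t i = 0; i < n; i++) {
        int s = model_score(&tbl[i], port, dif, sdif);
        if (s > best_score) {
            best_score = s;
            best = &tbl[i];
        }
    }
    return best;
}

/* Constructed sample: ifindex 10 and 20 stand for two VRF master devices. */
static const struct model_sock sample[] = {
    { 5000, 10 },  /* bound to VRF 10 */
    { 5000, 20 },  /* bound to VRF 20 */
    { 5000, 0 },   /* unbound */
};

/* Exit 0 if a non-VRF packet finds no socket when only bound ones exist. */
int main(void) { return model_lookup(sample, 2, 5000, 2, 0) == NULL ? 0 : 1; }
```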