
xfrm: Use VRF master index if output device is enslaved

Directs route lookups to the VRF table. Compiles out if NET_VRF is not
enabled. With this patch, ipsec tunnels can be brought up successfully
in VRFs, even with duplicate network configuration.

Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

David Ahern and committed by
David S. Miller
4ec3b28c 6f021c62

+10 -4
+5 -2
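--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -15,6 +15,7 @@
 #include <net/dst.h>
 #include <net/xfrm.h>
 #include <net/ip.h>
+#include <net/vrf.h>
 
 static struct xfrm_policy_afinfo xfrm4_policy_afinfo;
 
@@
 	struct flowi4 *fl4 = &fl->u.ip4;
 	int oif = 0;
 
-	if (skb_dst(skb))
-		oif = skb_dst(skb)->dev->ifindex;
+	if (skb_dst(skb)) {
+		oif = vrf_master_ifindex(skb_dst(skb)->dev) ?
+			: skb_dst(skb)->dev->ifindex;
+	}
 
 	memset(fl4, 0, sizeof(struct flowi4));
 	fl4->flowi4_mark = skb->mark;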
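Review bot: The rewritten `oif` in the second hunk is no longer the egress device's own index when that device is enslaved. If this value ends up in the flow key (the assignment is outside the hunk, so this is inferred), it feeds xfrm selector matching as well as the route lookup. A policy whose selector pins the ifindex of the enslaved device would then stop matching, and traffic expected to be protected could fall through to a different policy or to none. That case should be confirmed and the intended semantics stated above the assignment, for example `/* enslaved device: key the flow on the VRF master so lookups use the VRF table; ifindex selectors must name the master */`. The same change is made in net/ipv6/xfrm6_policy.c, and the enclosing function starts and ends outside the hunk.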
+5 -2
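--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -20,6 +20,7 @@
 #include <net/ip.h>
 #include <net/ipv6.h>
 #include <net/ip6_route.h>
+#include <net/vrf.h>
 #if IS_ENABLED(CONFIG_IPV6_MIP6)
 #include <net/mip6.h>
 #endif
@@
 
 	nexthdr = nh[nhoff];
 
-	if (skb_dst(skb))
-		oif = skb_dst(skb)->dev->ifindex;
+	if (skb_dst(skb)) {
+		oif = vrf_master_ifindex(skb_dst(skb)->dev) ?
+			: skb_dst(skb)->dev->ifindex;
+	}
 
 	memset(fl6, 0, sizeof(struct flowi6));
 	fl6->flowi6_mark = skb->mark;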
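Review bot: The fallback in the second hunk depends on vrf_master_ifindex() returning 0 for a device that is not enslaved, and presumably also when NET_VRF is compiled out as the description says, but nothing at the call site states that contract. That return convention is inferred from the `?:` usage, since net/vrf.h is not shown. `skb_dst(skb)` is also now evaluated three times; reading it once makes the expression easier to audit: `struct dst_entry *dst = skb_dst(skb);` and then, under `if (dst)`, `oif = vrf_master_ifindex(dst->dev) ? : dst->dev->ifindex;`. The enclosing function continues outside the hunk, and the same applies to the matching hunk in net/ipv4/xfrm4_policy.c.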