[PATCH net-next 0/8] ipv4: icmp: Fix source IP derivation in presence of VRFs
Ido Schimmel
idosch at nvidia.com
Mon Sep 1 08:40:26 UTC 2025
On Mon, Sep 01, 2025 at 11:30:19AM +0300, Ido Schimmel wrote:
> Align IPv4 with IPv6 and in the presence of VRFs generate ICMP error
> messages with a source IP that is derived from the receiving interface
> and not from its VRF master. This is especially important when the error
> messages are "Time Exceeded" messages as it means that utilities like
> traceroute will show an incorrect packet path.
>
> Patches #1-#2 are preparations.
>
> Patch #3 is the actual change.
>
> Patches #4-#7 make small improvements in the existing traceroute test.
>
> Patch #8 extends the traceroute test with VRF test cases for both IPv4
> and IPv6.

Jakub / Paolo, patch #2 is going to conflict with the following net
patch:

https://lore.kernel.org/all/20250828091435.161962-1-fabian@blaese.de/

Resolution is below. Please let me know if you prefer that I repost next
week in order to avoid the conflict.

@@ -799,15 +800,16 @@ EXPORT_SYMBOL(__icmp_send);
void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
{
struct sk_buff *cloned_skb = NULL;
- struct ip_options opts = { 0 };
enum ip_conntrack_info ctinfo;
enum ip_conntrack_dir dir;
+ struct inet_skb_parm parm;
struct nf_conn *ct;
__be32 orig_ip;
+ memset(&parm, 0, sizeof(parm));
ct = nf_ct_get(skb_in, &ctinfo);
if (!ct || !(READ_ONCE(ct->status) & IPS_NAT_MASK)) {
- __icmp_send(skb_in, type, code, info, &opts);
+ __icmp_send(skb_in, type, code, info, &parm);
return;
}
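Review bot: `parm` is declared without an initializer and only zeroed by the `memset(&parm, 0, sizeof(parm));` that follows the declarations, whereas the `opts` it replaces was zeroed at its declaration with `= { 0 }`. Since the argument handed to `__icmp_send()` is now a whole `struct inet_skb_parm` rather than just the options, consider a one-line comment above the `memset()` stating that every field, not only the options, is intentionally zero for both call sites in this function, so a later reader does not assume it mirrors the control block of `skb_in`.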
@@ -823,7 +825,7 @@ void icmp_ndo_send(struct sk_buff *skb_in, int type, int code, __be32 info)
orig_ip = ip_hdr(skb_in)->saddr;
dir = CTINFO2DIR(ctinfo);
ip_hdr(skb_in)->saddr = ct->tuplehash[dir].tuple.src.u3.ip;
- __icmp_send(skb_in, type, code, info, &opts);
+ __icmp_send(skb_in, type, code, info, &parm);
ip_hdr(skb_in)->saddr = orig_ip;
out:
consume_skb(cloned_skb);
More information about the Linux-security-module-archive
mailing list