net: ipv4 sysctl option to ignore routes when nexthop link is down

This feature is only enabled with the new per-interface or ipv4 global
sysctls called 'ignore_routes_with_linkdown'.

net.ipv4.conf.all.ignore_routes_with_linkdown = 0
net.ipv4.conf.default.ignore_routes_with_linkdown = 0
net.ipv4.conf.lo.ignore_routes_with_linkdown = 0
...

When the above sysctls are set, will report to userspace that a route is
dead and will no longer resolve to this nexthop when performing a fib
lookup.  This will signal to userspace that the route will not be
selected.  The signalling of a RTNH_F_DEAD is only passed to userspace
if the sysctl is enabled and link is down.  This was done as without it
the netlink listeners would have no idea whether or not a nexthop would
be selected.   The kernel only sets RTNH_F_DEAD internally if the
interface has IFF_UP cleared.

With the new sysctl set, the following behavior can be observed
(interface p8p1 is link-down):

default via 10.0.5.2 dev p9p1
10.0.5.0/24 dev p9p1  proto kernel  scope link  src 10.0.5.15
70.0.0.0/24 dev p7p1  proto kernel  scope link  src 70.0.0.1
80.0.0.0/24 dev p8p1  proto kernel  scope link  src 80.0.0.1 dead linkdown
90.0.0.0/24 via 80.0.0.2 dev p8p1  metric 1 dead linkdown
90.0.0.0/24 via 70.0.0.2 dev p7p1  metric 2
90.0.0.1 via 70.0.0.2 dev p7p1  src 70.0.0.1
    cache
local 80.0.0.1 dev lo  src 80.0.0.1
    cache <local>
80.0.0.2 via 10.0.5.2 dev p9p1  src 10.0.5.15
    cache

While the route does remain in the table (so it can be modified if
needed rather than being wiped away as it would be if IFF_UP was
cleared), the proper next-hop is chosen automatically when the link is
down.  Now interface p8p1 is linked-up:

default via 10.0.5.2 dev p9p1
10.0.5.0/24 dev p9p1  proto kernel  scope link  src 10.0.5.15
70.0.0.0/24 dev p7p1  proto kernel  scope link  src 70.0.0.1
80.0.0.0/24 dev p8p1  proto kernel  scope link  src 80.0.0.1
90.0.0.0/24 via 80.0.0.2 dev p8p1  metric 1
90.0.0.0/24 via 70.0.0.2 dev p7p1  metric 2
192.168.56.0/24 dev p2p1  proto kernel  scope link  src 192.168.56.2
90.0.0.1 via 80.0.0.2 dev p8p1  src 80.0.0.1
    cache
local 80.0.0.1 dev lo  src 80.0.0.1
    cache <local>
80.0.0.2 dev p8p1  src 80.0.0.1
    cache

and the output changes to what one would expect.

If the sysctl is not set, the following output would be expected when
p8p1 is down:

default via 10.0.5.2 dev p9p1
10.0.5.0/24 dev p9p1  proto kernel  scope link  src 10.0.5.15
70.0.0.0/24 dev p7p1  proto kernel  scope link  src 70.0.0.1
80.0.0.0/24 dev p8p1  proto kernel  scope link  src 80.0.0.1 linkdown
90.0.0.0/24 via 80.0.0.2 dev p8p1  metric 1 linkdown
90.0.0.0/24 via 70.0.0.2 dev p7p1  metric 2

Since the dead flag does not appear, there should be no expectation that
the kernel would skip using this route due to link being down.

v2: Split kernel changes into 2 patches, this actually makes a
behavioral change if the sysctl is set.  Also took suggestion from Alex
to simplify code by only checking sysctl during fib lookup and
suggestion from Scott to add a per-interface sysctl.

v3: Code clean-ups to make it more readable and efficient as well as a
reverse path check fix.

v4: Drop binary sysctl

v5: Whitespace fixups from Dave

v6: Style changes from Dave and checkpatch suggestions

v7: One more checkpatch fixup

Signed-off-by: Andy Gospodarek <gospo@cumulusnetworks.com>
Signed-off-by: Dinesh Dutt <ddutt@cumulusnetworks.com>
Acked-by: Scott Feldman <sfeldma@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
index 0a21fbefdfbec1a693ed09c3d256b8059760655e..a4328cea376abfc9b11cea8c68403d6a96375f9c 100644 (file)
--- a/include/linux/inetdevice.h
+++ b/include/linux/inetdevice.h
@@ -120,6 +120,9 @@ static inline void ipv4_devconf_setall(struct in_device *in_dev)
         || (!IN_DEV_FORWARD(in_dev) && \
          IN_DEV_ORCONF((in_dev), ACCEPT_REDIRECTS)))
 
+#define IN_DEV_IGNORE_ROUTES_WITH_LINKDOWN(in_dev) \
+       IN_DEV_CONF_GET((in_dev), IGNORE_ROUTES_WITH_LINKDOWN)
+
 #define IN_DEV_ARPFILTER(in_dev)       IN_DEV_ORCONF((in_dev), ARPFILTER)
 #define IN_DEV_ARP_ACCEPT(in_dev)      IN_DEV_ORCONF((in_dev), ARP_ACCEPT)
 #define IN_DEV_ARP_ANNOUNCE(in_dev)    IN_DEV_MAXCONF((in_dev), ARP_ANNOUNCE)

diff --git a/include/net/fib_rules.h b/include/net/fib_rules.h
index 6d67383a5114bd1010908bc7c8328a41d52e0a3b..903a55efbffe50a3507f79b1b5e4b49405f31aa8 100644 (file)
--- a/include/net/fib_rules.h
+++ b/include/net/fib_rules.h
@@ -36,7 +36,8 @@ struct fib_lookup_arg {
        void                    *result;
        struct fib_rule         *rule;
        int                     flags;
-#define FIB_LOOKUP_NOREF       1
+#define FIB_LOOKUP_NOREF               1
+#define FIB_LOOKUP_IGNORE_LINKSTATE    2
 };
 
 struct fib_rules_ops {

diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
index f73d27c5575ae320a2573015f5aac591ba95805d..49c142bdf01e67b55bcf59c2d1e63f6615783ea1 100644 (file)
--- a/include/net/ip_fib.h
+++ b/include/net/ip_fib.h
@@ -226,7 +226,7 @@ static inline struct fib_table *fib_new_table(struct net *net, u32 id)
 }
 
 static inline int fib_lookup(struct net *net, const struct flowi4 *flp,
-                            struct fib_result *res)
+                            struct fib_result *res, unsigned int flags)
 {
        struct fib_table *tb;
        int err = -ENETUNREACH;
@@ -234,7 +234,7 @@ static inline int fib_lookup(struct net *net, const struct flowi4 *flp,
        rcu_read_lock();
 
        tb = fib_get_table(net, RT_TABLE_MAIN);
-       if (tb && !fib_table_lookup(tb, flp, res, FIB_LOOKUP_NOREF))
+       if (tb && !fib_table_lookup(tb, flp, res, flags | FIB_LOOKUP_NOREF))
                err = 0;
 
        rcu_read_unlock();
@@ -249,16 +249,18 @@ void __net_exit fib4_rules_exit(struct net *net);
 struct fib_table *fib_new_table(struct net *net, u32 id);
 struct fib_table *fib_get_table(struct net *net, u32 id);
 
-int __fib_lookup(struct net *net, struct flowi4 *flp, struct fib_result *res);
+int __fib_lookup(struct net *net, struct flowi4 *flp,
+                struct fib_result *res, unsigned int flags);
 
 static inline int fib_lookup(struct net *net, struct flowi4 *flp,
-                            struct fib_result *res)
+                            struct fib_result *res, unsigned int flags)
 {
        struct fib_table *tb;
        int err;
 
+       flags |= FIB_LOOKUP_NOREF;
        if (net->ipv4.fib_has_custom_rules)
-               return __fib_lookup(net, flp, res);
+               return __fib_lookup(net, flp, res, flags);
 
        rcu_read_lock();
 
@@ -266,11 +268,11 @@ static inline int fib_lookup(struct net *net, struct flowi4 *flp,
 
        for (err = 0; !err; err = -ENETUNREACH) {
                tb = rcu_dereference_rtnl(net->ipv4.fib_main);
-               if (tb && !fib_table_lookup(tb, flp, res, FIB_LOOKUP_NOREF))
+               if (tb && !fib_table_lookup(tb, flp, res, flags))
                        break;
 
                tb = rcu_dereference_rtnl(net->ipv4.fib_default);
-               if (tb && !fib_table_lookup(tb, flp, res, FIB_LOOKUP_NOREF))
+               if (tb && !fib_table_lookup(tb, flp, res, flags))
                        break;
        }
 

diff --git a/include/uapi/linux/ip.h b/include/uapi/linux/ip.h
index 411959405ab6ed278d2a963c5931b546cff2dc2e..08f894d2ddbd9cf21b423a0dbac7c73b6b105846 100644 (file)
--- a/include/uapi/linux/ip.h
+++ b/include/uapi/linux/ip.h
@@ -164,6 +164,7 @@ enum
        IPV4_DEVCONF_ROUTE_LOCALNET,
        IPV4_DEVCONF_IGMPV2_UNSOLICITED_REPORT_INTERVAL,
        IPV4_DEVCONF_IGMPV3_UNSOLICITED_REPORT_INTERVAL,
+       IPV4_DEVCONF_IGNORE_ROUTES_WITH_LINKDOWN,
        __IPV4_DEVCONF_MAX
 };
 

diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 419d23c53ec756327178f9101ea8287d671c9a47..7498716e8f541b5a55aef59a85e70b302ba7248c 100644 (file)
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -2169,6 +2169,8 @@ static struct devinet_sysctl_table {
                                        "igmpv2_unsolicited_report_interval"),
                DEVINET_SYSCTL_RW_ENTRY(IGMPV3_UNSOLICITED_REPORT_INTERVAL,
                                        "igmpv3_unsolicited_report_interval"),
+               DEVINET_SYSCTL_RW_ENTRY(IGNORE_ROUTES_WITH_LINKDOWN,
+                                       "ignore_routes_with_linkdown"),
 
                DEVINET_SYSCTL_FLUSHING_ENTRY(NOXFRM, "disable_xfrm"),
                DEVINET_SYSCTL_FLUSHING_ENTRY(NOPOLICY, "disable_policy"),

diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 534eb148504575e9756df206e2e5184f45aea643..6bbc54940eb4ee4802a5a94835e44b0d22b170dd 100644 (file)
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -280,7 +280,7 @@ __be32 fib_compute_spec_dst(struct sk_buff *skb)
                fl4.flowi4_tos = RT_TOS(ip_hdr(skb)->tos);
                fl4.flowi4_scope = scope;
                fl4.flowi4_mark = IN_DEV_SRC_VMARK(in_dev) ? skb->mark : 0;
-               if (!fib_lookup(net, &fl4, &res))
+               if (!fib_lookup(net, &fl4, &res, 0))
                        return FIB_RES_PREFSRC(net, res);
        } else {
                scope = RT_SCOPE_LINK;
@@ -319,7 +319,7 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
        fl4.flowi4_mark = IN_DEV_SRC_VMARK(idev) ? skb->mark : 0;
 
        net = dev_net(dev);
-       if (fib_lookup(net, &fl4, &res))
+       if (fib_lookup(net, &fl4, &res, 0))
                goto last_resort;
        if (res.type != RTN_UNICAST &&
            (res.type != RTN_LOCAL || !IN_DEV_ACCEPT_LOCAL(idev)))
@@ -354,7 +354,7 @@ static int __fib_validate_source(struct sk_buff *skb, __be32 src, __be32 dst,
        fl4.flowi4_oif = dev->ifindex;
 
        ret = 0;
-       if (fib_lookup(net, &fl4, &res) == 0) {
+       if (fib_lookup(net, &fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE) == 0) {
                if (res.type == RTN_UNICAST)
                        ret = FIB_RES_NH(res).nh_scope >= RT_SCOPE_HOST;
        }

diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
index 56151982f74efb26dab4abad429f473ba8b06cba..18123d50f576117358e47c4d3de0f5c3dcebafaa 100644 (file)
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -47,11 +47,12 @@ struct fib4_rule {
 #endif
 };
 
-int __fib_lookup(struct net *net, struct flowi4 *flp, struct fib_result *res)
+int __fib_lookup(struct net *net, struct flowi4 *flp,
+                struct fib_result *res, unsigned int flags)
 {
        struct fib_lookup_arg arg = {
                .result = res,
-               .flags = FIB_LOOKUP_NOREF,
+               .flags = flags,
        };
        int err;
 

diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index b1b305b1e34050883d246a150458a1c17fb480e5..3bfccd83551ce71cc2b69efe233426f3e70ea854 100644 (file)
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -623,7 +623,8 @@ static int fib_check_nh(struct fib_config *cfg, struct fib_info *fi,
                        /* It is not necessary, but requires a bit of thinking */
                        if (fl4.flowi4_scope < RT_SCOPE_LINK)
                                fl4.flowi4_scope = RT_SCOPE_LINK;
-                       err = fib_lookup(net, &fl4, &res);
+                       err = fib_lookup(net, &fl4, &res,
+                                        FIB_LOOKUP_IGNORE_LINKSTATE);
                        if (err) {
                                rcu_read_unlock();
                                return err;
@@ -1035,12 +1036,20 @@ int fib_dump_info(struct sk_buff *skb, u32 portid, u32 seq, int event,
            nla_put_in_addr(skb, RTA_PREFSRC, fi->fib_prefsrc))
                goto nla_put_failure;
        if (fi->fib_nhs == 1) {
+               struct in_device *in_dev;
+
                if (fi->fib_nh->nh_gw &&
                    nla_put_in_addr(skb, RTA_GATEWAY, fi->fib_nh->nh_gw))
                        goto nla_put_failure;
                if (fi->fib_nh->nh_oif &&
                    nla_put_u32(skb, RTA_OIF, fi->fib_nh->nh_oif))
                        goto nla_put_failure;
+               if (fi->fib_nh->nh_flags & RTNH_F_LINKDOWN) {
+                       in_dev = __in_dev_get_rcu(fi->fib_nh->nh_dev);
+                       if (in_dev &&
+                           IN_DEV_IGNORE_ROUTES_WITH_LINKDOWN(in_dev))
+                               rtm->rtm_flags |= RTNH_F_DEAD;
+               }
 #ifdef CONFIG_IP_ROUTE_CLASSID
                if (fi->fib_nh[0].nh_tclassid &&
                    nla_put_u32(skb, RTA_FLOW, fi->fib_nh[0].nh_tclassid))
@@ -1057,11 +1066,19 @@ int fib_dump_info(struct sk_buff *skb, u32 portid, u32 seq, int event,
                        goto nla_put_failure;
 
                for_nexthops(fi) {
+                       struct in_device *in_dev;
+
                        rtnh = nla_reserve_nohdr(skb, sizeof(*rtnh));
                        if (!rtnh)
                                goto nla_put_failure;
 
                        rtnh->rtnh_flags = nh->nh_flags & 0xFF;
+                       if (nh->nh_flags & RTNH_F_LINKDOWN) {
+                               in_dev = __in_dev_get_rcu(nh->nh_dev);
+                               if (in_dev &&
+                                   IN_DEV_IGNORE_ROUTES_WITH_LINKDOWN(in_dev))
+                                       rtnh->rtnh_flags |= RTNH_F_DEAD;
+                       }
                        rtnh->rtnh_hops = nh->nh_weight - 1;
                        rtnh->rtnh_ifindex = nh->nh_oif;
 
@@ -1310,16 +1327,22 @@ int fib_sync_up(struct net_device *dev, unsigned int nh_flags)
 void fib_select_multipath(struct fib_result *res)
 {
        struct fib_info *fi = res->fi;
+       struct in_device *in_dev;
        int w;
 
        spin_lock_bh(&fib_multipath_lock);
        if (fi->fib_power <= 0) {
                int power = 0;
                change_nexthops(fi) {
-                       if (!(nexthop_nh->nh_flags & RTNH_F_DEAD)) {
-                               power += nexthop_nh->nh_weight;
-                               nexthop_nh->nh_power = nexthop_nh->nh_weight;
-                       }
+                       in_dev = __in_dev_get_rcu(nexthop_nh->nh_dev);
+                       if (nexthop_nh->nh_flags & RTNH_F_DEAD)
+                               continue;
+                       if (in_dev &&
+                           IN_DEV_IGNORE_ROUTES_WITH_LINKDOWN(in_dev) &&
+                           nexthop_nh->nh_flags & RTNH_F_LINKDOWN)
+                               continue;
+                       power += nexthop_nh->nh_weight;
+                       nexthop_nh->nh_power = nexthop_nh->nh_weight;
                } endfor_nexthops(fi);
                fi->fib_power = power;
                if (power <= 0) {

diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index 6c666a9f1bd52d491e845b89f698726b28abbf4c..15d32612e3c6f134a533034aa4d7f74fa52da51b 100644 (file)
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -1412,9 +1412,15 @@ found:
                        continue;
                for (nhsel = 0; nhsel < fi->fib_nhs; nhsel++) {
                        const struct fib_nh *nh = &fi->fib_nh[nhsel];
+                       struct in_device *in_dev = __in_dev_get_rcu(nh->nh_dev);
 
                        if (nh->nh_flags & RTNH_F_DEAD)
                                continue;
+                       if (in_dev &&
+                           IN_DEV_IGNORE_ROUTES_WITH_LINKDOWN(in_dev) &&
+                           nh->nh_flags & RTNH_F_LINKDOWN &&
+                           !(fib_flags & FIB_LOOKUP_IGNORE_LINKSTATE))
+                               continue;
                        if (flp->flowi4_oif && flp->flowi4_oif != nh->nh_oif)
                                continue;
 

diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
index 4bfaedf9b34e5248aa6f8133e2c3bb0e555062e9..8618fd150c965015ca2ee256499add4186f4810a 100644 (file)
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -40,7 +40,7 @@ static bool rpfilter_lookup_reverse(struct flowi4 *fl4,
        struct net *net = dev_net(dev);
        int ret __maybe_unused;
 
-       if (fib_lookup(net, fl4, &res))
+       if (fib_lookup(net, fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE))
                return false;
 
        if (res.type != RTN_UNICAST) {

diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index f6055984c3070a6b76ba79a09292bcd8f937f79d..d0362a2de3d3805260c878f5e3a9341e225cade9 100644 (file)
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -747,7 +747,7 @@ static void __ip_do_redirect(struct rtable *rt, struct sk_buff *skb, struct flow
                if (!(n->nud_state & NUD_VALID)) {
                        neigh_event_send(n, NULL);
                } else {
-                       if (fib_lookup(net, fl4, &res) == 0) {
+                       if (fib_lookup(net, fl4, &res, 0) == 0) {
                                struct fib_nh *nh = &FIB_RES_NH(res);
 
                                update_or_create_fnhe(nh, fl4->daddr, new_gw,
@@ -975,7 +975,7 @@ static void __ip_rt_update_pmtu(struct rtable *rt, struct flowi4 *fl4, u32 mtu)
                return;
 
        rcu_read_lock();
-       if (fib_lookup(dev_net(dst->dev), fl4, &res) == 0) {
+       if (fib_lookup(dev_net(dst->dev), fl4, &res, 0) == 0) {
                struct fib_nh *nh = &FIB_RES_NH(res);
 
                update_or_create_fnhe(nh, fl4->daddr, 0, mtu,
@@ -1186,7 +1186,7 @@ void ip_rt_get_source(u8 *addr, struct sk_buff *skb, struct rtable *rt)
                fl4.flowi4_mark = skb->mark;
 
                rcu_read_lock();
-               if (fib_lookup(dev_net(rt->dst.dev), &fl4, &res) == 0)
+               if (fib_lookup(dev_net(rt->dst.dev), &fl4, &res, 0) == 0)
                        src = FIB_RES_PREFSRC(dev_net(rt->dst.dev), res);
                else
                        src = inet_select_addr(rt->dst.dev,
@@ -1716,7 +1716,7 @@ static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
        fl4.flowi4_scope = RT_SCOPE_UNIVERSE;
        fl4.daddr = daddr;
        fl4.saddr = saddr;
-       err = fib_lookup(net, &fl4, &res);
+       err = fib_lookup(net, &fl4, &res, 0);
        if (err != 0) {
                if (!IN_DEV_FORWARD(in_dev))
                        err = -EHOSTUNREACH;
@@ -2123,7 +2123,7 @@ struct rtable *__ip_route_output_key(struct net *net, struct flowi4 *fl4)
                goto make_route;
        }
 
-       if (fib_lookup(net, fl4, &res)) {
+       if (fib_lookup(net, fl4, &res, 0)) {
                res.fi = NULL;
                res.table = NULL;
                if (fl4->flowi4_oif) {