On 2/23/18 10:49 AM, Stephen Suryaputra wrote:
> Greetings,
>
> We found that ICMP destination unreachable isn't sent if VRF
> forwarding isn't configured, i.e.
> /proc/sys/net/ipv4/conf/<vrf_net_device>/forwarding isn't set. The
> relevant code is:
>
> static int ip_error(struct sk_buff *skb)
> {
> ...
> 	// in_dev is the vrf net_device
> 	if (!IN_DEV_FORWARD(in_dev)) {
> 		switch (rt->dst.error) {
> 		case EHOSTUNREACH:
> 			__IP_INC_STATS(net, IPSTATS_MIB_INADDRERRORS);
> 			break;
>
> 		case ENETUNREACH:
> 			__IP_INC_STATS(net, IPSTATS_MIB_INNOROUTES);
> 			break;
> 		}
> 		goto out;
> 	}
> ...
> out:	kfree_skb(skb);
> 	return 0;
> }
>
> The question: is it intended to be set? The basic forwarding seems to
> be working without. We do set it on the slave net devices.
Unintended side effect of VRF as a netdev. This should fix it: diff --git a/net/ipv4/route.c b/net/ipv4/route.c index 5ca7415cd48c..d59d005fb7c5 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -944,7 +944,7 @@ static int ip_error(struct sk_buff *skb) goto out; net = dev_net(rt->dst.dev); - if (!IN_DEV_FORWARD(in_dev)) { + if (!IN_DEV_FORWARD(in_dev) && !netif_is_l3_master(skb->dev)) { switch (rt->dst.error) { case EHOSTUNREACH: __IP_INC_STATS(net, IPSTATS_MIB_INADDRERRORS);
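Review bot: the added `!netif_is_l3_master(skb->dev)` term on the `+` line skips the forwarding check entirely whenever skb->dev is an L3 master, so no forwarding setting is consulted on that path, neither the VRF device's nor the enslaved ingress device's. The report says forwarding is set on the slave net devices; if that per-slave setting is meant to keep gating ICMP errors, consider resolving the original ingress device when skb->dev is an L3 master and testing IN_DEV_FORWARD() on it, rather than bypassing the test. With the change as written, the IPSTATS_MIB_INADDRERRORS and IPSTATS_MIB_INNOROUTES increments inside this branch are also never reached for VRF traffic. A short comment above the condition saying why L3 master devices are exempt would help, since the reason (the forwarding sysctl on the VRF netdev is normally left unset) is not visible from the code.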