Date:	Fri, 22 May 2009 16:17:23 +0300
From:	Mark Ryden <markryde@...il.com>
To:	netdev@...r.kernel.org
Subject: Priority of added rules after deleting main and default rules in IPV4

Hi,

As we all know, when policy routing is enabled (CONFIG_IP_MULTIPLE_TABLES is
set, which is the default in many distros' kernels) the local rule table
cannot be deleted since it is added with a permanent flag (FIB_RULE_PERMANENT).
Trying to delete the local rule will yield an EPERM error (see
fib_nl_delrule() in net/core/fib_rules.c). However, a sysadmin can delete
the two other default rules (main and default), for example thus:
ip rule del from all lookup main
ip rule del from all lookup default

(Another question is why he should do it)

Then each rule that we add will get a priority of 0 (unless we
explicitly specify the priority when we add the rule). If we look at
the code, in fib4_rule_default_pref(), we will see why it is so. (This
method will return 0, since if (rule->pref) evaluates to 0 when we have
a single local rule, which has priority 0.)

This means that after deleting the main and default rules and adding rules,
the priority convention (which says that each new rule has a priority
which is 1 less than the last added) does not hold. All rules that
will be added will have priority 0.
The question is: should this be avoided?
(As I said, I know that the priority of a rule can be specified when
it is added.)

I tried for example this series of actions:
ip rule del from all lookup main
ip rule del from all lookup default
ip rule add tos 0x08 table 252
ip rule add tos 0x04 table 252

and then:
ip rule show
0:      from all lookup local
0:      from all tos throughput lookup my_rt_table
0:      from all tos reliability lookup my_rt_table

Also, of course, trying to add the default (or main) rules will add them
with priority 0.
(Trying, for example, "ip rule add from all lookup default".)

Regards,
Mark
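To make the mechanism in the message concrete, below is a small C model of the IPv4 rule list, written for this page (it is neither kernel code nor the poster's). It reproduces the two pieces of net/core/fib_rules.c the message refers to: fib4_rule_default_pref(), which looks at the second rule in the list (the first is always the permanent local rule, pref 0) and returns its pref minus one, or 0 if there is no such rule or its pref is 0; and the sorted insert done by fib_nl_newrule(), which places a new rule after the last rule whose pref is not greater than its own. The array, the table names and the scenario in main() are constructed for the example; the 32766/32767 prefs are the stock main and default rules.

```c
/*
 * Toy model of the IPv4 FIB rule list: fib4_rule_default_pref() and the sorted
 * insert in fib_nl_newrule() (net/core/fib_rules.c), reduced to a plain array.
 * Added illustration, not kernel code: it reproduces the behaviour described in
 * the message, where every rule added without an explicit priority gets 0 once
 * the main and default rules have been deleted.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_RULES 16

struct rule {
    uint32_t pref;     /* the "N:" column of ip rule show */
    char table[16];    /* routing table the rule points at (constructed names) */
};

struct rule_list {
    struct rule r[MAX_RULES];   /* kept sorted by pref, like ops->rules_list */
    int n;
};

/* fib4_rule_default_pref(): look at the SECOND rule (the first is always the
 * permanent local rule, pref 0); if its pref is nonzero return one less,
 * otherwise 0. With only the local rule left there is no second rule. */
uint32_t default_pref(const struct rule_list *l)
{
    if (l->n >= 2 && l->r[1].pref != 0)
        return l->r[1].pref - 1;
    return 0;
}

/* fib_nl_newrule() insert: the new rule goes after the last rule whose pref is
 * <= the new one. Returns the index it landed at, or -1 if the list is full. */
int add_rule(struct rule_list *l, uint32_t pref, const char *table)
{
    int i, pos = 0;

    if (l->n >= MAX_RULES)
        return -1;
    for (i = 0; i < l->n; i++) {
        if (l->r[i].pref > pref)
            break;
        pos = i + 1;
    }
    memmove(&l->r[pos + 1], &l->r[pos], (size_t)(l->n - pos) * sizeof l->r[0]);
    l->r[pos].pref = pref;
    snprintf(l->r[pos].table, sizeof l->r[pos].table, "%s", table);
    l->n++;
    return pos;
}

/* "ip rule add ... table T" with no "priority N": pref comes from default_pref(). */
int add_rule_default(struct rule_list *l, const char *table)
{
    return add_rule(l, default_pref(l), table);
}

/* "ip rule del from all lookup T". The local rule carries FIB_RULE_PERMANENT,
 * so deleting it fails (-1, EPERM in the kernel); no such rule gives -2. */
int del_rule(struct rule_list *l, const char *table)
{
    int i;

    for (i = 0; i < l->n; i++) {
        if (strcmp(l->r[i].table, table) != 0)
            continue;
        if (strcmp(table, "local") == 0)
            return -1;
        memmove(&l->r[i], &l->r[i + 1], (size_t)(l->n - i - 1) * sizeof l->r[0]);
        l->n--;
        return 0;
    }
    return -2;
}

/* The three rules an IPv4 policy-routing kernel starts with. */
void init_default_rules(struct rule_list *l)
{
    l->n = 0;
    add_rule(l, 0, "local");
    add_rule(l, 32766, "main");
    add_rule(l, 32767, "default");
}

int main(void)
{
    struct rule_list l;
    int i;

    init_default_rules(&l);
    del_rule(&l, "main");
    del_rule(&l, "default");
    add_rule_default(&l, "252");   /* default_pref() is now 0 */
    add_rule_default(&l, "252");   /* and stays 0: the collapse from the message */
    add_rule(&l, 100, "252");      /* an explicit priority avoids it */
    for (i = 0; i < l.n; i++)
        printf("%u:\tfrom all lookup %s\n", (unsigned)l.r[i].pref, l.r[i].table);
    return 0;
}
```

With the stock three rules, add_rule_default() hands out 32765, then 32764, which is the "one less than the last added" convention. After main and default are removed the only rule left is local at pref 0, default_pref() has nothing to decrement and every further unprioritised add lands at 0, exactly as the ip rule show output in the message shows; passing an explicit priority (the add_rule(&l, 100, ...) call) is the way around it.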