lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 28 Nov 2009 14:44:02 -0500
From:	jamal <hadi@...erus.ca>
To:	KOVACS Krisztian <hidden@....bme.hu>
Cc:	Patrick McHardy <kaber@...sh.net>,
	KOVACS Krisztian <hidden@...abit.hu>,
	Andreas Schultz <aschultz@...p10.net>, tproxy@...ts.balabit.hu,
	netdev@...r.kernel.org
Subject: Re: [tproxy,regression] tproxy broken in 2.6.32

On Sat, 2009-11-28 at 20:05 +0100, KOVACS Krisztian wrote:
> Hi,
> 

> The source address *is* unicast. 

Sorry - I meant the route type is unicast. The fact that an address is
unicast or not is already dealt with by the time you get to source
address validation (in ip_input())

> The problem is that the routing setup is
> asymmetrical, as Patrick has already mentioned: we're using a mark to
> force certain packets (those that have matching sockets on the host) being
> delivered locally.
>
> In the other direction, reply packets won't be marked by the iptables
> rules and thus will be routed on egress just fine. 

In that case i dont understand the reluctance to use unicast routes.
Maybe you can explain and put me at ease because i see youve put extra
effort to use local addresses. 

> Your modification has
> the assumption that routing is symmetrical, and that reply packets will
> have the same mark. That assumption is not necessarily right, and I think
> it's not entirely unreasonable to think that not only tproxy setups will
> be broken by the change.
> 
> > So i didnt introduce that logic thats causing this pain.
> 
> Well, it depends whether or not you consider the initial setup valid.
> 

Based on what i see - I frankly dont. If i looked up the source address
and found that it belonged to something other than unicast route - we
drop it. It doesnt matter whether you use policy routing, rpf or not.
It may be the solution is to allow local routes under certain conditions
although i dont understand why.

> > If it worked before it was hack or fluke imo ;-> If we think that
> > source address validation needs to check for something else
> > additionally, i think thats a separate topic (but doesnt
> > seem worth a change)
> 
> My only concern is that this definitely breaks current setups, and while
> we do have a workaround we don't have a way to let all users know what
> needs to be done...

This code just went in i think. And really this is a user space issue;
i am not unreasonable - please convince me i am just having a technical
challenge understanding your desire to use local instead of unicast.

cheers,
jamal

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ