| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 19 Oct 2010 10:40:24 +0200 From: Patrick McHardy <kaber@...sh.net> To: Simon Horman <horms@...ge.net.au> CC: lvs-devel@...r.kernel.org, netdev@...r.kernel.org, netfilter-devel@...r.kernel.org, Julian Anastasov <ja@....bg>, Julius Volz <juliusv@...gle.com>, Wensong Zhang <wensong@...ux-vs.org>, Hans Schillström <hans.schillstrom@...csson.com> Subject: Re: [patch v4.1] ipvs: IPv6 tunnel mode Am 16.10.2010 09:58, schrieb Simon Horman: > From: Hans Schillstrom <hans.schillstrom@...csson.com> > > ipvs: IPv6 tunnel mode > > IPv6 encapsulation uses a bad source address for the tunnel. > i.e. VIP will be used as local-addr and encap. dst addr. > Decapsulation will not accept this. > > Example > LVS (eth1 2003::2:0:1/96, VIP 2003::2:0:100) > (eth0 2003::1:0:1/96) > RS (ethX 2003::1:0:5/96) > > tcpdump > 2003::2:0:100 > 2003::1:0:5: > IP6 (hlim 63, next-header TCP (6) payload length: 40) > 2003::3:0:10.50991 > 2003::2:0:100.http: Flags [S], cksum 0x7312 > (correct), seq 3006460279, win 5760, options [mss 1440,sackOK,TS val > 1904932 ecr 0,nop,wscale 3], length 0 > > In Linux IPv6 impl. you can't have a tunnel with an any cast address > receiving packets (I have not tried to interpret RFC 2473) > To have receive capabilities the tunnel must have: > - Local address set as multicast addr or an unicast addr > - Remote address set as an unicast addr. > - Loop back addres or Link local address are not allowed. > > This causes us to setup a tunnel in the Real Server with the > LVS as the remote address, here you can't use the VIP address since it's > used inside the tunnel. > > Solution > Use outgoing interface IPv6 address (match against the destination). > i.e. use ip6_route_output() to look up the route cache and > then use ipv6_dev_get_saddr(...) to set the source address of the > encapsulated packet. > > Additionally, cache the results in new destination > fields: dst_cookie and dst_saddr and properly check the > returned dst from ip6_route_output. We now add xfrm_lookup > call only for the tunneling method where the source address > is a local one. > > Signed-off-by:Hans Schillstrom <hans.schillstrom@...csson.com> > > --- > > Original patch by Hans Schillstrom. > Check dst state and cache results for IPv6 by Julian Anastasov. > Subsequent revisions made by Hans Schillstrom: > > * v1 > > This is Julian's patch with a slightly edited version of the description > from Hans's original patch. > > * v2 > > Updated changelog as per commends from Julian > > * v3 > > Flowi dest address used as destination instead of rt6_info in > +ip_vs_tunnel_xmit_v6() > rt6_info somtimes contains a netw address insted of a tunnel > > * v4 > > Update destination as recommended from Julian > i.e. use &cp->daddr.in6 > > * v4.1 Simon Horman > Fix patch corruption > > Patrick, please consider this for nf-next-2.6 Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists