| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Aug 2012 12:55:14 +0200 (CEST) From: "Hans Schillstrom" <hans@...illstrom.com> To: "Patrick McHardy" <kaber@...sh.net> Cc: "Jesper Dangaard Brouer" <brouer@...hat.com>, netdev@...r.kernel.org, lvs-devel@...r.kernel.org, "Julian Anastasov" <ja@....bg>, "Simon Horman" <horms@...ge.net.au>, "Wensong Zhang" <wensong@...ux-vs.org>, netfilter-devel@...r.kernel.org Subject: Re[2]: [PATCH 2/3] ipvs: Fix faulty IPv6 extension header handling in IPVS > >On Mon, 20 Aug 2012, Jesper Dangaard Brouer wrote: > >> Based on patch from: Hans Schillstrom >> >> IPv6 headers must be processed in order of appearance, >> neither can it be assumed that Upper layer headers is first. >> If anything else than L4 is the first header IPVS will throw it. >> >> IPVS will write SNAT & DNAT modifications at a fixed pos which >> will corrupt the message. Proper header position must be found >> before writing modifying packet. >> >> This patch contains a lot of API changes. This is done, to avoid >> the costly scan of finding the IPv6 headers, via ipv6_find_hdr(). >> Finding the IPv6 headers is done as early as possible, and passed >> on as a pointer "struct ip_vs_iphdr *" to the affected functions. > >How about we change netfilter to set up the skb's transport header >at an early time so we can avoid all (most of) these header scans >in netfilter? I think that would be great, maybe it should be global i.e. not only a netfilter issue. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists