lists.openwall.net
Open Source and information security mailing list archives
Date:	Fri, 01 Feb 2013 00:48:30 +0100
From:	Pedro Garcia <pedro.netdev@...devamos.com>
To:	<netdev@...r.kernel.org>
Subject: [BUG?] ip forwarding keeps L2 vlan_tci priority (or looks like)


I have recently found out (3.2.0 kernel) that forwarded packets leave 
the outgoing device with L2 802.1p marking (VLAN 0, prio mark on the 
skb->vlan_tci), but I have no VLANs configured on the system (even 8021q 
module is not loaded).

It looks like when forwarding a packet, skb->vlan_tci keeps the 
priority from the incoming packet, but IMHO I think a L3 router should 
never forward L2 marking (unless somehow configured by the network 
administrator).

The result is that in my home network, my iPad marks some traffic with 
QoS but my old DSL router (with a 2.6.26 kernel, no way to upgrade) will 
gently drop those packets... (I know the issue in that kernel with VLAN 
0 packets, as I wrote a patch around it a couple of years ago, but it 
was for a later version of the kernel). As a side effect, some traffic 
will never leave my home network to Internet if the user device uses QoS 
(so no Youtube on HTML5 or IPSEC from my home network on my iOS devices 
since I upgraded my Linux gateway to kernel 3.2)...

I can try to fix this and submit a patch, if it is commonly agreed that 
L2 marking should never traverse by default L3 forwarding.

Also, I have written a xtables filter to properly manage VLAN 0 QoS 
marking from / to tc class priorities (skb->priority). I will probably 
submit it to netfilter-devel, if they think it is worth it: I am 
currently using it and happy again :-), as it has the side effect of 
removing the VLAN 0 tci using the proper priomap. It allows setting 
ingress priority from vlan_tci and marking 802.1p priority (1q with VLAN 
0) based on egress priority, but I think this is discussion for 
netfilter-devel.


Best regards,
Pedro
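
Added example (not part of the original message and not kernel code): a user-space C check that decodes the 802.1Q TCI of a raw Ethernet frame, recognises the priority-tagged case described above (tag present, VLAN ID 0, 802.1p bits set) and strips the tag. The names `vlan_parse`, `is_priority_tagged` and `strip_priority_tag` are hypothetical, and the sample frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HDR_LEN  14      /* dst MAC + src MAC + EtherType */
#define VLAN_TAG_LEN 4       /* TPID + TCI */
#define TPID_8021Q   0x8100

/* Constructed sample: 802.1Q tag with PCP 5, VID 0, inner EtherType IPv4. */
const uint8_t SAMPLE_FRAME[] = {
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,   /* destination MAC */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x02,   /* source MAC */
    0x81, 0x00, 0xA0, 0x00,               /* TPID 0x8100, TCI 0xA000 */
    0x08, 0x00, 0x45, 0x00                /* inner EtherType, payload start */
};

struct vlan_info {
    int      tagged;   /* 1 if an 802.1Q tag is present */
    uint8_t  pcp;      /* 802.1p priority, TCI bits 15..13 */
    uint16_t vid;      /* VLAN ID, TCI bits 11..0 */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Decode the outer 802.1Q tag. Returns 0 on success, -1 if the frame is truncated. */
int vlan_parse(const uint8_t *frame, size_t len, struct vlan_info *out)
{
    memset(out, 0, sizeof(*out));
    if (len < ETH_HDR_LEN)
        return -1;
    if (rd16(frame + 12) != TPID_8021Q)
        return 0;                          /* untagged frame */
    if (len < ETH_HDR_LEN + VLAN_TAG_LEN)
        return -1;
    uint16_t tci = rd16(frame + 14);
    out->tagged = 1;
    out->pcp = (uint8_t)(tci >> 13);
    out->vid = tci & 0x0fff;
    return 0;
}

/* Priority-tagged frame: tag present but VLAN ID 0, so only the 802.1p bits carry meaning. */
int is_priority_tagged(const struct vlan_info *v) { return v->tagged && v->vid == 0; }

/* Remove a VID 0 tag in place; returns the new length (unchanged if not applicable). */
size_t strip_priority_tag(uint8_t *frame, size_t len)
{
    struct vlan_info v;
    if (vlan_parse(frame, len, &v) != 0 || !is_priority_tagged(&v))
        return len;
    memmove(frame + 12, frame + 16, len - 16);   /* slide inner EtherType over the tag */
    return len - VLAN_TAG_LEN;
}
```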