lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 26 Aug 2013 12:46:27 +0200 From: Hannes Frederic Sowa <hannes@...essinduktion.org> To: Steffen Klassert <steffen.klassert@...unet.com> Cc: David Miller <davem@...emloft.net>, netdev@...r.kernel.org Subject: Re: Problematic commits in the ipsec tree On Mon, Aug 26, 2013 at 11:41:45AM +0200, Steffen Klassert wrote: > On Fri, Aug 23, 2013 at 02:49:11PM +0200, Hannes Frederic Sowa wrote: > > > > This could be the replacement for patch 1/2 to reassemble old behaviour > > without touching ip6_skb_dst_mtu if the socket type is not an IPv6 one. > > > > I would still like to look if we could correctly handle *_PMTUDISC_PROBE one > > day and fallback to dst_mtu(dst->path) if possible. So I don't know if > > removing xfrm_skb_dst_mtu is good style and would just make churn in the git > > history. What do you think? > > Currently I think we can call dst_mtu() unconditionally from > __xfrm6_output(), then we would not need xfrm_skb_dst_mtu(). > But this needs further investigation, IPsec pmtu discovery > was frequently broken in the past and I don't want to break > it again. My idea was something like | struct ipv6_pinfo *np = ...; | int mtu = (np && np->pmtudisc == IPV6_PMTUDISC_PROBE) ? | dst_mtu(skb_dst(skb)->path) : dst_mtu(skb_dst(skb)); But I don't know if this does actually anything good and where the dispatch of dst_mtu goes to. My idea was to avoid the dst_metric_raw(dst, RTAX_MTU) call in xfrm_mtu in case of IPV6_PMTUDISC_PROBE. > > [PATCH ipsec 1/2] xfrm: revert ipv4 mtu determination to dst_mtu > > > > In commit 0ea9d5e3e0e03a63b11392f5613378977dae7eca ("xfrm: introduce > > helper for safe determination of mtu") I switched the determination of > > ipv4 mtus from dst_mtu to ip_skb_dst_mtu. This was an error because in > > case of IP_PMTUDISC_PROBE we fall back to the interface mtu, which is > > never correct for ipv4 ipsec. > > > > This patch partly reverts 0ea9d5e3e0e03a63b11392f5613378977dae7eca > > ("xfrm: introduce helper for safe determination of mtu"). > > > > I think with this and you other patch, we get the all the > interfamily tunnel problems fixed for now. Everything else > should be done in ipsec-next. Fully ACK. > Please resend the whole patchset, so we can get it fixed soon. > > Tanks a lot! Sorry for holding back your tree for so long to get merged. Thanks, Hannes -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists