lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 10 Nov 2013 22:51:54 -0800 From: Alexei Starovoitov <ast@...mgrid.com> To: Maciej Żenczykowski <zenczykowski@...il.com> Cc: Nicolas Dichtel <nicolas.dichtel@...nd.com>, "David S. Miller" <davem@...emloft.net>, Linux NetDev <netdev@...r.kernel.org> Subject: Re: spurious ip forwarding inside namespaces On Sun, Nov 10, 2013 at 9:12 PM, Maciej Żenczykowski <zenczykowski@...il.com> wrote: > I've already suggested a month or so back that that patch should be reverted. Isaku's email (author of offending patch) was bouncing whole week. Didn't have time last week to come up with a good fix. Reverting fixes 'spurious ip forwarding', but Isaku's original problem needs to be fixed somehow. May be going through loopback should set pkt_type? Alexei > On Tue, Nov 5, 2013 at 8:32 PM, Alexei Starovoitov <ast@...mgrid.com> wrote: >> Hi All, >> >> commit 06a23fe31c >> "core/dev: set pkt_type after eth_type_trans() in dev_forward_skb()" >> and refactoring 64261f230a >> "dev: move skb_scrub_packet() after eth_type_trans()" >> >> are forcing pkt_type to be PACKET_HOST when skb traverses veth. >> >> which means that ip forwarding will kick in inside netns >> even if skb->eth->h_dest != dev->dev_addr >> >> The way we hit the problem is the following: >> create 4 or more of netns with veth and attach them to a bridge. >> disable learning on a bridge (via setageing 0), so it will flood >> packets to all namespaces. >> Since ip forwarding and icmp redirect by default is on, >> single icmp request packet from one netns creates a storm of packets, >> since every netns receives it and incorrectly does ip forward on it >> and also incorrectly sends icmp redirect which are multiplied once >> again by flooding in the bridge. >> ping -c1 generates 1 outgoing packet and ~13K incoming packets with >> just 4 netns. >> Running any tcp traffic between such namespaces becomes impossible >> and ksoftirqd cpu usage goes to 100% on all cpus. >> >> Please suggest how to fix this cleanly. >> >> Thanks >> Alexei >> -- >> To unsubscribe from this list: send the line "unsubscribe netdev" in >> the body of a message to majordomo@...r.kernel.org >> More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists