lists.openwall.net - Open Source and information security mailing list archives
Date: Sat, 22 Feb 2014 10:44:19 +0200
From: Timo Teras <timo.teras@....fi>
To: netdev@...r.kernel.org
Subject: probe netlink app in NUD_PROBE

When a stale or delayed neigh entry is being re-validated, the entry goes to the NUD_PROBE state. At the moment only unicast probes are sent. This is basically because neigh_max_probes() limits the probe amount so.

Now, opennhrp intentionally configures UCAST_PROBES and MCAST_PROBES to zero and APP_PROBES to something meaningful. The idea is that opennhrp replaces arp completely with NHRP implemented in userland.

Due to this it seems there is a very small time window, when the NUD_PROBE times out and the neighbour entry gets invalidated, and packets get lost.

To remedy this, I would like to have these NUD_PROBE validations sent via netlink too. First choice is to change to just use both unicast and application probes:

diff --git a/net/core/neighbour.c b/net/core/neighbour.c index b9e9e0d..36d3f8c 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -836,10 +836,10 @@ out: static __inline__ int neigh_max_probes(struct neighbour *n) { struct neigh_parms *p = n->parms; - return (n->nud_state & NUD_PROBE) ? - NEIGH_VAR(p, UCAST_PROBES) : - NEIGH_VAR(p, UCAST_PROBES) + NEIGH_VAR(p, APP_PROBES) + - NEIGH_VAR(p, MCAST_PROBES); + int max_probes = NEIGH_VAR(p, UCAST_PROBES) + NEIGH_VAR(p, APP_PROBES); + if (!(n->nud_state & NUD_PROBE)) + max_probes += NEIGH_VAR(p, MCAST_PROBES); + return max_probes; } static void neigh_invalidate(struct neighbour *neigh)

On default configuration there is no behaviour change, as APP_PROBES defaults to zero. I'm not sure if other ARPD programs than opennhrp are currently commonly used. If that feels risky, the alternative would be:

diff --git a/net/core/neighbour.c b/net/core/neighbour.c index b9e9e0d..8bb320b 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -836,9 +836,11 @@ out: static __inline__ int neigh_max_probes(struct neighbour *n) { struct neigh_parms *p = n->parms; - return (n->nud_state & NUD_PROBE) ? - NEIGH_VAR(p, UCAST_PROBES) : - NEIGH_VAR(p, UCAST_PROBES) + NEIGH_VAR(p, APP_PROBES) + + + if (n->nud_state & NUD_PROBE) + return NEIGH_VAR(p, UCAST_PROBES) ? : NEIGH_VAR(p, APP_PROBES); + + return NEIGH_VAR(p, UCAST_PROBES) + NEIGH_VAR(p, APP_PROBES) + NEIGH_VAR(p, MCAST_PROBES); }

In which the netlink would be used only if unicast probes are turned off.

Any preference as to which to send, formatted formally?

- Timo
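Review bot: on the first hunk (index b9e9e0d..36d3f8c), the changelog needs to state the user-visible change explicitly and carry a Signed-off-by: for any system with APP_PROBES > 0, not only opennhrp, an entry in NUD_PROBE will now keep probing via netlink after its unicast probes are used up, so "no behaviour change on default configuration" is true only because APP_PROBES defaults to zero. The new `max_probes` accumulator itself reads well; a one-line comment above `+ if (!(n->nud_state & NUD_PROBE))` saying that multicast probes are deliberately left out while re-validating a previously reachable entry would save the next reader from re-deriving that from the removed ternary.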
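Review bot: on the second hunk (index b9e9e0d..8bb320b), the GNU `? :` shorthand in `+ return NEIGH_VAR(p, UCAST_PROBES) ? : NEIGH_VAR(p, APP_PROBES);` hides the policy; an explicit `if (NEIGH_VAR(p, UCAST_PROBES)) return NEIGH_VAR(p, UCAST_PROBES); return NEIGH_VAR(p, APP_PROBES);` makes it obvious that application probes count in NUD_PROBE only when unicast probes are configured to zero, which is exactly where this variant diverges from the first one (a box with both UCAST_PROBES and APP_PROBES non-zero gets unicast probes only here, and the sum of both in the first patch). Whichever variant is sent, that rule should be spelled out in the changelog, since it is the only thing a reader of the resulting code cannot infer from the defaults.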
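To make the window the mail describes concrete, the following is an added example written for this page, not Timo's patch and not kernel code: it models the current neigh_max_probes() and the two proposed variants in plain userland C and, for a few constructed configurations, prints the probe budget each policy grants in NUD_PROBE and whether the entry would be failed before a single probe goes out. The struct probe_parms type, the IN_PROBE flag and the cfg_* values are stand-ins for NEIGH_VAR(), nud_state and real sysctl settings; the "opennhrp" row follows the configuration described in the mail, and the "mixed" row is there to show where the two variants give different answers.

```c
#include <stdio.h>

/*
 * Constructed model of the three neigh_max_probes() policies discussed in the
 * mail: the current kernel logic and the two proposed variants.  The struct
 * and function names are this example's own, not the kernel's; NEIGH_VAR()
 * reads are replaced by plain fields.
 */
struct probe_parms {
	int ucast_probes;	/* ucast_solicit: unicast probes to the known address */
	int app_probes;		/* app_solicit: probes delegated to userland via netlink */
	int mcast_probes;	/* mcast_solicit: broadcast/multicast probes */
};

/* Stand-in for testing the NUD_PROBE bit of neigh->nud_state. */
#define IN_PROBE	1
#define NOT_IN_PROBE	0

/* Pre-patch: while re-validating (NUD_PROBE) only unicast probes count. */
static int max_probes_current(const struct probe_parms *p, int in_probe)
{
	if (in_probe)
		return p->ucast_probes;
	return p->ucast_probes + p->app_probes + p->mcast_probes;
}

/* First patch in the mail: unicast + application probes in NUD_PROBE. */
static int max_probes_variant1(const struct probe_parms *p, int in_probe)
{
	int max_probes = p->ucast_probes + p->app_probes;

	if (!in_probe)
		max_probes += p->mcast_probes;
	return max_probes;
}

/* Second patch in the mail: application probes only when unicast is off. */
static int max_probes_variant2(const struct probe_parms *p, int in_probe)
{
	if (in_probe)
		return p->ucast_probes ? p->ucast_probes : p->app_probes;
	return p->ucast_probes + p->app_probes + p->mcast_probes;
}

/*
 * Simplified form of the timer-handler decision: once the probes already
 * sent reach the budget, the entry is marked failed and its queued packets
 * are dropped.  A budget of zero therefore fails the entry immediately,
 * which is the packet-loss window the mail reports for the opennhrp setup.
 */
static int probe_budget_exhausted(int (*policy)(const struct probe_parms *, int),
				  const struct probe_parms *p, int probes_sent)
{
	return probes_sent >= policy(p, IN_PROBE);
}

/* Constructed configurations (sysctl-style values, not read from a live box). */
static const struct probe_parms cfg_default  = { 3, 0, 3 };	/* kernel defaults */
static const struct probe_parms cfg_opennhrp = { 0, 2, 0 };	/* ARP replaced by NHRP in userland */
static const struct probe_parms cfg_mixed    = { 3, 2, 3 };	/* unicast and app probes both on */

int main(void)
{
	const struct { const char *name; const struct probe_parms *p; } cfgs[] = {
		{ "default",  &cfg_default },
		{ "opennhrp", &cfg_opennhrp },
		{ "mixed",    &cfg_mixed },
	};
	size_t i;

	printf("%-9s %8s %8s %8s  %s\n", "config", "current", "variant1",
	       "variant2", "fails at once under current?");
	for (i = 0; i < sizeof(cfgs) / sizeof(cfgs[0]); i++) {
		const struct probe_parms *p = cfgs[i].p;

		printf("%-9s %8d %8d %8d  %s\n", cfgs[i].name,
		       max_probes_current(p, IN_PROBE),
		       max_probes_variant1(p, IN_PROBE),
		       max_probes_variant2(p, IN_PROBE),
		       probe_budget_exhausted(max_probes_current, p, 0) ? "yes" : "no");
	}
	return 0;
}
```

Reading the table: under the current logic the opennhrp configuration has a NUD_PROBE budget of zero, so the entry fails on the first timer tick with no probe sent; both variants give it the two application probes instead. The rows only disagree for the mixed configuration, where variant 1 sums unicast and application probes and variant 2 keeps unicast only, which is the trade-off the mail asks the list to choose between.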