lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 4 Aug 2015 21:40:56 -0700
From:	Joe Stringer <joestringer@...ira.com>
To:	Thomas Graf <tgraf@...g.ch>
Cc:	Hannes Frederic Sowa <hannes@...hat.com>,
	Linux Netdev List <netdev@...r.kernel.org>,
	Linux Kernel <linux-kernel@...r.kernel.org>,
	Pablo Neira Ayuso <pablo@...filter.org>,
	Patrick McHardy <kaber@...sh.net>,
	Justin Pettit <jpettit@...ira.com>,
	Pravin Shelar <pshelar@...ira.com>,
	Andy Zhou <azhou@...ira.com>, Jesse Gross <jesse@...ira.com>,
	Florian Westphal <fwestpha@...hat.com>
Subject: Re: [PATCH net-next 1/9] openvswitch: Scrub packet in ovs_vport_receive()

On 1 August 2015 at 12:17, Thomas Graf <tgraf@...g.ch> wrote:
> On 07/31/15 at 10:51am, Joe Stringer wrote:
>> On 31 July 2015 at 07:34, Hannes Frederic Sowa <hannes@...hat.com> wrote:
>> > In general, this shouldn't be necessary as the packet should already be
>> > scrubbed before they arrive here.
>> >
>> > Could you maybe add a WARN_ON and check how those skbs with conntrack
>> > data traverse the stack? I also didn't understand why make it dependent
>> > on the socket.
>>
>> OK, sure. One case I could think of is with an OVS internal port in
>> another namespace, directly attached to the bridge. I'll have a play
>> around with WARN_ON and see if I can come up with something more
>> trimmed down.
>
> The OVS internal port will definitely pass through an unscrubbed
> packet across namespaces. I think the proper thing to do would be
> to scrub but conditionally keep metadata.

It's only "unscrubbed" when receiving from local stack at the moment.
Some pieces are cleared when handing towards the local stack, and
there's no configuration for that behaviour. Presumably internal port
transmit and receive should mirror each other?

I don't have a specific use case either way. The remaining code for
this series handles this case correctly, it's just a matter of what
behaviour we're looking for. We could implement the flag as you say, I
presume that userspace would need to specify this during vport
creation and the default should work similar to the existing behaviour
(ie, keep metadata). One thing that's not entirely clear to me is
exactly which metadata should be represented by this flag and whether
the single flag is expressive enough.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ