| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 17 Nov 2015 19:57:00 -0800 From: Maciej Żenczykowski <zenczykowski@...il.com> To: Stephen Hemminger <stephen@...workplumber.org> Cc: Lorenzo Colitti <lorenzo@...gle.com>, Linux NetDev <netdev@...r.kernel.org>, Eric Dumazet <edumazet@...gle.com>, ek@...gle.com, dtor@...gle.com Subject: Re: Add a SOCK_DESTROY operation to close sockets from userspace I don't know what the right fix is... However, speaking as an end user with laptops on wifi and/or home gateways on dialup connections where the IP address occasionally (or constantly) changes, I find it very frustrating that by default as IP addresses get removed from interfaces all the related state (whether conntrack or open connections) doesn't get cleaned up. [side note: I realize there is tooling to do this manually from userspace for conntrack and that there are even some gateways that correctly make use of it.] Sure this might not be desirable on servers (where configuration is usually static and complex) but on most end user devices (CPE, cell phone, laptop) - that are prone to roaming in todays world - this (or something like this) would be super useful. I would almost argue it should be the default (or controlled by sysctl) - hung connections are super frustrating, and they often prevent normal retry logic (ie. establishing a new connection) from functioning correctly, because the kernel is just waiting for some enormous tcp (retransmit) timeouts that only make sense if we still own the IP, and userspace thinks everything is still ok... If we don't even own the IP any more often retransmits just get blackholed so you don't even get notifications from the network of packet delivery problems. Something like this either needs to be implemented in kernel, or APIs need to be provided so that network manager (or your favourite userspace network management utility) can act on behalf of the user to clean stuff up. In general I'm not in favour of embedding logic like this in the kernel since you usually get more configurability if you leave it in userspace. Sure you can hack something together via firewall hacks and routing hacks or injecting tcp resets via raw sockets, but that requires a lot of work, and still doesn't cover everything (firewall and routing hacks won't fix idle sockets, in particular those waiting for a message from the other side of the connection, ie. push notifications for a cell phone). - Maciej -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists