| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 01 Dec 2015 11:15:29 +0100 From: Hannes Frederic Sowa <hannes@...essinduktion.org> To: Konstantin Shemyak <konstantin@...myak.com>, netdev@...r.kernel.org, pshelar@...ira.com Subject: Re: IPv4 tunnels: why IP-IP and SIT enforce DF bit, but GRE does not? Hello, On Thu, Nov 26, 2015, at 19:28, Konstantin Shemyak wrote: > The kernel has taken the decision to always enforce DF bit on IPv4 > tunnels, which have fixed (not inherited) TTL (e.g. > net/ipv4/ipip.c:ipip_tunnel_ioctl()). Commment by Alexey Kuznetsov in > the head of ip_gre.c explains that the reason is attempting to avoid > network loops. > > But the commit c54419321455631 removed this enforcing from GRE tunnels, > not changing this behavior for IP-IP (net/ipv4/ipip.c) and SIT > (net/ipv6/sit.c). > > It can be discussed whether such enforcing of DF bit is exactly the > desired behavior, but shouldn't it at least be identical across IPv4 > tunnels? Very simple, I would like to see DF bit being enforced in case we have a static TTL. Parvin, any reasons you removed this code? It is currently the only way to make sure the network does not kill itself in an endless loop on configuration mistakes. Thanks for noticing, Hannes -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists