lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 7 Jun 2016 16:28:18 -0600
From:	Philip Prindeville <philipp_subx@...fish-solutions.com>
To:	Hannes Frederic Sowa <hannes@...essinduktion.org>,
	netdev@...r.kernel.org
Cc:	Stephen Hemminger <stephen@...workplumber.org>
Subject: Re: [PATCH net-next] net: ipv4: Add ability to have GRE ignore DF bit
 in IPv4 payloads



On 06/07/2016 04:23 PM, Hannes Frederic Sowa wrote:
> On 07.06.2016 22:42, Philip Prindeville wrote:
>> On 06/07/2016 02:23 PM, Hannes Frederic Sowa wrote:
>>> On Tue, Jun 7, 2016, at 21:48, Philip Prindeville wrote:
>>>>    static struct rtnl_link_ops ipgre_link_ops __read_mostly = {
>>>> diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
>>>> index d8f5e0a..95649eb 100644
>>>> --- a/net/ipv4/ip_tunnel.c
>>>> +++ b/net/ipv4/ip_tunnel.c
>>>> @@ -682,7 +682,7 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct
>>>> net_device *dev,
>>>>        }
>>>>          df = tnl_params->frag_off;
>>>> -       if (skb->protocol == htons(ETH_P_IP))
>>>> +       if (skb->protocol == htons(ETH_P_IP) && !tunnel->ignore_df)
>>>>            df |= (inner_iph->frag_off&htons(IP_DF));
>>>>          max_headroom = LL_RESERVED_SPACE(rt->dst.dev) + sizeof(struct
>>>> iphdr)
>>> Is still enforce that we inherit the ttl from the inner header to the
>>> outer header if we don't set df bit?
>>>
>>> Thanks,
>>> Hannes
>> That's correct.  That happens a few lines above and we don't change that
>> behavior with this patch.
> It should be discouraged to use this feature, but I have to admit that I
> already used stripping of DF bit, too.
>
> Acked-by: Hannes Frederic Sowa <hannes@...essinduktion.org>
>
> Thanks,
> Hannes

Yeah, it's admittedly a kludge to get around broken customer firewalls 
which are discarding ICMP's they have no business filtering.

It's the "least ugly workaround" in this scenario.

If you have control over the offending firewalls, it's easier (and 
better) to fix them than configuring this option... but sometimes you 
have to put up with other people having broken equipment on your network.

-Philip

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ