Date: Tue, 14 Nov 2017 12:52:20 -0800
From: Girish Moodalbail <girish.moodalbail@...cle.com>
To: Stefano Brivio <sbrivio@...hat.com>
Cc: Nicolas Dichtel <nicolas.dichtel@...nd.com>, davem@...emloft.net, netdev@...r.kernel.org, Matteo Croce <mcroce@...hat.com>, Erik Kline <ek@...gle.com>
Subject: Re: [PATCH net v2] ipv6: set all.accept_dad to 0 by default

On 11/14/17 11:10 AM, Stefano Brivio wrote:
> On Tue, 14 Nov 2017 10:30:33 -0800
> Girish Moodalbail <girish.moodalbail@...cle.com> wrote:
>
>> On 11/14/17 5:21 AM, Nicolas Dichtel wrote:
>>> With commits 35e015e1f577 and a2d3f3e33853, the global 'accept_dad' flag
>>> is also taken into account (default value is 1). If either global or
>>> per-interface flag is non-zero, DAD will be enabled on a given interface.
>>>
>>> This is not backward compatible: before those patches, the user could
>>> disable DAD just by setting the per-interface flag to 0. Now, the
>>> user instead needs to set both flags to 0 to actually disable DAD.
>>>
>>> Restore the previous behaviour by setting the default for the global
>>> 'accept_dad' flag to 0. This way, DAD is still enabled by default,
>>> as per-interface flags are set to 1 on device creation, but setting
>>> them to 0 is enough to disable DAD on a given interface.
>>>
>>> - Before 35e015e1f57a7 and a2d3f3e33853:
>>>             global    per-interface    DAD enabled
>>> [default]   1         1                yes
>>>             X         0                no
>>>             X         1                yes
>>>
>>> - After 35e015e1f577 and a2d3f3e33853:
>>>             global    per-interface    DAD enabled
>>> [default]   1         1                yes
>>>             0         0                no
>>>             0         1                yes
>>>             1         0                yes
>>>
>>> - After this fix:
>>>             global    per-interface    DAD enabled
>>>             1         1                yes
>>>             0         0                no
>>> [default]   0         1                yes
>>>             1         0                yes
>>
>> Above table can be summarized to..
>>
>> - After this fix:
>>             global    per-interface    DAD enabled
>>             1         X                yes
>>             0         0                no
>> [default]   0         1                yes
>>
>> So, if global is set to '1', then irrespective of what the per-interface value
>> is DAD will be enabled. Is it not confusing. Shouldn't the more specific value
>> override the general value?
>
> Might be a bit confusing, yes, but in order to implement an overriding
> mechanism you would need to implement a tristate option as Eric K.
> proposed. That is, by default you would have -1 (meaning "don't care")
> on per-interface flags, and if this value is changed then the
> per-interface value wins over the global one.
>
> Sensible, but I think it's outside of the scope of this patch, which is
> just intended to restore a specific pre-existing userspace expectation.
>
>> On the other hand, if the global is set to '0', then per-interface value will be
>> honored (overrides global). So, the meaning of global varies based on its value.
>> Isn't that confusing as well.
>
> I don't find this confusing though. Setting the global flag always has
> the meaning of "force enabling DAD on all interfaces".
>
> You would have the same problem if you chose a logical AND between
> global and per-interface flag. There, setting the global flag would mean
> "force disabling DAD on all interfaces".
>
> So the only indisputable improvement I see here would be to implement a
> "don't care" value (either for global or for per-interface flags). But
> I'd rather agree with Nicolas that we should fix a potentially broken
> userspace assumption first.

Agree.

Thanks,
~Girish
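The "either flag non-zero" rule from the tables above, as an added example that is not part of the original message or of the kernel patch: a shell audit that reports the effective DAD state per interface and marks interfaces whose own flag is 0 while a non-zero global flag keeps DAD on. The function names, the OVERRIDDEN marker and the sample tree are constructed for illustration; the default root is the standard sysctl location for `net.ipv6.conf`.

```shell
#!/bin/sh
# dad_enabled GLOBAL IFACE -> prints yes/no.
# Rule as stated in the thread: DAD is on if either flag is non-zero.
dad_enabled() {
    if [ "$1" -ne 0 ] || [ "$2" -ne 0 ]; then echo yes; else echo no; fi
}

# audit_dad [CONF_ROOT] -> one line per interface:
#   <iface> global=<g> iface=<i> dad=<yes|no> [OVERRIDDEN]
# OVERRIDDEN: the interface flag is 0 but the global flag keeps DAD enabled.
audit_dad() {
    root=${1:-/proc/sys/net/ipv6/conf}
    [ -r "$root/all/accept_dad" ] || { echo "no $root/all/accept_dad" >&2; return 1; }
    global=$(cat "$root/all/accept_dad")
    for dir in "$root"/*; do
        name=${dir##*/}
        # "all" is the global flag; "default" only seeds new interfaces.
        case $name in all|default) continue ;; esac
        [ -r "$dir/accept_dad" ] || continue
        val=$(cat "$dir/accept_dad")
        state=$(dad_enabled "$global" "$val")
        note=
        if [ "$val" -eq 0 ] && [ "$state" = yes ]; then note=" OVERRIDDEN"; fi
        echo "$name global=$global iface=$val dad=$state$note"
    done
}

# make_sample_tree GLOBAL -> prints the path of a constructed conf tree
# (sample data, not read from a real system).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/all" "$t/default" "$t/eth0" "$t/eth1"
    echo "$1" > "$t/all/accept_dad"
    echo 1 > "$t/default/accept_dad"
    echo 1 > "$t/eth0/accept_dad"
    echo 0 > "$t/eth1/accept_dad"   # admin set 0 to disable DAD on eth1
    echo "$t"
}

# Demo on constructed data: global=1 (default after the two commits)
# versus global=0 (default after this fix).
for g in 1 0; do
    tree=$(make_sample_tree "$g")
    audit_dad "$tree"
    rm -rf "$tree"
done
```

Calling `audit_dad` with no argument reads the live values under `/proc/sys/net/ipv6/conf`.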