Date: Wed, 27 Mar 2024 14:05:17 +0100
From: Eric Dumazet <edumazet@...gle.com>
To: Jakub Kicinski <kuba@...nel.org>
Cc: Neal Cardwell <ncardwell@...gle.com>, Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org
Subject: Re: ICMP_PARAMETERPROB and ICMP_TIME_EXCEEDED during connect

On Wed, Mar 27, 2024 at 12:55 AM Jakub Kicinski <kuba@...nel.org> wrote:
>
> On Tue, 26 Mar 2024 23:03:26 +0100 Neal Cardwell wrote:
> > On Tue, Mar 26, 2024 at 9:34 PM Jakub Kicinski <kuba@...nel.org> wrote:
> > >
> > > Hi!
> > >
> > > I got a report from a user surprised/displeased that ICMP_TIME_EXCEEDED
> > > breaks connect(), while TCP RFCs say it shouldn't. Even pointing a
> > > finger at Linux, RFC5461:
> > >
> > >    A number of TCP implementations have modified their reaction to all
> > >    ICMP soft errors and treat them as hard errors when they are received
> > >    for connections in the SYN-SENT or SYN-RECEIVED states.  For example,
> > >    this workaround has been implemented in the Linux kernel since
> > >    version 2.0.0 (released in 1996) [Linux].  However, it should be
> > >    noted that this change violates section 4.2.3.9 of [RFC1122], which
> > >    states that these ICMP error messages indicate soft error conditions
> > >    and that, therefore, TCP MUST NOT abort the corresponding connection.
> > >
> > > Is there any reason we continue with this behavior or is it just that
> > > nobody ever sent a patch?
> >
> > Back in November of 2023 Eric did merge a patch to bring the
> > processing in line with section 4.2.3.9 of [RFC1122]:
> >
> > 0a8de364ff7a tcp: no longer abort SYN_SENT when receiving some ICMP
> >
> > However, the fixed behavior did not meet some expectations of Vagrant
> > (see the netdev thread "Bug report connect to VM with Vagrant"), so
> > for now it got reverted:
> >
> > b59db45d7eba tcp: Revert no longer abort SYN_SENT when receiving some ICMP
> >
> > I think the hope was to root-cause the Vagrant issue, fix Vagrant's
> > assumptions, then resubmit Eric's commit. Eric mentioned on Jan 8,
> > 2024: "We will submit the patch again for 6.9, once we get to the root
> > cause." But I don't think anyone has had time to do that yet.
>
> Ah.
>
> Thank you!!

For the record, Leon Romanovsky brought this issue directly to Linus
Torvalds, stating that I broke things.

It took weeks before Shachar did some debugging, but with no
conclusion I recall.

This kind of stuff makes me not very eager to work on this point.
