lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALnjE+pQnUGiiuWPGt7fNnBetwdn7SQReDqCHDforX7ykQQR8Q@mail.gmail.com>
Date:	Wed, 19 Nov 2014 11:08:35 -0800
From:	Pravin Shelar <pshelar@...ira.com>
To:	Joe Stringer <joestringer@...ira.com>
Cc:	"dev@...nvswitch.org" <dev@...nvswitch.org>,
	netdev <netdev@...r.kernel.org>,
	LKML <linux-kernel@...r.kernel.org>
Subject: Re: [ovs-dev] [PATCH net] openvswitch: Fix mask generation for IPv6 labels.

On Wed, Nov 19, 2014 at 9:48 AM, Joe Stringer <joestringer@...ira.com> wrote:
> On Wednesday, November 19, 2014 00:11:01 Pravin Shelar wrote:
>> On Tue, Nov 18, 2014 at 11:25 PM, Joe Stringer <joestringer@...ira.com>
> wrote:
>> > On 18 November 2014 22:09, Pravin Shelar <pshelar@...ira.com> wrote:
>> >> On Tue, Nov 18, 2014 at 10:54 AM, Joe Stringer <joestringer@...ira.com>
>> >>
>> >> wrote:
>> >> > When userspace doesn't provide a mask, OVS datapath generates a fully
>> >> > unwildcarded mask for the flow. This is done by taking a copy of the
>> >> > flow key, then iterating across its attributes, setting all values to
>> >> > 0xff. This works for most attributes, as the length of the netlink
>> >> > attribute typically matches the length of the value. However, IPv6
>> >> > labels only use the lower 20 bits of the field. This patch makes a
>> >> > special case to handle this.
>> >> >
>> >> > This fixes the following error seen when installing IPv6 flows without
>> >> > a mask:
>> >> >
>> >> > openvswitch: netlink: Invalid IPv6 flow label value (value=ffffffff,
>> >> > max=fffff)
>> >>
>> >> We should allow exact match mask here rather than generating
>> >> wildcarded mask. So that ovs can catch invalid ipv6.label.
>> >
>> > I don't quite follow, I thought this was exact-match? (The existing
>> > function sets all bits to 1)
>>
>> With 0xffffffff value we can exact match on all ipv6.lable bits.
>
> The label field is only 20 bits. The other bits in the same word of the IPv6
> header are for version (fixed) and traffic class (handled separately). We don't
> do anything with the other bits.

This is just to make sure that we do not use those field for any thing
else. Masking those extra bits can hide incorrect ipv6 key extraction.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ