lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5AB12A0E.2060704@ORACLE.COM>
Date:   Tue, 20 Mar 2018 17:34:38 +0200
From:   Liran Alon <LIRAN.ALON@...CLE.COM>
To:     David Miller <davem@...emloft.net>
CC:     netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        idan.brown@...CLE.COM, yuval.shaia@...CLE.COM
Subject: Re: [PATCH] net: dev_forward_skb(): Scrub packet's per-netns info
 only when crossing netns



On 20/03/18 16:47, David Miller wrote:
> From: Liran Alon <liran.alon@...cle.com>
> Date: Tue, 13 Mar 2018 17:07:22 +0200
>
>> Before this commit, dev_forward_skb() always cleared packet's
>> per-network-namespace info. Even if the packet doesn't cross
>> network namespaces.
>
> There was a lot of discussion about this patch.
>
> Particularly whether it could potentially break current
> users or not.
>
> If this is resolved and the patch should still be applied,
> please repost and the folks involved in this dicussion should
> add their ACKs.
>
> Thanks.
>

The problem is that I don't think we have reached an agreement.
I would be happy to here your opinion on the issue at hand here.

I personally don't understand why we should maintain 
backwards-comparability to this behaviour. How would a user rely on the 
fact that skb->mark is scrubbed when it is passed between 2 netdevs on 
the same netns but only when it is passed between very specific netdev 
type (one of them being veth-peers).
This behaviour seems to have been created by mistake.
This feature is not documented to user-mode and I don't see why it is 
legit for the user to rely on it.

In addition, even if we do want to maintain backwards-comparability to 
this behaviour, I think it is enough to have an opt-in flag in 
/proc/sys/net/core/ that when set to 1 will activate the fix in 
dev_forward_skb() provided by this patch. That would also be a very 
simple change to the patch provided here.

Do you agree? Or do you think we should have a flag per netdev like 
suggested in other replies to this thread?

Thanks,
-Liran


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ