lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <46489F5C.4000801@trash.net>
Date:	Mon, 14 May 2007 19:41:48 +0200
From:	Patrick McHardy <kaber@...sh.net>
To:	Janusz Krzysztofik <jkrzyszt@....icnet.pl>
CC:	David Miller <davem@...emloft.net>, horms@...ge.net.au,
	netdev@...r.kernel.org
Subject: Re: [IPV4] LVS: Allow to send ICMP unreachable responses when real-servers
 are removed

Janusz Krzysztofik wrote:
> Patrick McHardy wrote:
> 
>> Janusz Krzysztofik wrote:
>>
>>> ... ICMP port unreachable messages are not generated inside
>>> IPVS code, they are just sent, with help of the patch in question, from
>>> udp_input() or netfilter REJECT.
>>
>>
>> Both use icmp_send(), which should always pick a local source, so I
>> don't understand why this change was needed. Could you describe
>> the specific case when the packet generated by icmp_send() does
>> not have a local source?
> 
> 
> Yes, it happens when a packet with a non-local destination IP address is
> routed localy in order to reach ip_vs_in(), but is not catched there
> because of no associated connection and no matching service, so it is
> passed through and ends up in udp_input(). Then, inside udp_input(),
> icmp_send() is invoked with original non-local destination IP as source
> address.


So you're adding a local route for non-local destination and the
address selection in icmp_send() uses the original destination
address as source because the route has RTCF_LOCAL set, resulting
in an error in ip_route_output_slow().

If thats correct than this patch should also work, it changes
icmp_send() to check if the original destination address is
non-local when deciding whether to pick a new address (and
reverts the routing changes).

Signed-off-by: Patrick McHardy <kaber@...sh.net>

View attachment "x" of type "text/plain" (1311 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ