| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 May 2007 11:40:54 +0300 (EEST) From: Julian Anastasov <ja@....bg> To: Patrick McHardy <kaber@...sh.net> cc: Simon Horman <horms@...ge.net.au>, Janusz Krzysztofik <jkrzyszt@....icnet.pl>, David Miller <davem@...emloft.net>, netdev@...r.kernel.org Subject: Re: [IPV4] LVS: Allow to send ICMP unreachable responses when real-servers are removed Hello, On Thu, 17 May 2007, Patrick McHardy wrote: > > But what is preferred is to use VIP in ICMP. > > > > ip route add local VIP dev lo table user_defined > > > > returns RTCF_LOCAL but inet_addr_type() does not return RTN_LOCAL, > > we fix one thing but break another :) > > > Actually thats exactly the case that my patch handles. Why does it > matter which source address the ICMP packet uses, as long as its > routed properly? It should work for most of the cases but it can cause problems in closely connected hosts where using the right subnet matters. If inet_addr_type is not considered slow for routers and this local route justifies it then i have no more objections. May be Janusz should test it first without sysctl_ip_nonlocal_bind change. > In any case some better solution than the current one needs to be > found, allowing users to send spoofed packets is far worse than > using a non-desired source address for ICMP packets. yes, I would prefer the sysctl_ip_nonlocal_bind change to be removed until such solution is found. Regards -- Julian Anastasov <ja@....bg> - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists