lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <200705311450.36492@nienna>
Date:	Thu, 31 May 2007 14:50:35 +0200
From:	KOVACS Krisztian <hidden@...abit.hu>
To:	Julian Anastasov <ja@....bg>
Cc:	David Miller <davem@...emloft.net>, kaber@...sh.net,
	horms@...ge.net.au, jkrzyszt@....icnet.pl, netdev@...r.kernel.org
Subject: Re: [IPV4] LVS: Allow to send ICMP unreachable responses when real-servers are removed


  Hi,

On Thursday 31 May 2007 02:21, Julian Anastasov wrote:
> >   I've posted a few patches making omitting this check possible
> > selectively back in March. Do those changes look acceptable?
> >
> >   http://marc.info/?l=linux-netdev&m=117310979823297&w=3
> 	Also, i'm not sure if FLOWI_FLAG_TRANSPARENT should cause
> different values for flags to be cached many times. Users without this
> flag get EINVAL when fl4_src is not configured, other failures are not
> cached too. And as fl4_src is considered in both cases (both kinds of
> callers get same path on success) we don't need changes except in
> ip_route_output_slow()? By this way I hope we can avoid any possible
> forking of cache entries just by different flags.

  Indeed, for output it probably does not matter, I've removed the flags
check from the flow index compare routine.

> 	Then we can use some more generic name, only for the flowi flag,
> eg. FLOWI_FLAG_ANYSRC or something better?

  You're right, _TRANSPARENT was a bad idea. I'm not very good at
choosing names.

  So what about this one?



Loosen source address check on IPv4 output

From: KOVACS Krisztian <hidden@...abit.hu>

ip_route_output() contains a check to make sure that no flows with
non-local source IP addresses are routed. This obviously makes using
such addresses impossible.

This patch introduces a flowi flag which makes omitting this check
possible. The new flag provides a way of handling transparent and
non-transparent connections differently.

Signed-off-by: KOVACS Krisztian <hidden@...abit.hu>
---

 include/net/flow.h |    1 +
 net/ipv4/route.c   |   47 +++++++++++++++++++++++++----------------------
 2 files changed, 26 insertions(+), 22 deletions(-)

diff --git a/include/net/flow.h b/include/net/flow.h
index f3cc1f8..1bfc0dc 100644
--- a/include/net/flow.h
+++ b/include/net/flow.h
@@ -49,6 +49,7 @@ struct flowi {
 	__u8	proto;
 	__u8	flags;
 #define FLOWI_FLAG_MULTIPATHOLDROUTE 0x01
+#define FLOWI_FLAG_ANYSRC 0x02
 	union {
 		struct {
 			__be16	sport;
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 8603cfb..88d0a79 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -2396,7 +2396,7 @@ static int ip_route_output_slow(struct rtable **rp, const struct flowi *oldflp)
 
 		/* It is equivalent to inet_addr_type(saddr) == RTN_LOCAL */
 		dev_out = ip_dev_find(oldflp->fl4_src);
-		if (dev_out == NULL)
+		if (dev_out == NULL && !(oldflp->flags & FLOWI_FLAG_ANYSRC))
 			goto out;
 
 		/* I removed check for oif == dev_out->oif here.
@@ -2407,29 +2407,32 @@ static int ip_route_output_slow(struct rtable **rp, const struct flowi *oldflp)
 		      of another iface. --ANK
 		 */
 
-		if (oldflp->oif == 0
-		    && (MULTICAST(oldflp->fl4_dst) || oldflp->fl4_dst == htonl(0xFFFFFFFF))) {
-			/* Special hack: user can direct multicasts
-			   and limited broadcast via necessary interface
-			   without fiddling with IP_MULTICAST_IF or IP_PKTINFO.
-			   This hack is not just for fun, it allows
-			   vic,vat and friends to work.
-			   They bind socket to loopback, set ttl to zero
-			   and expect that it will work.
-			   From the viewpoint of routing cache they are broken,
-			   because we are not allowed to build multicast path
-			   with loopback source addr (look, routing cache
-			   cannot know, that ttl is zero, so that packet
-			   will not leave this host and route is valid).
-			   Luckily, this hack is good workaround.
-			 */
+		if (dev_out) {
+			if (oldflp->oif == 0
+			    && (MULTICAST(oldflp->fl4_dst)
+				|| oldflp->fl4_dst == htonl(0xFFFFFFFF))) {
+				/* Special hack: user can direct multicasts
+				   and limited broadcast via necessary interface
+				   without fiddling with IP_MULTICAST_IF or IP_PKTINFO.
+				   This hack is not just for fun, it allows
+				   vic,vat and friends to work.
+				   They bind socket to loopback, set ttl to zero
+				   and expect that it will work.
+				   From the viewpoint of routing cache they are broken,
+				   because we are not allowed to build multicast path
+				   with loopback source addr (look, routing cache
+				   cannot know, that ttl is zero, so that packet
+				   will not leave this host and route is valid).
+				   Luckily, this hack is good workaround.
+				*/
+
+				fl.oif = dev_out->ifindex;
+				goto make_route;
+			}
 
-			fl.oif = dev_out->ifindex;
-			goto make_route;
-		}
-		if (dev_out)
 			dev_put(dev_out);
-		dev_out = NULL;
+			dev_out = NULL;
+		}
 	}
 
 
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ