Message-Id: <1182337041.15676.23.camel@bzorp.balabit>
Date: Wed, 20 Jun 2007 10:57:20 +0000
From: Balazs Scheidler <bazsi@...abit.hu>
To: Julian Anastasov <ja@....bg>
Cc: KOVACS Krisztian <hidden@...abit.hu>, David Miller <davem@...emloft.net>, kaber@...sh.net, horms@...ge.net.au, jkrzyszt@....icnet.pl, netdev@...r.kernel.org
Subject: Re: [IPV4] LVS: Allow to send ICMP unreachable responses when real-servers are removed

Hi,

Is there a chance that this, or a patch with similar spirit (e.g. a way to send packets from non-local IP addresses) could be merged?

On Fri, 2007-06-01 at 02:18 +0300, Julian Anastasov wrote:
> Hello,
>
> On Thu, 31 May 2007, KOVACS Krisztian wrote:
>
> > So what about this one?
>
> Maybe we can try with better coding style. Also, this version
> adds undefined behavior for using FLOWI_FLAG_ANYSRC with multicast
> oldflp->fl4_dst
>
> > Loosen source address check on IPv4 output
> >
> > From: KOVACS Krisztian <hidden@...abit.hu>
> >
> > ip_route_output() contains a check to make sure that no flows with
> > non-local source IP addresses are routed. This obviously makes using
> > such addresses impossible.
> >
> > This patch introduces a flowi flag which makes omitting this check
> > possible. The new flag provides a way of handling transparent and
> > non-transparent connections differently.
> >
> > Signed-off-by: KOVACS Krisztian <hidden@...abit.hu>
> > ---
> >
> > include/net/flow.h | 1 +
> > net/ipv4/route.c | 47 +++++++++++++++++++++++++----------------------
> > 2 files changed, 26 insertions(+), 22 deletions(-)
> >
> > diff --git a/include/net/flow.h b/include/net/flow.h > > index f3cc1f8..1bfc0dc 100644 > > --- a/include/net/flow.h > > +++ b/include/net/flow.h > > @@ -49,6 +49,7 @@ struct flowi { > > __u8 proto; > > __u8 flags; > > #define FLOWI_FLAG_MULTIPATHOLDROUTE 0x01 > > +#define FLOWI_FLAG_ANYSRC 0x02 > > union { > > struct { > > __be16 sport; > > diff --git a/net/ipv4/route.c b/net/ipv4/route.c > > index 8603cfb..88d0a79 100644 
> > --- a/net/ipv4/route.c > > +++ b/net/ipv4/route.c > > @@ -2396,7 +2396,7 @@ static int ip_route_output_slow(struct rtable **rp, const struct flowi *oldflp) > > > > /* It is equivalent to inet_addr_type(saddr) == RTN_LOCAL */ > > dev_out = ip_dev_find(oldflp->fl4_src); > > - if (dev_out == NULL) > > + if (dev_out == NULL && !(oldflp->flags & FLOWI_FLAG_ANYSRC)) > > goto out; > > > > /* I removed check for oif == dev_out->oif here. 
> > @@ -2407,29 +2407,32 @@ static int ip_route_output_slow(struct rtable **rp, const struct flowi *oldflp) > > of another iface. --ANK > > */ > > > > - if (oldflp->oif == 0 > > - && (MULTICAST(oldflp->fl4_dst) || oldflp->fl4_dst == htonl(0xFFFFFFFF))) { > > - /* Special hack: user can direct multicasts > > - and limited broadcast via necessary interface > > - without fiddling with IP_MULTICAST_IF or IP_PKTINFO. > > - This hack is not just for fun, it allows > > - vic,vat and friends to work. > > - They bind socket to loopback, set ttl to zero > > - and expect that it will work. > > - From the viewpoint of routing cache they are broken, > > - because we are not allowed to build multicast path > > - with loopback source addr (look, routing cache > > - cannot know, that ttl is zero, so that packet > > - will not leave this host and route is valid). > > - Luckily, this hack is good workaround. > > - */ > > + if (dev_out) { > > + if (oldflp->oif == 0 > > + && (MULTICAST(oldflp->fl4_dst) > > + || oldflp->fl4_dst == htonl(0xFFFFFFFF))) { > > + /* Special hack: user can direct multicasts > > + and limited broadcast via necessary interface > > + without fiddling with IP_MULTICAST_IF or IP_PKTINFO. > > + This hack is not just for fun, it allows > > + vic,vat and friends to work. > > + They bind socket to loopback, set ttl to zero > > + and expect that it will work. > > + From the viewpoint of routing cache they are broken, > > + because we are not allowed to build multicast path > > + with loopback source addr (look, routing cache > > + cannot know, that ttl is zero, so that packet > > + will not leave this host and route is valid). > > + Luckily, this hack is good workaround. 
> > + */ > > + > > + fl.oif = dev_out->ifindex; > > + goto make_route; > > + } > > > > - fl.oif = dev_out->ifindex; > > - goto make_route; > > - } > > - if (dev_out) > > dev_put(dev_out); > > - dev_out = NULL; > > + dev_out = NULL; > > + } > > } > > What about something like this, it even reduces checks > in the fast path. You can post new version if the following change > looks good to you and to other developers. If additional sign line is > needed here it is: > > Signed-off-by: Julian Anastasov <ja@....bg> > > @@ -2396,8 +2396,6 @@ static int ip_route_output_slow(struct r > > /* It is equivalent to inet_addr_type(saddr) == RTN_LOCAL */ > dev_out = ip_dev_find(oldflp->fl4_src); > - if (dev_out == NULL) > - goto out; > > /* I removed check for oif == dev_out->oif here. > It was wrong for two reasons: > @@ -2409,6 +2407,8 @@ static int ip_route_output_slow(struct r > > if (oldflp->oif == 0 > && (MULTICAST(oldflp->fl4_dst) || oldflp->fl4_dst == htonl(0xFFFFFFFF))) { > + if (dev_out == NULL) > + goto out; > /* Special hack: user can direct multicasts > and limited broadcast via necessary interface > without fiddling with IP_MULTICAST_IF or IP_PKTINFO. > @@ -2427,9 +2427,11 @@ static int ip_route_output_slow(struct r > fl.oif = dev_out->ifindex; > goto make_route; > } > - if (dev_out) > + if (dev_out) { > dev_put(dev_out); > - dev_out = NULL; > + dev_out = NULL; > + } else if (!(oldflp->flags & FLOWI_FLAG_ANYSRC)) > + goto out; > } > > > > Or we can go further and to avoid ip_dev_find? For me, this > second variant is preferred because calling ip_dev_find() is useless for > FLOWI_FLAG_ANYSRC. 
> > @@ -2394,11 +2394,6 @@ static int ip_route_output_slow(struct r > ZERONET(oldflp->fl4_src)) > goto out; > > - /* It is equivalent to inet_addr_type(saddr) == RTN_LOCAL */ > - dev_out = ip_dev_find(oldflp->fl4_src); > - if (dev_out == NULL) > - goto out; > - > /* I removed check for oif == dev_out->oif here. > It was wrong for two reasons: > 1. ip_dev_find(saddr) can return wrong iface, if saddr is > @@ -2409,6 +2404,11 @@ static int ip_route_output_slow(struct r > > if (oldflp->oif == 0 > && (MULTICAST(oldflp->fl4_dst) || oldflp->fl4_dst == htonl(0xFFFFFFFF))) { > + /* It is equivalent to inet_addr_type(saddr) == RTN_LOCAL */ > + dev_out = ip_dev_find(oldflp->fl4_src); > + if (dev_out == NULL) > + goto out; > + > /* Special hack: user can direct multicasts > and limited broadcast via necessary interface > without fiddling with IP_MULTICAST_IF or IP_PKTINFO. > @@ -2427,9 +2427,14 @@ static int ip_route_output_slow(struct r > fl.oif = dev_out->ifindex; > goto make_route; > } > - if (dev_out) > + if (!(oldflp->flags & FLOWI_FLAG_ANYSRC)) { > + /* It is equivalent to inet_addr_type(saddr) == RTN_LOCAL */ > + dev_out = ip_dev_find(oldflp->fl4_src); > + if (dev_out == NULL) > + goto out; > dev_put(dev_out); > - dev_out = NULL; > + dev_out = NULL; > + } > }

-- 
Bazsi
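Review bot: the include/net/flow.h hunk of the original patch adds `#define FLOWI_FLAG_ANYSRC 0x02` with no comment on what the bit means, although setting it disables the check that rejects flows whose source address is not local. A one-line comment stating that the flag permits a non-local fl4_src and is intended for in-kernel callers handling transparent connections (the case the commit message names) would let reviewers of later callers see at the definition that it relaxes a routing-side sanity check.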
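Review bot: in the first net/ipv4/route.c hunk of KOVACS Krisztian's patch, the comment `/* It is equivalent to inet_addr_type(saddr) == RTN_LOCAL */` directly above the changed line stops being accurate once `dev_out == NULL` is tolerated for FLOWI_FLAG_ANYSRC flows; it should say that the local-address requirement is waived when the flag is set. The hunk also still calls ip_dev_find() for ANYSRC flows even though a NULL result is then ignored, which is the wasted lookup Julian's second variant removes.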
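Review bot: the second route.c hunk of the original patch has a logic gap for the combination Julian points at: with FLOWI_FLAG_ANYSRC set, fl4_src non-local (so dev_out is NULL), fl4_dst multicast or htonl(0xFFFFFFFF) and oif == 0, the new `if (dev_out) {` guard skips the special case and nothing fails, so the flow continues to the normal lookup with fl.oif still 0. The hunk should either reject that combination explicitly with `goto out` or document what it is meant to do. Separately, most of the 47 changed lines in the diffstat are re-indentation of the existing comment block, which buries the two-condition logic change; the smaller variants below are easier to review for exactly that reason.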
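Review bot: in the second hunk of Julian's first variant, the added `if (dev_out == NULL) goto out;` inside the multicast/limited-broadcast branch means FLOWI_FLAG_ANYSRC is deliberately not honoured for those destinations when oif == 0. That closes the undefined case cleanly, but the restriction should be recorded in the flag's comment or the commit message so that callers do not expect a non-local source to work for multicast or limited broadcast.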
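Review bot: in the third hunk of Julian's first variant, `} else if (!(oldflp->flags & FLOWI_FLAG_ANYSRC)) goto out;` moves the failure for a non-local source from immediately after ip_dev_find() to after the multicast branch. The hunk does not show what `err` holds at the `out` label, so the submitter should confirm that nothing assigns err between the old and the new goto site; otherwise the error code returned to callers for an invalid source address changes silently.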
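Review bot: the first hunk of Julian's second variant removes the early ip_dev_find() but leaves the following comment `/* I removed check for oif == dev_out->oif here. ... 1. ip_dev_find(saddr) can return wrong iface, if saddr is ...` in place, where it now explains a lookup that no longer happens at this point. The comment should move with the lookup into the multicast branch or be reworded so the next reader is not sent looking for a dev_out that has not been set yet.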
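Review bot: in the last hunk of Julian's second variant, ip_dev_find() is called only to test for a NULL result and the reference is released with dev_put() on the very next line. The comment above it already states that the lookup is equivalent to `inet_addr_type(saddr) == RTN_LOCAL`, so the non-ANYSRC existence check could use that test directly instead of taking and dropping a device reference; that would also remove the duplicated lookup-plus-comment that now appears both here and in the multicast hunk above.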