lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Sat, 28 Nov 2009 16:46:57 +0100
From:	Patrick McHardy <kaber@...sh.net>
To:	KOVACS Krisztian <hidden@....bme.hu>
CC:	jamal <hadi@...erus.ca>, KOVACS Krisztian <hidden@...abit.hu>,
	Andreas Schultz <aschultz@...p10.net>, tproxy@...ts.balabit.hu,
	netdev@...r.kernel.org
Subject: Re: [tproxy,regression] tproxy broken in 2.6.32

KOVACS Krisztian wrote:
> Hi,
> 
> On p, nov 27, 2009 at 11:05:32 -0500, jamal wrote:
>> On Fri, 2009-11-27 at 09:26 +0100, KOVACS Krisztian wrote:
>>> Hi,
>>>
>>> On Thu, 2009-11-26 at 18:19 +0100, Andreas Schultz wrote:
>>>> Hi,
>>>>
>>>> git bisect shows that TPROXY has been broken by commit
>>>> f7c6fd2465d8e6f4f89c5d1262da10b4a6d499d0, [PATCH] net: Fix RPF to work
>>>> with policy routing
>>>>
>>>> I had a look at the patch, and it seems logical that this would break TPROXY.
>>> Indeed, that's a good catch. If this is indeed the problem you should be
>>> able to work it around by disabling rpfilter on the ingress interface.
>>> Does it work that way?
>> Not familiar with tproxy, but I suspect the system doesnt see the mark
>> before policy routing happens. So probably the wrong route cache gets
>> created. Easy to validate by dumping the route cache.
>> If thats so, you have to set the mark in pre-route hook if it uses
>> iptables.
> 
> It's already on prerouting, so that's not the problem.
> 
> The problem is that for tproxy to work we've used to have a rule like
> this:
> 
> # ip rule add fwmark 1 lookup 100
> 
> plus a few iptables rules setting mark values.
> 
> The issue is that previously fib_validate_source ignored the mark set on
> the skb, and thus when fib_validate_source() did a FIB lookup, it all went
> fine, because it found a result of type RTN_UNICAST. However, with your
> change, and because of the ip rule above not being specific enough now
> it's returning with type RTN_LOCAL, and that's considered invalid and thus
> the skb is dropped.
> 
> The workaround is using more specific ip rules that include the ingress
> interface name:
> 
> # ip rule add dev eth0 fwmark 1 lookup 100

The root cause seems to be an invalid assumption, marks are often not
used in a symetric fashion as required by RPF.

Since this patch has already proven to break existing setups, I think
it should be reverted or the behaviour made optional with a default to
off.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists