lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Sat, 28 Nov 2009 16:46:57 +0100
From:	Patrick McHardy <>
To:	KOVACS Krisztian <>
CC:	jamal <>, KOVACS Krisztian <>,
	Andreas Schultz <>,,
Subject: Re: [tproxy,regression] tproxy broken in 2.6.32

KOVACS Krisztian wrote:
> Hi,
> On p, nov 27, 2009 at 11:05:32 -0500, jamal wrote:
>> On Fri, 2009-11-27 at 09:26 +0100, KOVACS Krisztian wrote:
>>> Hi,
>>> On Thu, 2009-11-26 at 18:19 +0100, Andreas Schultz wrote:
>>>> Hi,
>>>> git bisect shows that TPROXY has been broken by commit
>>>> f7c6fd2465d8e6f4f89c5d1262da10b4a6d499d0, [PATCH] net: Fix RPF to work
>>>> with policy routing
>>>> I had a look at the patch, and it seems logical that this would break TPROXY.
>>> Indeed, that's a good catch. If this is indeed the problem you should be
>>> able to work it around by disabling rpfilter on the ingress interface.
>>> Does it work that way?
>> Not familiar with tproxy, but I suspect the system doesnt see the mark
>> before policy routing happens. So probably the wrong route cache gets
>> created. Easy to validate by dumping the route cache.
>> If thats so, you have to set the mark in pre-route hook if it uses
>> iptables.
> It's already on prerouting, so that's not the problem.
> The problem is that for tproxy to work we've used to have a rule like
> this:
> # ip rule add fwmark 1 lookup 100
> plus a few iptables rules setting mark values.
> The issue is that previously fib_validate_source ignored the mark set on
> the skb, and thus when fib_validate_source() did a FIB lookup, it all went
> fine, because it found a result of type RTN_UNICAST. However, with your
> change, and because of the ip rule above not being specific enough now
> it's returning with type RTN_LOCAL, and that's considered invalid and thus
> the skb is dropped.
> The workaround is using more specific ip rules that include the ingress
> interface name:
> # ip rule add dev eth0 fwmark 1 lookup 100

The root cause seems to be an invalid assumption, marks are often not
used in a symetric fashion as required by RPF.

Since this patch has already proven to break existing setups, I think
it should be reverted or the behaviour made optional with a default to
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists