| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 28 Nov 2009 16:46:57 +0100 From: Patrick McHardy <kaber@...sh.net> To: KOVACS Krisztian <hidden@....bme.hu> CC: jamal <hadi@...erus.ca>, KOVACS Krisztian <hidden@...abit.hu>, Andreas Schultz <aschultz@...p10.net>, tproxy@...ts.balabit.hu, netdev@...r.kernel.org Subject: Re: [tproxy,regression] tproxy broken in 2.6.32 KOVACS Krisztian wrote: > Hi, > > On p, nov 27, 2009 at 11:05:32 -0500, jamal wrote: >> On Fri, 2009-11-27 at 09:26 +0100, KOVACS Krisztian wrote: >>> Hi, >>> >>> On Thu, 2009-11-26 at 18:19 +0100, Andreas Schultz wrote: >>>> Hi, >>>> >>>> git bisect shows that TPROXY has been broken by commit >>>> f7c6fd2465d8e6f4f89c5d1262da10b4a6d499d0, [PATCH] net: Fix RPF to work >>>> with policy routing >>>> >>>> I had a look at the patch, and it seems logical that this would break TPROXY. >>> Indeed, that's a good catch. If this is indeed the problem you should be >>> able to work it around by disabling rpfilter on the ingress interface. >>> Does it work that way? >> Not familiar with tproxy, but I suspect the system doesnt see the mark >> before policy routing happens. So probably the wrong route cache gets >> created. Easy to validate by dumping the route cache. >> If thats so, you have to set the mark in pre-route hook if it uses >> iptables. > > It's already on prerouting, so that's not the problem. > > The problem is that for tproxy to work we've used to have a rule like > this: > > # ip rule add fwmark 1 lookup 100 > > plus a few iptables rules setting mark values. > > The issue is that previously fib_validate_source ignored the mark set on > the skb, and thus when fib_validate_source() did a FIB lookup, it all went > fine, because it found a result of type RTN_UNICAST. However, with your > change, and because of the ip rule above not being specific enough now > it's returning with type RTN_LOCAL, and that's considered invalid and thus > the skb is dropped. > > The workaround is using more specific ip rules that include the ingress > interface name: > > # ip rule add dev eth0 fwmark 1 lookup 100 The root cause seems to be an invalid assumption, marks are often not used in a symetric fashion as required by RPF. Since this patch has already proven to break existing setups, I think it should be reverted or the behaviour made optional with a default to off. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists