| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1259437442.3864.61.camel@bigi> Date: Sat, 28 Nov 2009 14:44:02 -0500 From: jamal <hadi@...erus.ca> To: KOVACS Krisztian <hidden@....bme.hu> Cc: Patrick McHardy <kaber@...sh.net>, KOVACS Krisztian <hidden@...abit.hu>, Andreas Schultz <aschultz@...p10.net>, tproxy@...ts.balabit.hu, netdev@...r.kernel.org Subject: Re: [tproxy,regression] tproxy broken in 2.6.32 On Sat, 2009-11-28 at 20:05 +0100, KOVACS Krisztian wrote: > Hi, > > The source address *is* unicast. Sorry - I meant the route type is unicast. The fact that an address is unicast or not is already dealt with by the time you get to source address validation (in ip_input()) > The problem is that the routing setup is > asymmetrical, as Patrick has already mentioned: we're using a mark to > force certain packets (those that have matching sockets on the host) being > delivered locally. > > In the other direction, reply packets won't be marked by the iptables > rules and thus will be routed on egress just fine. In that case i dont understand the reluctance to use unicast routes. Maybe you can explain and put me at ease because i see youve put extra effort to use local addresses. > Your modification has > the assumption that routing is symmetrical, and that reply packets will > have the same mark. That assumption is not necessarily right, and I think > it's not entirely unreasonable to think that not only tproxy setups will > be broken by the change. > > > So i didnt introduce that logic thats causing this pain. > > Well, it depends whether or not you consider the initial setup valid. > Based on what i see - I frankly dont. If i looked up the source address and found that it belonged to something other than unicast route - we drop it. It doesnt matter whether you use policy routing, rpf or not. It may be the solution is to allow local routes under certain conditions although i dont understand why. > > If it worked before it was hack or fluke imo ;-> If we think that > > source address validation needs to check for something else > > additionally, i think thats a separate topic (but doesnt > > seem worth a change) > > My only concern is that this definitely breaks current setups, and while > we do have a workaround we don't have a way to let all users know what > needs to be done... This code just went in i think. And really this is a user space issue; i am not unreasonable - please convince me i am just having a technical challenge understanding your desire to use local instead of unicast. cheers, jamal -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists