Date:	Sat, 4 Feb 2012 13:15:03 -0500
From:	Shawn Lu <shawn.lu@...csson.com>
To:	Eric Dumazet <eric.dumazet@...il.com>
CC:	"davem@...emloft.net" <davem@...emloft.net>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	"xiaoclu@...il.com" <xiaoclu@...il.com>
Subject: RE: [PATCH] tcp: RST: binding oif to iif for tcp v4

Hi, Eric:

> From: Eric Dumazet [mailto:eric.dumazet@...il.com] 
> I repeat my question :
> 
> Why do you believe only RST should be handled in a different 
> manner than other TCP messages ?
> 
> If we decide to break asymmetric routing, we should do it 
> completely and document it.
> 
> It might already be broken for IPv6 and nobody cared / noticed.

RST is special. If a packet caused RST, the connection is gone.
We lost all socket options (or bind information) for that socket.
So we build the reply based only on parameters that arrived with
the segment.  It's natural to use another one from the segment: inet_iif(skb).

At the same time, I agree with you that it breaks asymmetric routing.

It may be more proper to do it when routing fails.
Will send out another patch to replace this patch.

> -----Original Message-----
> From: Eric Dumazet [mailto:eric.dumazet@...il.com] 
> Sent: Saturday, February 04, 2012 12:07 AM
> To: Shawn Lu
> Cc: davem@...emloft.net; netdev@...r.kernel.org; xiaoclu@...il.com
> Subject: RE: [PATCH] tcp: RST: binding oif to iif for tcp v4
> 
> On Friday, 3 February 2012 at 16:43 -0500, Shawn Lu wrote:
> 
> > [shawn Lu] ok.  TCP socket is bound to a device using SO_BINDTODEVICE
> > to limit traffic to a specific interface.  Sometime, it may not have a
> > valid source address to get through ip_route_output_key.
> > 
> 
> Define "Sometime" ?
My case is in a router. Forwarding is done in the line card. Any packet that can't be processed by
forwarding (such as BGP) will be "punted" to the control plane (another box, which we call RP). In the RP,
routing is bypassed if the packet is from the line card, because we know it is targeted to
local. On the egress path, we also need to bind traffic to this interface to be able to go back
to the line card. In the TCP case, when the connection is gone, all binding information is gone, and we can't
figure out the egress path depending only on the destination address.
But we are still able to send it back if iif is used.
> 
> We have to force the oif only if requested by the socket in this case.
> 
> arg.bound_dev_if = sk ? sk->sk_bound_dev_if : 0;
> 
> That's what we do in tcp_v4_send_ack():
> 	if (oif)
> 		arg.bound_dev_if = oif;
>
It won't work.  For RST, the socket is gone. In most cases, there is no socket
associated with it.  Only in one case (it falls into a listener that is not bound to a specific
address) can we get sk_bound_dev_if from the listener. In addition, in this case,
the listener is most likely not bound to any interface, to be able to get connection
requests from all interfaces.
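
The trade-off discussed in this message, as an added example that is not part of the original e-mail or the kernel source: a simplified user-space C model comparing three ways to choose the output interface of a RST (the socket's bound device only, always the incoming interface, and the incoming interface only when routing fails). All struct, function and policy names, addresses and interface indexes are constructed, and the model assumes a non-zero oif simply forces that interface.

```c
#include <stdio.h>

/* Simplified user-space model, NOT kernel code. All names are hypothetical. */
struct route { unsigned dst; int ifindex; };

/* Constructed routing table: only 10.0.0.1 is reachable, via ifindex 2. */
static const struct route table[] = { { 0x0a000001u, 2 } };

/* Model of an output route lookup (assumption): a non-zero oif forces that
 * interface, otherwise dst must be in the table. Returns 0 on failure. */
static int route_output(unsigned dst, int oif)
{
    if (oif)
        return oif;
    for (size_t i = 0; i < sizeof(table) / sizeof(table[0]); i++)
        if (table[i].dst == dst)
            return table[i].ifindex;
    return 0;
}

enum policy { SOCK_BOUND_ONLY, ALWAYS_IIF, IIF_ON_ROUTE_FAILURE };

/* Egress ifindex chosen for a RST sent to `src` in reply to a segment that
 * arrived on `iif`. sk_bound is the socket's bound device, or 0 when there
 * is no socket or it is unbound. Returns 0 if the RST cannot be routed. */
static int rst_egress(enum policy p, unsigned src, int iif, int sk_bound)
{
    int out = route_output(src, p == ALWAYS_IIF ? iif : sk_bound);
    if (!out && p == IIF_ON_ROUTE_FAILURE)
        out = route_output(src, iif);   /* fall back to the ingress device */
    return out;
}

int main(void)
{
    /* Asymmetric routing: segment arrived on 3, route back is via 2. */
    printf("asym: %d %d %d\n", rst_egress(SOCK_BOUND_ONLY, 0x0a000001u, 3, 0),
           rst_egress(ALWAYS_IIF, 0x0a000001u, 3, 0),
           rst_egress(IIF_ON_ROUTE_FAILURE, 0x0a000001u, 3, 0));
    /* Punted packet: arrived on 5, no route to its source, no socket. */
    printf("punt: %d %d %d\n", rst_egress(SOCK_BOUND_ONLY, 0x0a000002u, 5, 0),
           rst_egress(ALWAYS_IIF, 0x0a000002u, 5, 0),
           rst_egress(IIF_ON_ROUTE_FAILURE, 0x0a000002u, 5, 0));
    return 0;
}
```

In this model only the always-iif policy overrides a valid return route in the asymmetric case, and only the socket-bound-only policy fails to route the RST in the punt case.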

