| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <62162DF05402B341B3DB59932A1FA992B5B5C9FCF6@EUSAACMS0702.eamcs.ericsson.se> Date: Sat, 4 Feb 2012 13:15:03 -0500 From: Shawn Lu <shawn.lu@...csson.com> To: Eric Dumazet <eric.dumazet@...il.com> CC: "davem@...emloft.net" <davem@...emloft.net>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, "xiaoclu@...il.com" <xiaoclu@...il.com> Subject: RE: [PATCH] tcp: RST: binding oif to iif for tcp v4 Hi, Eric: > From: Eric Dumazet [mailto:eric.dumazet@...il.com] > I repeat my question : > > Why do you believe only RST should be handled in a different > manner than other TCP messages ? > > If we decide to break asymmetric routing, we should do it > completely and document it. > > It might already be broken for IPv6 and nobody cared / noticed. RST is specical. if a packet caused RST, connection is gone. We lost all socket option (or bind information) for that socket. So we build reply only basing on parameters arrived with The segement. It's nature to use another one from segment: inet_iif(skb). In the same time, I agree with you that it breaks asymmetric routing. It may be more propertly to do it when routing fails. Will send out another patch to replace this patch. > -----Original Message----- > From: Eric Dumazet [mailto:eric.dumazet@...il.com] > Sent: Saturday, February 04, 2012 12:07 AM > To: Shawn Lu > Cc: davem@...emloft.net; netdev@...r.kernel.org; xiaoclu@...il.com > Subject: RE: [PATCH] tcp: RST: binding oif to iif for tcp v4 > > Le vendredi 03 février 2012 à 16:43 -0500, Shawn Lu a écrit : > > > [shawn Lu] ok. Tcp socket is bind to device using > SO_BINDTODEVICE to > > Limit traffic to specifc interface. Sometime, it may not > have a valid > > Source address to get through ip_route_output_key. > > > > Define "Sometime" ? My case is in router. Forwarding is done in line card. Any packet that can't process by Forwarding(such as bgp) will "punt" to control plane(another box, we called RP). In RP, routing is bypassed if packet is from line card, because we know it is target to local. On egress path, we also need bind traffic to this interface to be able to go back To line card. In TCP case, when connection is gone, all binding information is gone, we can't Figure out egress path depend only destination address. But we still able to send it back if iif is used. > > We have to force the oif only if requested by the socket in this case. > > arg.bound_dev_if = sk ? sk->sk_bound_dev_if : 0; > > Thats what we do in tcp_v4_send_ack() : > if (oif) > arg.bound_dev_if = oif; > > > > > It won't work. For RST, socket is gone. In most case, there is no socket Associated with it. Only under one case (it fall in to listener that is not bind to specifc Address), we can only get sk_bound_dev_if from listener. In addition, in this case, The listener is most likely not bind to any interface to be able to get connection Request from all interface. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists