Date:	Fri, 20 Jul 2012 04:10:12 +0300 (EEST)
From:	Julian Anastasov <ja@....bg>
To:	David Miller <davem@...emloft.net>
cc:	netdev@...r.kernel.org, Patrick McHardy <kaber@...sh.net>
Subject: Re: [PATCH 14/16] ipv4: Kill rt->rt_oif


	Hello,

	Added CC to Patrick McHardy as mrule author...

On Thu, 19 Jul 2012, David Miller wrote:

> Never actually used.
> 
> It was being set on output routes to the original OIF specified in the
> flow key used for the lookup.
> 
> But the only user was in ipmr_rt_fib_lookup() which always runs on an
> input route.

	It can also work with an output route; it seems a
copy of locally originated traffic can be sent to the local
mrouter for forwarding to remote recipients. Now we search
this mrouter with rules. We can loop back traffic to
local applications or to the local multicast router (even
when no local applications are listening).

> diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
> index eee3bf6..fa75f73 100644
> --- a/net/ipv4/ipmr.c
> +++ b/net/ipv4/ipmr.c
> @@ -1795,7 +1795,6 @@ static struct mr_table *ipmr_rt_fib_lookup(struct net *net, struct sk_buff *skb)
>  		.daddr = iph->daddr,
>  		.saddr = iph->saddr,
>  		.flowi4_tos = RT_TOS(iph->tos),
> -		.flowi4_oif = rt->rt_oif,
>  		.flowi4_iif = rt->rt_iif,
>  		.flowi4_mark = skb->mark,
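
Review bot: with the `.flowi4_oif = rt->rt_oif,` initializer dropped from the flowi4 key in ipmr_rt_fib_lookup(), flowi4_oif is left at zero by the designated initializer, so the key carries no output device while `.flowi4_iif` still comes from `rt->rt_iif`. The commit message justifies this by saying the function always runs on an input route; please state that assumption in a comment above the initializer (or check it explicitly) so that a later caller on an output route does not silently lose oif matching.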

	But it was wrong in the first place to use rt_iif
here. Maybe we should provide devices to "mrule" just
like we do for "rule", with the only difference that
it is now possible for oif to match outdev instead of the
preferred device, i.e. oif is always set for output routes.

	.flowi4_oif = rt_is_output_route(rt) ?
			skb->dev->ifindex : 0,
	.flowi4_iif = rt_is_output_route(rt) ?
			net->loopback_dev->ifindex :
			skb->dev->ifindex,

	Before now it was risky to use just "mrule iif XXX"
because rt_iif contains the output device for output
routes and we can match an output route by mistake.

	With the above code it is now safe to use just
"iif eth0" for input routes and "iif lo" for output
routes. Here is what the mrule will see now:

local_app -> mrouter: lo->dev
remote_app -> mrouter: dev->0 (only iif match is possible)

	Let me know if a patch is needed.

> @@ -1802,7 +1799,6 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
>  	rth->rt_type	= type;
>  	rth->rt_route_iif = 0;
>  	rth->rt_iif	= orig_oif ? : dev_out->ifindex;
> -	rth->rt_oif	= orig_oif;
>  	rth->rt_pmtu	= 0;
>  	rth->rt_gateway = 0;
>  	rth->fi = NULL;
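
Review bot: the context line `rth->rt_iif = orig_oif ? : dev_out->ifindex;` in __mkroute_output() is left storing an output ifindex in a field named iif, and once `rth->rt_oif = orig_oif;` is removed it is the only place the caller's orig_oif survives on the route. A short comment there saying what rt_iif means for output routes, and that it falls back to dev_out when orig_oif is zero, would keep readers of rt_iif from treating it as an input device.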

Regards

--
Julian Anastasov <ja@....bg>
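
The iif/oif matching discussed in the message above, as a user-space model added to this archive page (not code from the message or from the kernel tree). The struct names, the ifindex values and the simplified rule matching are assumptions made for the illustration; the model also assumes that the skb carries dev_out on output routes and that rt_oif is 0 on input routes.

```c
/* User-space model of the mrule lookup key; not kernel code. */
#include <stdbool.h>
#include <stdio.h>

enum { IF_LO = 1, IF_ETH0 = 2 };            /* constructed ifindex values */

struct pkt   { bool output_route; int dev; int orig_oif; };
struct key   { int iif, oif; };
struct mrule { int iif, oif; };             /* 0 means "not specified" */

/* Pre-patch key: rt_iif/rt_oif as __mkroute_output() fills them in for
 * output routes (assumption: dev_out is the device the skb carries). */
static struct key key_before(struct pkt p)
{
    struct key k = { .iif = p.dev, .oif = 0 };
    if (p.output_route) {
        k.iif = p.orig_oif ? p.orig_oif : p.dev;
        k.oif = p.orig_oif;
    }
    return k;
}

/* Key proposed in the reply: lo->dev for output, dev->0 for input. */
static struct key key_proposed(struct pkt p)
{
    struct key k;
    k.oif = p.output_route ? p.dev : 0;
    k.iif = p.output_route ? IF_LO : p.dev;
    return k;
}

/* A selector left at 0 matches anything (simplified rule matching). */
static bool mrule_match(struct mrule r, struct key k)
{
    return (!r.iif || r.iif == k.iif) && (!r.oif || r.oif == k.oif);
}

int main(void)
{
    struct mrule iif_eth0 = { .iif = IF_ETH0 };
    struct pkt local  = { .output_route = true,  .dev = IF_ETH0 };
    struct pkt remote = { .output_route = false, .dev = IF_ETH0 };

    printf("before:   local=%d remote=%d\n",
           mrule_match(iif_eth0, key_before(local)),
           mrule_match(iif_eth0, key_before(remote)));
    printf("proposed: local=%d remote=%d\n",
           mrule_match(iif_eth0, key_proposed(local)),
           mrule_match(iif_eth0, key_proposed(remote)));
    return 0;
}
```

In this model an "iif eth0" rule matches locally originated traffic leaving eth0 under the pre-patch key, and only traffic received on eth0 under the proposed key.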