| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20130214082616.44ad070c@nehalam.linuxnetplumber.net>
Date: Thu, 14 Feb 2013 08:26:16 -0800
From: Stephen Hemminger <stephen@...workplumber.org>
To: netdev@...r.kernel.org
Subject: Fw: [Bug 53821] New: ip rules (policy routing) no longer applied
consistency
Begin forwarded message:
Date: Thu, 14 Feb 2013 01:26:32 -0800
From: "bugzilla-daemon@...zilla.kernel.org" <bugzilla-daemon@...zilla.kernel.org>
To: "stephen@...workplumber.org" <stephen@...workplumber.org>
Subject: [Bug 53821] New: ip rules (policy routing) no longer applied consistency
https://bugzilla.kernel.org/show_bug.cgi?id=53821
Summary: ip rules (policy routing) no longer applied
consistency
Product: Networking
Version: 2.5
Kernel Version: 3.7
Platform: All
OS/Version: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: IPV4
AssignedTo: shemminger@...ux-foundation.org
ReportedBy: korn-kernel.org@...n.rulez.org
Regression: Yes
Hi,
on upgrading to 3.7.x, I noticed that some of my ip rules were no longer
applied.
For example, I had:
# ip ru sh
0: from all lookup local
32762: from 192.168.0.15 lookup foo
32763: from 1.2.3.4 lookup foo
32764: from 10.74.91.0/24 lookup foo
32765: from 192.168.0.19 lookup vpntunnel
32766: from all lookup main
32767: from all lookup default
# ip ro sh table vpntunnel
default via 192.168.0.144 dev br0
192.168.0.0/24 dev br0 scope link
The 'lookup foo' rules were applied, but 'lookup vpntunnel' was not.
I then tried to use an fwmark based rule to achieve the same result:
# ip ru sh
0: from all lookup local
32761: from all fwmark 0x2 lookup vpntunnel
32762: from 192.168.0.15 lookup foo
32763: from 1.2.3.4 lookup foo
32764: from 10.74.91.0/24 lookup foo
32765: from 192.168.0.19 lookup vpntunnel
32766: from all lookup main
32767: from all lookup default
Of course I made sure the appropriate packets were marked with 0x2. This worked
a lot better and most packets go out via 192.168.0.144 now, but strangely, not
all. I have a netfilter rule that catches the ones going the wrong way, and I
get quite a few log messages along the lines of:
kernel: FW: DROP: IN= OUT=eth1 SRC=192.168.0.19 DST=2.3.4.5 LEN=131 TOS=0x00
PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17504 DPT=42834 LEN=111 UID=1007
GID=1007 MARK=0x2
As you can see, the packet is logged as having the correct fwmark, but is still
sent out through eth1 instead of br0. (And the IP based rule should have
applied to, but didn't.)
This particular result was obtained with 3.7.6-vs2.3.5.5 (linux-vserver patch),
but I've seen similar behaviour with 3.7.anything.
Source IP based rules worked fine with kernels up to 3.6. Confusingly, _some_
of them still work, but not all.
Maybe something was broken by the removal of the route cache?
--
Configure bugmail: https://bugzilla.kernel.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists