lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 24 Jul 2013 09:57:59 +0200
From:	Stefan Tomanek <stefan.tomanek@...tarbyte.de>
To:	netdev@...r.kernel.org
Cc:	Hannes Frederic Sowa <hannes@...essinduktion.org>
Subject: Re: [PATCH] fib_rules: add minimum prefix length

Dies schrieb Hannes Frederic Sowa (hannes@...essinduktion.org):

> Yeah, it is sometimes pretty hideous to set up, especially if one uses
> ppp stuff and such. But I am unsure if this change does actually improve
> that considerable. Static setups should be easily doable right now and for
> ppp/vpn stuff, I fear, it would still lack a bit of flexibility.

Well, it does work for me. I am using a dynamic PPP uplink and an OpenVPN
tunnel where some marked traffic is guided through.

To achieve this, I always had to configure pppd with "nodefaultroute" just to
add the default route it manually in a separate table, complicating the
configuration process.

With my patches added, I can just reference a "masked" version of the main
routing table at first, ignoring the default route placed there by pppd:

echo "vpn" >> /etc/iproute2/rt_tables
ip route add table vpn default via tun0
ip rule add pref 100 lookup main prefixlength 0
ip rule add pref 200 fwmark 0xA lookup vpn

             |
             V
[ table main prefixlength >0 ]
             |
             V
       <fwmark 0xA?>   ->  [ table vpn ]
             |                   |
	     |    ,--------------ยด
	     V    V
        [ table main ]

That way, there is no need to reconfigure pppd, dhclient etc. If a specific
route of the main table matches, it will we used. If the main table just points
to the default route (prefixlengt == 0), it will be ignored and the packet
travels to the next rule. In the end, the complete main table might still be
consulted, including the previously shunned default route.

Works great and requires little to no hacking around distribution specific
network scripts.

> I would try to factor the prefixlen_min check out into a
> e.g. fib4_rule_constrain function for which a new field in fib_rules_ops
> needs to be created as callback. Also it would be nice to have IPv6
> support, too. ;)

Why not, sure. Working solutions today, better solutions tomorrow :-)
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ