Date:	Sat, 4 Jan 2014 11:55:15 +0100
From:	Hannes Frederic Sowa <hannes@...essinduktion.org>
To:	Jiri Pirko <jiri@...nulli.us>
Cc:	netdev@...r.kernel.org, stephen@...workplumber.org,
	thaller@...hat.com
Subject: Re: [patch iproute2 v2 0/2] add support for IFA_F_MANAGETEMPADDR

On Sat, Jan 04, 2014 at 11:43:31AM +0100, Jiri Pirko wrote:
> Thu, Jan 02, 2014 at 06:29:49PM CET, hannes@...essinduktion.org wrote:
> >On Thu, Jan 02, 2014 at 04:34:37PM +0100, Jiri Pirko wrote:
> >> v1->v2: Removed 0xff masking of ifa_flags
> >> 
> >> Jiri Pirko (2):
> >>   add support for extended ifa_flags
> >>   add support for IFA_F_MANAGETEMPADDR
> >> 
> >>  include/linux/if_addr.h |  2 ++
> >>  ip/ipaddress.c          | 50 +++++++++++++++++++++++++++++++++++--------------
> >>  2 files changed, 38 insertions(+), 14 deletions(-)
> >
> >I still wonder how source address selection should work for
> >IFA_F_MANAGETEMPADDR if use_tempaddr != 2 mode is not available for
> >those addresses.
> >
> >Up until now applications can bind to those addresses and traffic can be
> >received for them, but there is no way how a user can specify to favor them
> >in case of use_tempaddr == 0.
> 
> I'm not sure I understand you. Can you please elaborate more? Not sure
> how this is related to iproute2.

Sorry, it is not related to this patch set at all but more to
IFA_F_MANAGETEMPADDR as a whole (maybe it could be a follow-up feature).

> Anyway, the kernel behaviour wrt use_tempaddr settings remains unchanged
> with the addition of IFA_F_MANAGETEMPADDR. It only allows to create temp
> addresses for other addresses than the ones created by kernel (by RA).

I assume that systems with NetworkManager won't activate use_tempaddr. If
you look at ipv6_get_saddr_eval we only prefer privacy addresses to
normal ones, if use_tempaddr == 2, which also implies that kernel does
generate privacy addresses.

So currently privacy addresses are correctly installed, but we cannot control
if we want to prefer them to global addresses for outgoing connections where the
socket is not bound to a specific address.

Also, I saw that NetworkManager switched to install autoconf addresses
as /128, doesn't this break with IFA_F_MANAGETEMPADDR, as you expect a /64
prefixlen?

I guess NetworkManager wants a way to add /64 addresses without installing the
on-link prefix route?

Hope that makes sense?

Greetings,

  Hannes
