| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LFD.2.11.1401222222010.1855@ja.home.ssi.bg> Date: Wed, 22 Jan 2014 23:04:52 +0200 (EET) From: Julian Anastasov <ja@....bg> To: gregory hoggarth <gregory.hoggarth@...iedtelesis.co.nz> cc: netdev@...r.kernel.org Subject: Re: Linux kernel patch: elide fib_validate_source() completely when possible - bad side effect? Hello, On Mon, 20 Jan 2014, gregory hoggarth wrote: > >>> Julian Anastasov <ja@....bg> 17/1/14 09:24 PM >>> > > > > It seems only __fib_validate_source can reject all kind > > of broadcast addresses in saddr. ip_route_input_slow() rejects > > only the well known broadcasts. Without rp_filter may be we > > can at least drop attempts to send replies back to broadcast > > addresses? For example, checking result of ip_route_output_key() in > > icmp_reply(): > > > > if (rt->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST)) > > => ip_rt_put() > Thank you for your reply. > > While I think your solution may work, isn't the proper approach to drop these > rogue packets, rather than wasting CPU and other resources processing them, > and then beginning to craft responses which are in turn dropped? The problem is that it is __fib_validate_source that takes time for every packet. And it is a rare case to see traffic from broadcast addresses. rp_filter set on external interface will drop such packets. It is an option that one can use even for internal interface, if needed. > Also seems better to drop the initial rogue packet, as that should cover all > (?) different types of packets, rather than having to add small patches into > ICMP, TCP and any other places that may need it. Small check looks better compared to FIB lookup for every received packet. Note that output route can be cached for sockets, eg. TCP, so such small checks do not occur for every reply packet. > So my question really is was the original patch correct and there's something > wrong with our device configuration, or is this an overlooked / untested side- > effect from that patch that as a result means the patch should be re-worked? I don't remember someone mentioning about such side-effect, I guess it is overlooked. IMHO, it is not a good reason to restore the old behavior. Lets see other opinions. Regards -- Julian Anastasov <ja@....bg> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists