Message-ID: <20140222104419.6b4daa44@vostro>
Date:	Sat, 22 Feb 2014 10:44:19 +0200
From:	Timo Teras <timo.teras@....fi>
To:	netdev@...r.kernel.org
Subject: probe netlink app in NUD_PROBE

When a stale or delayed neigh entry is being re-validated, the entry
goes to the NUD_PROBE state. At the moment only unicast probes are sent.
This is basically because neigh_max_probes() limits the probe count that way.

Now, opennhrp intentionally configures UCAST_PROBES and MCAST_PROBES to
zero and APP_PROBES to something meaningful. The idea is that opennhrp
replaces ARP completely with NHRP implemented in userland.

Due to this, it seems there is a very small time window in which the
NUD_PROBE times out, the neighbour entry gets invalidated, and
packets get lost.

To remedy this, I would like to have these NUD_PROBE validations sent
via netlink too.

The first choice is to change it to just use both unicast and application
probes:

diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index b9e9e0d..36d3f8c 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -836,10 +836,10 @@ out:
 static __inline__ int neigh_max_probes(struct neighbour *n)
 {
 	struct neigh_parms *p = n->parms;
-	return (n->nud_state & NUD_PROBE) ?
-		NEIGH_VAR(p, UCAST_PROBES) :
-		NEIGH_VAR(p, UCAST_PROBES) + NEIGH_VAR(p, APP_PROBES) +
-		NEIGH_VAR(p, MCAST_PROBES);
+	int max_probes = NEIGH_VAR(p, UCAST_PROBES) + NEIGH_VAR(p, APP_PROBES);
+	if (!(n->nud_state & NUD_PROBE))
+		max_probes += NEIGH_VAR(p, MCAST_PROBES);
+	return max_probes;
 }
 
 static void neigh_invalidate(struct neighbour *neigh)
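Review bot: the commit message needs to call out the behaviour change this hunk makes for any configuration with a non-zero APP_PROBES, not only opennhrp's: in NUD_PROBE an entry now survives `NEIGH_VAR(p, UCAST_PROBES) + NEIGH_VAR(p, APP_PROBES)` timer expiries before neigh_invalidate() runs instead of UCAST_PROBES alone, so a host running an ARP daemon with both unicast and application probes enabled will send its application probes from NUD_PROBE as well and keep the entry longer. That is the intended effect and the `max_probes` accumulation reads clearly, but "no behaviour change on default configuration" only holds while APP_PROBES is zero; state the non-default case explicitly so the patch is not mistaken for a pure cleanup.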

With the default configuration there is no behaviour change, as APP_PROBES
defaults to zero. I'm not sure whether ARPD programs other than opennhrp are
commonly used at the moment.

If that feels risky, an alternative would be:

diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index b9e9e0d..8bb320b 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -836,9 +836,11 @@ out:
 static __inline__ int neigh_max_probes(struct neighbour *n)
 {
 	struct neigh_parms *p = n->parms;
-	return (n->nud_state & NUD_PROBE) ?
-		NEIGH_VAR(p, UCAST_PROBES) :
-		NEIGH_VAR(p, UCAST_PROBES) + NEIGH_VAR(p, APP_PROBES) +
+
+	if (n->nud_state & NUD_PROBE)
+		return NEIGH_VAR(p, UCAST_PROBES) ? : NEIGH_VAR(p, APP_PROBES);
+
+	return NEIGH_VAR(p, UCAST_PROBES) + NEIGH_VAR(p, APP_PROBES) + 
 		NEIGH_VAR(p, MCAST_PROBES);
 }
 
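Review bot: the `+	return NEIGH_VAR(p, UCAST_PROBES) + NEIGH_VAR(p, APP_PROBES) + ` line carries trailing whitespace, which checkpatch will flag; strip it before sending. On the logic, the `NEIGH_VAR(p, UCAST_PROBES) ? : NEIGH_VAR(p, APP_PROBES)` fallback means an ARP daemon configured with UCAST_PROBES and APP_PROBES both non-zero still never gets a netlink probe from NUD_PROBE, because the count stops at UCAST_PROBES before the application-probe range is reached. That matches the "only if unicast probes are turned off" description, but the commit message should say so explicitly, since it is the one case where this variant and the first one differ.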
In which netlink would be used only if unicast probes are turned
off.

Any preference on which one to send formally formatted?

- Timo
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
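The following is an added example, not code from the post or from the kernel: a small user-space model of how the neighbour timer counts probes (neigh_max_probes() versus the probes counter) combined with arp_solicit()'s dispatch order (unicast, then netlink to the ARP daemon, then broadcast). It reproduces the window described above, where an entry with UCAST_PROBES zero and APP_PROBES non-zero is invalidated from NUD_PROBE before any probe goes out, and shows what each of the two proposed neigh_max_probes() variants sends instead, including the mixed configuration where the two proposals differ. The function names, the variant numbering and the sample configurations are assumptions made for this example; the NUD_* bit values are the kernel's.

```c
/*
 * Added example for this page (not kernel code, not the post author's):
 * a user-space model of the neighbour probe accounting in
 * net/core/neighbour.c and the probe-type dispatch in net/ipv4/arp.c.
 * Function names, variant numbering and sample configurations are
 * assumptions made for this example.
 */
#include <stdio.h>

/* Kernel state bits from include/net/neighbour.h. */
#define NUD_INCOMPLETE 0x01
#define NUD_PROBE      0x10

enum probe_kind { PROBE_NONE, PROBE_UCAST, PROBE_APP, PROBE_MCAST };

/*
 * neigh_max_probes() as it is in the tree (variant 0), as in the first
 * proposal (variant 1: unicast + application probes in NUD_PROBE) and as
 * in the second proposal (variant 2: application probes only when
 * UCAST_PROBES is zero).  Outside NUD_PROBE all three agree.
 */
static int neigh_max_probes(int ucast, int app, int mcast, int nud_state, int variant)
{
	if (!(nud_state & NUD_PROBE))
		return ucast + app + mcast;
	switch (variant) {
	case 0:  return ucast;
	case 1:  return ucast + app;
	default: return ucast ? ucast : app;
	}
}

/*
 * arp_solicit()'s choice for the n-th probe (0-based): the first
 * UCAST_PROBES go unicast to the cached hardware address, the next
 * APP_PROBES go to the ARP daemon over netlink, the rest are broadcast.
 */
static int probe_kind_at(int ucast, int app, int n)
{
	n -= ucast;
	if (n < 0)
		return PROBE_UCAST;
	n -= app;
	if (n < 0)
		return PROBE_APP;
	return PROBE_MCAST;
}

/*
 * The timer handler's loop: on each expiry an entry in NUD_INCOMPLETE or
 * NUD_PROBE with probes >= neigh_max_probes() is invalidated, otherwise
 * neigh_probe() sends one probe and increments the counter.  Fills
 * `kinds` with the type of each probe sent and returns how many were
 * sent before neigh_invalidate() would run (0: dropped on the first
 * expiry without any probe at all, the window described in the post).
 */
static int probe_sequence(int ucast, int app, int mcast, int nud_state, int variant,
			  int *kinds, int cap)
{
	int probes = 0;

	while (probes < neigh_max_probes(ucast, app, mcast, nud_state, variant)) {
		if (probes < cap)
			kinds[probes] = probe_kind_at(ucast, app, probes);
		probes++;
	}
	return probes;
}

/* Number of probes sent from `nud_state` before invalidation. */
static int probes_before_invalidate(int ucast, int app, int mcast, int nud_state, int variant)
{
	int kinds[64];

	return probe_sequence(ucast, app, mcast, nud_state, variant, kinds, 64);
}

/* How many of those probes reach the ARP daemon over netlink. */
static int netlink_probes(int ucast, int app, int mcast, int nud_state, int variant)
{
	int kinds[64];
	int n = probe_sequence(ucast, app, mcast, nud_state, variant, kinds, 64);
	int i, count = 0;

	for (i = 0; i < n && i < 64; i++)
		if (kinds[i] == PROBE_APP)
			count++;
	return count;
}

static void show(const char *label, int ucast, int app, int mcast, int nud_state)
{
	static const char *names[] = { "none", "ucast", "app", "mcast" };
	int kinds[64];
	int v, i;

	for (v = 0; v < 3; v++) {
		int n = probe_sequence(ucast, app, mcast, nud_state, v, kinds, 64);

		printf("%-32s variant %d: %d probe(s)", label, v, n);
		for (i = 0; i < n && i < 64; i++)
			printf(" %s", names[kinds[i]]);
		printf("%s\n", n ? "" : " (invalidated immediately)");
	}
}

int main(void)
{
	/* Sample configurations (constructed): ucast/app/mcast as the
	 * kernel defaults 3/0/3, opennhrp's 0/N/0, and a mixed daemon setup. */
	show("default 3/0/3, NUD_PROBE", 3, 0, 3, NUD_PROBE);
	show("opennhrp 0/3/0, NUD_PROBE", 0, 3, 0, NUD_PROBE);
	show("opennhrp 0/3/0, NUD_INCOMPLETE", 0, 3, 0, NUD_INCOMPLETE);
	show("mixed 3/2/3, NUD_PROBE", 3, 2, 3, NUD_PROBE);
	return 0;
}
```

Variant 0 gives the opennhrp configuration zero probes in NUD_PROBE, so the entry falls straight to NUD_FAILED and traffic waits on a fresh NUD_INCOMPLETE resolution; both proposals send the three netlink probes instead. The mixed 3/2/3 row is where they part ways: variant 1 sends three unicast probes and then two netlink probes, variant 2 stops after the three unicast probes exactly as the current tree does.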
