Message-ID: <20140327053231.GL22086@order.stressinduktion.org>
Date:	Thu, 27 Mar 2014 06:32:31 +0100
From:	Hannes Frederic Sowa <hannes@...essinduktion.org>
To:	wangyufen <wangyufen@...wei.com>
Cc:	davem@...emloft.net, netdev@...r.kernel.org,
	Alexey Kuznetsov <kuznet@....inr.ac.ru>
Subject: Re: [PATCH net-next v3 2/2] net: tcp_ipv6 policy route issue

On Thu, Mar 27, 2014 at 10:00:34AM +0800, wangyufen wrote:
> On 2014/3/26 15:05, Hannes Frederic Sowa wrote:
> > On Mon, Mar 24, 2014 at 02:25:22PM +0800, Wangyufen wrote:
> >> From: Wang Yufen <wangyufen@...wei.com>
> >>
> >> The issue arises when adding a policy route that specifies a
> >> particular NIC as oif; the policy route did not take effect. The
> >> reason is that fl6.oif is not set and route map failed. From the
> >> tcp_v6_send_response function, if the binding address is linklocal,
> >> fl6.oif is set, but not for global address.
> >>
> >> Signed-off-by: Wang Yufen <wangyufen@...wei.com>
> > 
> > Acked-by: Hannes Frederic Sowa <hannes@...essinduktion.org>
> > 
> > But this looks like a bug to me, so maybe this is something for net
> > inclusion.
> I checked the commit log. I think the changes to ipv6 were incomplete in
> commit 4c67525849e0b7f4bd4fab, which led to this issue.
> In tcp_v6_send_response, fl6.oif can't be directly set to iif for global
> address, but it should not be 0.

Actually, I wonder if

if (rt6_need_strict(&fl6.daddr) || !oif)
	fl6.flowi6_oif = inet6_iif(skb);
else
	fl6.flowi6_oif = oif;

would be ok, too, and would ensure that errors with no sockets would
reach their target with higher probability in case of policy routes.

In routing code we don't do strict lookup unless either we have the
indication by the socket (if available) or destination address is
multicast, linklocal or loopback. Otherwise we only favour flowi6_oif
interfaces.

Bye,

  Hannes
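
The selection rule proposed in the message above, as an added user-space example that is not part of the original mail and is not kernel code. model_need_strict() stands in for rt6_need_strict() using the three destination classes the message names; the function names, addresses and interface indexes are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for rt6_need_strict(): true for the destination
 * classes named in the message (multicast, link-local, loopback). */
static bool model_need_strict(const struct in6_addr *daddr)
{
	return IN6_IS_ADDR_MULTICAST(daddr) ||
	       IN6_IS_ADDR_LINKLOCAL(daddr) ||
	       IN6_IS_ADDR_LOOPBACK(daddr);
}

/* Proposed rule: use the ingress interface when the destination needs a
 * strict lookup or no socket-supplied oif exists; otherwise keep oif.
 * Returns the chosen ifindex, or -1 if the address does not parse. */
static int model_reply_oif(const char *daddr_text, int sock_oif, int iif)
{
	struct in6_addr daddr;

	if (inet_pton(AF_INET6, daddr_text, &daddr) != 1)
		return -1;
	if (model_need_strict(&daddr) || !sock_oif)
		return iif;
	return sock_oif;
}

int main(void)
{
	/* Constructed cases: ifindex 2 is the ingress interface, ifindex 5
	 * is a socket-bound oif, 0 means "no socket" (e.g. a stray segment). */
	static const struct { const char *daddr; int oif; } cases[] = {
		{ "2001:db8::1", 0 },	/* global, no socket  -> iif */
		{ "2001:db8::1", 5 },	/* global, bound oif  -> oif */
		{ "fe80::1", 5 },	/* link-local, strict -> iif */
		{ "ff02::1", 0 },	/* multicast, strict  -> iif */
		{ "::1", 5 },		/* loopback, strict   -> iif */
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-12s oif=%d -> flowi6_oif=%d\n", cases[i].daddr,
		       cases[i].oif, model_reply_oif(cases[i].daddr, cases[i].oif, 2));
	return 0;
}
```

The first case is the one the thread is about: a reply to a global address with no socket still carries a non-zero oif, so a policy rule keyed on an output interface has something to match.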
