lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3586fbc4.12f75.1451de4826d.Coremail.asuka.com@163.com>
Date:	Tue, 1 Apr 2014 23:24:46 +0800 (CST)
From:	"wei zhang" <asuka.com@....com>
To:	"Jesse Gross" <jesse@...ira.com>
Cc:	"David Miller" <davem@...emloft.net>,
	"dev@...nvswitch.org" <dev@...nvswitch.org>,
	netdev <netdev@...r.kernel.org>,
	"Linux Kernel Mailing List" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] openvswitch: supply a dummy err_handler of
 gre_cisco_protocol to prevent kernel crash

At 2014-04-01 08:49:53,"Jesse Gross" <jesse@...ira.com> wrote:
>On Sun, Mar 30, 2014 at 5:12 AM, wei zhang <asuka.com@....com> wrote:
>> At 2014-03-29 06:02:25,"Jesse Gross" <jesse@...ira.com> wrote:

>> Maybe I misunderstand something? I think if we discard all packet pass to us
>> when we use gre vport, new gre_cisco_protocol which has lower priority could
>> not see the packet intended to it.
>
>That's true but in this case it would also not see any data packets,
>so I don't think that situation would work well anyways.
>
>> I checked the implementation of the ipgre_err(), which has be called before
>> the err_handler of gre vport. It use the the (local address, remote address, key)
>> to distinguish the packet which is realy intended to it, although it could not
>> always get the key from the icmp packet. Should we do as the same as it?
>> I'm not sure this is feasible, any advice is appreciate.
>
>OVS does flow based matching rather than using a static set of
>configuration parameters, so everything "matches" in some way
>(although the result might be to drop). 

So the flow based match could dynamically determine by the ovs daemon, we could
not find out the belonging of the packet as far as we call ovs_dp_upcall(), isn't it?

>This generally means that OVS
>is the receiver of last resort and nothing currently has a lower
>priority. 

Thanks for your kind help, this clarify my misunderstanding!

>That actually means the difference between the patches is
>somewhat academic but it seems more robust for the logic to be
>consistent.

Regards,
Wei Zhang 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ