Date: Tue, 8 Apr 2014 14:17:08 -0700
From: Cong Wang <xiyou.wangcong@...il.com>
To: David Miller <davem@...emloft.net>
Cc: Linux Kernel Network Developers <netdev@...r.kernel.org>,
    "Eric W. Biederman" <ebiederm@...ssion.com>,
    Julian Anastasov <ja@....bg>,
    Cong Wang <cwang@...pensource.com>
Subject: Re: [Patch net] ipv4: fib: check forwarding before checking send_redirects

On Tue, Apr 8, 2014 at 1:43 PM, David Miller <davem@...emloft.net> wrote:
> From: Cong Wang <xiyou.wangcong@...il.com>
> Date: Tue, 8 Apr 2014 12:31:22 -0700
>
>> From: Cong Wang <cwang@...pensource.com>
>>
>> We have seen in a weird case we had to disable send_redirects in order
>> to pass rp filter check even though we don't set forwarding at all.
>> This looks wrong, at least according to ip-sysctl.txt send_redirects should
>> only make sense when we enable forwarding.
>>
>> Cc: Eric Biederman <ebiederm@...ssion.com>
>> Cc: Julian Anastasov <ja@....bg>
>> Cc: David S. Miller <davem@...emloft.net>
>> Signed-off-by: Cong Wang <xiyou.wangcong@...il.com>
>> Signed-off-by: Cong Wang <cwang@...pensource.com>
>
> I'm not so sure about this.
>
> This test here is just an optimization, which bypasses the long path
> processing of FIB source address validation if certain strict
> conditions are met.
>
> __fib_validate_source() should do the right thing if it is executed,
> it is just the slow path, and you should determine why it is rejecting
> your traffic instead.
>
> Your change is a valid optimization perhaps, but not a bug fix.

In our case, we have the following setting:

1) rp_filter = 0 (set manually)
2) forwarding = 0 (default)
3) send_redirects = 1 (default)

We are not supposed even to execute __fib_validate_source() in such case,
are we? :)