lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 8 Apr 2014 15:55:12 -0700 From: Cong Wang <xiyou.wangcong@...il.com> To: Julian Anastasov <ja@....bg> Cc: David Miller <davem@...emloft.net>, Linux Kernel Network Developers <netdev@...r.kernel.org>, "Eric W. Biederman" <ebiederm@...ssion.com>, Cong Wang <cwang@...pensource.com> Subject: Re: [Patch net] ipv4: fib: check forwarding before checking send_redirects Thanks for your reply, David and Julian! On Tue, Apr 8, 2014 at 3:15 PM, Julian Anastasov <ja@....bg> wrote: > Yes, the code will fail if input route is > tried on loopback device. My first thought was that > you forgot to 'ip route flush cache' after clearing > rp_filter. > route cache is removed after 3.6, so I don't need to do it? >> which looks good to me too, since the packet has src addr == dst addr. >> >> Which part am I missing? > > What kind of packet is that and why the skb lost its > output route and now it is trying for input route? > Yeah, I just noticed that for normal loopback packets its ->dst are forced to be kept so that it will not need to lookup route again on rx. However, in our case, we redirect the packets from veth0 to lo when src_addr == dst_addr, its ->dst is dropped after coming out of the network namespace, therefore goes into the slow path to validate the reverse path and lookup the route. I think David's point is still valid in this case, __fib_validate_source() should not reject the packets. So hmm... the only reason I can find is the following code: if (fib_lookup(net, &fl4, &res) == 0) { if (res.type == RTN_UNICAST) ret = FIB_RES_NH(res).nh_scope >= RT_SCOPE_HOST; } where its nh_scope == RT_SCOPE_HOST? -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists