Message-Id: <1399856097.16759.116198185.2A93B8D8@webmail.messagingengine.com>
Date:	Sun, 11 May 2014 17:54:57 -0700
From:	Hannes Frederic Sowa <hannes@...essinduktion.org>
To:	Duan Jiong <duanj.fnst@...fujitsu.com>,
	David Miller <davem@...emloft.net>
Cc:	netdev <netdev@...r.kernel.org>
Subject: Re: [PATCH] ipv6: update Destination Cache entries when gateway turn into host

On Thu, May 8, 2014, at 20:24, Duan Jiong wrote:
> 
> RFC 4861 states in 7.2.5:
> 
> 	The IsRouter flag in the cache entry MUST be set based on the
>          Router flag in the received advertisement.  In those cases
>          where the IsRouter flag changes from TRUE to FALSE as a result
>          of this update, the node MUST remove that router from the
>          Default Router List and update the Destination Cache entries
>          for all destinations using that neighbor as a router as
>          specified in Section 7.3.3.  This is needed to detect when a
>          node that is used as a router stops forwarding packets due to
>          being configured as a host.
> 
> Currently, when dealing with an NA message whose IsRouter flag changes from
> TRUE to FALSE, the kernel only removes the router from the Default Router List
> and doesn't update the Destination Cache entries.
> 
> Now, in order to update those Destination Cache entries, I introduce the
> function rt6_clean_tohost().
>
> [...]
>
> +/*remove routers and update dst entries when gateway turn into host.*/
> +static int fib6_clean_tohost(struct rt6_info *rt, void *arg)
> +{
> +	struct in6_addr *gateway = (struct in6_addr *)arg;
> +
> +	if (((rt->rt6i_flags & (RTF_ADDRCONF | RTF_DEFAULT | RTF_GATEWAY))
> +	    == (RTF_ADDRCONF | RTF_DEFAULT | RTF_GATEWAY))
> +	    && ipv6_addr_equal(gateway, &rt->rt6i_gateway)) {
> +		return -1;
> +	} else if (((rt->rt6i_flags & (RTF_GATEWAY | RTF_CACHE))
> +		      == (RTF_GATEWAY | RTF_CACHE))
> +		    && ipv6_addr_equal(gateway, &rt->rt6i_gateway)) {
> +		rt->rt6i_flags |= RTF_REJECT;
> +		rt->dst.error = -ENETUNREACH;
> +	}
> +	return 0;
> +}
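Review bot: The second branch (rt6i_flags matching RTF_GATEWAY | RTF_CACHE) stamps RTF_REJECT and -ENETUNREACH onto every cached route through the gateway, and nothing in the hunk clears that state again if the same node later announces itself as a router, so the error stays sticky after a transient change. The first branch returns -1 so the matching RTF_ADDRCONF | RTF_DEFAULT | RTF_GATEWAY route is removed; consider doing the same for the cached entries (return -1 instead of setting the flags) so they are rebuilt from the current neighbour state on the next lookup rather than carrying a permanent error. Minor points: both branches repeat `ipv6_addr_equal(gateway, &rt->rt6i_gateway)`, which can be hoisted into a single early `if (!ipv6_addr_equal(gateway, &rt->rt6i_gateway)) return 0;`; the comment should read `/* remove routers and update dst entries when gateway turns into host. */` with the usual spacing; and the commit message names the function rt6_clean_tohost() while the hunk defines fib6_clean_tohost(), so the two should agree.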

I am not so happy with that but have not tried that.

The Destination Cache you quote from the RFC (if you follow 7.3.3.) actually refers to the neighbouring
subsystem, where we would need to generate subsequent errors in case we try to forward a packet
through this particular router.

The reason why I am not that happy is that the semantics when neighbour nodes are cleared are well
defined, but we don't have those semantics when those rt6_nodes get cleared up. E.g. consider a router
which just temporarily switches forwarding off and on.

I guess we need to inspect NTF_ROUTER flag in the output path somehow. :/

Greetings,

  Hannes
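The behaviour the thread argues about, as a self-contained model added to this archive page (it is not kernel code, not part of the patch, and not written by either correspondent): a Neighbor Cache with an IsRouter flag, a Default Router List, and a Destination Cache whose entries carry a next hop. An NA whose R flag goes from TRUE to FALSE removes the router from the list and invalidates the next hop of the affected Destination Cache entries (RFC 4861 7.2.5), so that next-hop determination runs again (7.3.3) and an error is produced at lookup time from current state rather than being stamped permanently onto a route. A later RA from the same node (6.3.4) makes it usable again, which is the "temporarily off and on" case raised above. All struct and function names, the array sizes, and the constructed addresses are assumptions of this example; every destination is treated as off-link to keep it short.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_NEIGH 8
#define MAX_DST   16

typedef struct { uint8_t b[16]; } in6_t;                              /* raw IPv6 address */
struct neigh_entry { bool used, is_router; in6_t addr; };             /* IsRouter, RFC 4861 */
struct dst_entry   { bool used, has_nexthop; in6_t dest, nexthop; };  /* !has_nexthop: redo 7.3.3 */
struct node {
    struct neigh_entry ncache[MAX_NEIGH];
    struct dst_entry   dcache[MAX_DST];
    in6_t default_routers[MAX_NEIGH];
    int   n_default_routers;
};

static bool addr_eq(const in6_t *a, const in6_t *b) { return memcmp(a->b, b->b, 16) == 0; }

/* Find the Neighbor Cache entry for addr; create it if asked and a slot is free. */
static struct neigh_entry *neigh_lookup(struct node *n, const in6_t *addr, bool create)
{
    struct neigh_entry *slot = NULL;
    for (int i = 0; i < MAX_NEIGH; i++) {
        if (n->ncache[i].used && addr_eq(&n->ncache[i].addr, addr))
            return &n->ncache[i];
        if (!n->ncache[i].used && !slot)
            slot = &n->ncache[i];
    }
    if (!create || !slot)
        return NULL;
    slot->used = true; slot->is_router = false; slot->addr = *addr;
    return slot;
}

static void default_router_del(struct node *n, const in6_t *addr)
{
    for (int i = 0; i < n->n_default_routers; i++)
        if (addr_eq(&n->default_routers[i], addr)) {
            n->default_routers[i] = n->default_routers[--n->n_default_routers];
            return;
        }
}

/* RFC 4861 6.3.4: an RA with non-zero Router Lifetime puts the sender on the
 * Default Router List and sets IsRouter. Returns 0, or -1 if the cache is full. */
int node_receive_ra(struct node *n, const in6_t *src, unsigned lifetime)
{
    struct neigh_entry *ne = neigh_lookup(n, src, true);
    if (!ne) return -1;
    ne->is_router = true;
    default_router_del(n, src);                                   /* no duplicates */
    if (lifetime > 0 && n->n_default_routers < MAX_NEIGH)
        n->default_routers[n->n_default_routers++] = *src;
    return 0;
}

/* RFC 4861 7.2.5: IsRouter follows the NA's R flag. On TRUE->FALSE the sender
 * leaves the Default Router List and each Destination Cache entry that used it as
 * next hop is invalidated so next-hop determination (7.3.3) runs again; no entry is
 * marked permanently unreachable. Returns the number of entries invalidated, or -1
 * for a sender that is not in the Neighbor Cache. */
int node_receive_na(struct node *n, const in6_t *src, bool router_flag)
{
    struct neigh_entry *ne = neigh_lookup(n, src, false);
    int invalidated = 0;
    if (!ne) return -1;
    bool was_router = ne->is_router;
    ne->is_router = router_flag;
    if (!was_router || router_flag)
        return 0;
    default_router_del(n, src);
    for (int i = 0; i < MAX_DST; i++)
        if (n->dcache[i].used && n->dcache[i].has_nexthop && addr_eq(&n->dcache[i].nexthop, src)) {
            n->dcache[i].has_nexthop = false;
            invalidated++;
        }
    return invalidated;
}

/* Simplified next-hop determination: a valid cached next hop is reused, otherwise the
 * first default router is taken. Returns 0 and fills *out, or -1 when no router is
 * available (the point at which a real stack would report ENETUNREACH). */
int node_next_hop(struct node *n, const in6_t *dest, in6_t *out)
{
    struct dst_entry *d = NULL, *slot = NULL;
    for (int i = 0; i < MAX_DST && !d; i++) {
        if (n->dcache[i].used && addr_eq(&n->dcache[i].dest, dest))
            d = &n->dcache[i];
        else if (!n->dcache[i].used && !slot)
            slot = &n->dcache[i];
    }
    if (!d && slot) {
        d = slot; d->used = true; d->has_nexthop = false; d->dest = *dest;
    }
    if (!d || (!d->has_nexthop && n->n_default_routers == 0))
        return -1;
    if (!d->has_nexthop) {
        d->nexthop = n->default_routers[0];
        d->has_nexthop = true;
    }
    *out = d->nexthop;
    return 0;
}

/* A router turns forwarding off (NA with R=0) and on again (fresh RA); addresses are
 * constructed. Returns 0 if every step behaves as described, else the failing step. */
int demo_router_flap(void)
{
    static const in6_t r1  = {{0xfe,0x80, 0,0,0,0,0,0, 0,0,0,0,0,0, 0,1}};
    static const in6_t dst = {{0x20,0x01,0x0d,0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,1}};
    struct node n; in6_t nh;
    memset(&n, 0, sizeof n);
    if (node_receive_ra(&n, &r1, 1800) != 0) return 1;
    if (node_next_hop(&n, &dst, &nh) != 0 || !addr_eq(&nh, &r1)) return 2;
    if (node_receive_na(&n, &r1, false) != 1) return 3;             /* entry invalidated */
    if (node_next_hop(&n, &dst, &nh) != -1) return 4;               /* no router left */
    if (node_receive_ra(&n, &r1, 1800) != 0) return 5;              /* forwarding back on */
    if (node_next_hop(&n, &dst, &nh) != 0 || !addr_eq(&nh, &r1)) return 6;
    return 0;
}
```

The difference from the patch is where the error lives: here step 4 fails only because the Default Router List is empty at lookup time, so the fresh RA in step 5 makes the same destination reachable again without anyone having to find and un-reject a cached route.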