lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Mon, 23 Jun 2014 10:28:41 -0700
From:	Ben Greear <greearb@...delatech.com>
To:	Hannes Frederic Sowa <hannes@...essinduktion.org>
CC:	netdev@...r.kernel.org
Subject: Re: [PATCH 2/2] ipv6:  Allow accepting RA from local IP addresses.

On 06/23/2014 01:29 AM, Hannes Frederic Sowa wrote:
> On Fr, 2014-06-20 at 09:31 -0700, Ben Greear wrote:
>> On 06/20/2014 08:40 AM, Hannes Frederic Sowa wrote:
>>> On Mi, 2014-06-18 at 10:50 -0700, greearb@...delatech.com wrote:
>>>> From: Ben Greear <greearb@...delatech.com>
>>>>
>>>> This can be used in virtual networking applications, and
>>>> may have other uses as well.  The option is disabled by
>>>> default, so no change to current operating behaviour
>>>> without the user explicitly changing the behaviour.
>>>
>>> Can you give a specific example for its use case? I currently don't see
>>> the need for such an option.
>>
>> I put radvd on one veth endpoint, and use other veth endpoint to act
>> as normal-ish endpoint with IPv6.
>>
>> The one with radvd enables routing, using specific rules so that it
>> can only route to a few other interfaces.
>>
>> Basically, I can emulate multi-hop routed and bridged networks, including with
>> OSPF and such on a single machine without the use of network
>> namespaces or virtual machines.
>>
>> We use this to make network testing products, but I figure someone somewhere
>> will find a different reason to want this.  As far as I know, this used to
>> work w/out any kernel hacks, though I have not specifically verified
>> this.  It did show up as a regression in our testing, but possibly we
>> failed to test it properly years ago...
> 
> Ok, I see your point.
> 
> The forwarding knob is not always handled on a per-interface basis
> because in some situations we don't know which interface we need to
> process the packet on beforehand.
> 
> I don't know... In the end, it doesn't seem to cause any problems to me,
> even if enabled, and you actually seem to use this feature, so should be
> fine by me. Also, we already have some strange sysctls to play with.
> 
>>>> -	if (ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr,
>>>> +	if (!(in6_dev->cnf.accept_ra_from_local ||
>>>> +	      dev_net(in6_dev->dev)->ipv6.devconf_all->accept_ra_from_local) &&
>>>> +	    ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr,
>>>>  			  NULL, 0)) {
>>>>  		ND_PRINTK(2, info,
>>>>  			  "RA: %s, chk_addr failed for dev: %s\n",
>>>> @@ -1293,7 +1295,9 @@ skip_linkparms:
>>>>  	}
>>>>  
>>>>  #ifdef CONFIG_IPV6_ROUTE_INFO
>>>> -	if (ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr,
>>>> +	if (!(in6_dev->cnf.accept_ra_from_local ||
>>>> +	      dev_net(in6_dev->dev)->ipv6.devconf_all->accept_ra_from_local) &&
>>>> +	    ipv6_chk_addr(dev_net(in6_dev->dev), &ipv6_hdr(skb)->saddr,
>>>>  			  NULL, 0)) {
>>>>  		ND_PRINTK(2, info,
>>>>  			  "RA: %s, chk-addr (route info) is false for dev: %s\n",
>>>
>>> Maybe ipv6_accept_ra_local() like ipv6_accept_ra() static local to the
>>> file?
>>
>> I don't have a preference either way, but will make the change if it helps
>> upstream acceptance.
> 
> Just thought it would make the code a bit more readable.
> 
>>> Also I am not sure if we want to provide an devconf_all for this setting
>>> at all, like we don't evaluate it for accept_ra, too. At least I
>>> wouldn't do so with the current state of ipv6/conf/{all,default}.
>>
>> We often have thousands of interfaces on a system, it saves effort to
>> set this globally.  Note that it will not over-ride any other restraints,
>> so a routed interface will still not accept RA unless additional
>> existing procfs config changes are made, etc.
>>
>> Both global and per-interface default to disabling this new feature,
>> so I think it is safe as I have written it.
> 
> How do you handle the forwarding flag? You enable forwarding globally
> and afterwards you disable it again on some interfaces? Otherwise you
> won't get correct forwarding behavior.
> 
> Hm, I still don't like it to be a possible global setting (I am in favor
> that it gets handled like ipv6_accept_ra). It looks much clearer to me
> if it would behave like the accept_ra knob. Is it a problem to enable it
> only on a per interface basis regarding races when the interfaces get
> instantiated?

I disable forwarding on all interfaces, then specifically enable it on the
ones in virtual routers.  It seems to work as expected.  I recall we do
have a multicast bug open for ipv6, but it's low priority and I have not
looked at the problem in detail yet.  Possibly it is related to some
of this...

I can make accept-local-ra a strictly per-interface setting.

I'll post a new patch soon-ish.

Thanks,
Ben


-- 
Ben Greear <greearb@...delatech.com>
Candela Technologies Inc  http://www.candelatech.com

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ