lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Wed, 29 Oct 2014 09:49:57 +0100
From:	Pierre Pfister <pierre@...ou.fr>
To:	Pierre Pfister <pierre@...ou.fr>
Cc:	Daniel Borkmann <dborkman@...hat.com>, netdev@...r.kernel.org,
	liuhangbin@...il.com
Subject: Re: ipv6 mld: packets are not looped back to/from kernel/querier

It doesn’t work with 3.16 neither.

Cheers,

- Pierre

Le 29 oct. 2014 à 09:14, Pierre Pfister <pierre@...ou.fr> a écrit :

> Thanks for the quick answer,
> 
> See inline,
> 
> Le 28 oct. 2014 à 19:17, Daniel Borkmann <dborkman@...hat.com> a écrit :
> 
>> On 10/28/2014 05:32 PM, Pierre Pfister wrote:
>>> Hello,
>>> 
>>> I’m implementing a dual-stack multicast querier (IGMPv3 and MLDv2) along with the PIM protocol.
>>> So I’ve got two multicast sockets, one for each protocol.
>>> 
>>> I open the two sockets like this:
>>> 
>>> ——————————————————
>>> fd = socket(AF_INET, SOCK_RAW, IPPROTO_IGMP);
>>> val = 1;
>>> setsockopt(fd, IPPROTO_IP, MRT_INIT, &val, sizeof(val));
>>> setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &val, sizeof(val));
>>> setsockopt(fd, IPPROTO_IP, IP_MULTICAST_TTL, &val, sizeof(val));
>>> val = 0xc0;
>>> setsockopt(fd, IPPROTO_IP, IP_TOS, &val, sizeof(val));
>>> setsockopt(fd, IPPROTO_IP, IP_OPTIONS, &ipv4_rtr_alert, sizeof(ipv4_rtr_alert))
>>> 
>>> fd = socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6);
>>> val = 1;
>>> setsockopt(fd, IPPROTO_IPV6, MRT6_INIT, &val, sizeof(val));
>>> setsockopt(fd, IPPROTO_IPV6, IPV6_RECVHOPOPTS, &val, sizeof(val));
>>> setsockopt(fd, IPPROTO_IPV6, IPV6_RECVHOPLIMIT, &val, sizeof(val));
>>> setsockopt(fd, IPPROTO_IPV6, IPV6_MULTICAST_HOPS, &val, sizeof(val));
>>> val = 2;
>>> setsockopt(fd, IPPROTO_RAW, IPV6_CHECKSUM, &val, sizeof(val));
>>> setsockopt(fd, IPPROTO_IPV6, IPV6_HOPOPTS, &ipv6_rtr_alert, sizeof(ipv6_rtr_alert));
>> 
>> What kernel are you using? How do you setup ipv6_rtr_alert here?
>> 
>> For inbound queries in IPv6, the kernel might be more picky after
>> [correct] commit e940f5d6ba6a ("ipv6: Fix MLD Query message check"),
>> so you need to make sure you have hop limit of 1 and a proper set
>> up RA option …
> 
> I can reproduce the problem with both 3.10.28 and 3.14-0. I will try to try a later version.
> I don’t think the packet itself can be a problem as other routers correctly receive it.
> The problem comes with loopbacking to kernel and userspace (Depending whether the kernel or querier sent it).
> 
> Here is the router alert struct.
> static struct {
> 	struct ip6_hbh hdr;
> 	struct ip6_opt_router rt;
> 	uint8_t pad[2];
> } ipv6_rtr_alert = {
> 	.hdr = {0, 0},
> 	.rt = {IP6OPT_ROUTER_ALERT, 2, {0, IP6_ALERT_MLD}},
> 	.pad = {0, 0}
> }
> 
> I also checked what that commit checks (wiresharked), and everything seems correct.
> 
> Thanks,
> 
> - Pierre
> 
> 
> 
>> 
>>> struct icmp6_filter flt;
>>> ICMP6_FILTER_SETBLOCKALL(&flt);
>>> ICMP6_FILTER_SETPASS(ICMPV6_MGM_QUERY, &flt);
>>> ICMP6_FILTER_SETPASS(ICMPV6_MGM_REPORT, &flt);
>>> ICMP6_FILTER_SETPASS(ICMPV6_MGM_REDUCTION, &flt);
>>> ICMP6_FILTER_SETPASS(ICMPV6_MLD2_REPORT, &flt);
>>> setsockopt(fd, IPPROTO_ICMPV6, ICMP6_FILTER, &flt, sizeof(flt));
>>> ——————————————————————
>>> 
>>> I’ve got two issues with the IPv6 socket.
>>> When I send an MLD query, it is sent on the wire, but the kernel doesn’t interpret it (It doesn’t send MLD Reports as reply).
>>> Similarly, when the kernel sends a Report, my MLD Querier socket doesn’t receive the message.
>>> 
>>> The resulting problem is that everything works fine as long as the router doesn’t want to join a group. When it does, my Querier can’t know it, and the kernel doesn’t reply to Querier’s requests.
>>> 
>>> It works well in IPv4.
>>> 
>>> I tried removing the ICMPV6 filter as well as using IPV6_MULTICAST_LOOP.
>>> 
>>> Am I doing something wrong or is it an actual bug ?
>>> If you need more information, please ask.
>>> 
>>> Thanks,
>>> 
>>> 
>>> Pierre
>>> 
>>> 
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe netdev" in
>>> the body of a message to majordomo@...r.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>> 
>> --
>> To unsubscribe from this list: send the line "unsubscribe netdev" in
>> the body of a message to majordomo@...r.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ