Date:	Wed, 15 Apr 2015 12:20:42 +0200
From:	Nicolas Dichtel <nicolas.dichtel@...nd.com>
To:	Herbert Xu <herbert@...dor.apana.org.au>, netdev@...r.kernel.org,
	"Eric W. Biederman" <ebiederm@...ssion.com>
Subject: Re: ip_tunnel: Remove gratuitous skb scrubbing

On 15/04/2015 12:01, Herbert Xu wrote:
> The commit ea23192e8e577dfc51e0f4fc5ca113af334edff9 ("tunnels:
> harmonize cleanup done on skb on rx path") broke anyone trying to
> use netfilter marking across IPv4 tunnels.  As the commit message
> did not give any justification for this (in fact it shouldn't
> even be touching the tx path), I can only assume that it was a typo.
If I remember well, this was discussed on netdev (CC Eric). The goal of this
patch was, like the title said, to harmonize packet processing in tunnels.
I'm not against keeping the mark, but I think patching skb_scrub_packet is
better. With your patch, ip6tnl, gre6, etc. still drop the mark. And in the
end, it's not consistent.

What about something like this:

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 3b6e5830256e..1d5f6bd0e383 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4124,14 +4124,15 @@ EXPORT_SYMBOL(skb_try_coalesce);
   */
  void skb_scrub_packet(struct sk_buff *skb, bool xnet)
  {
-	if (xnet)
+	if (xnet) {
  		skb_orphan(skb);
+		skb->mark = 0;
+	}
  	skb->tstamp.tv64 = 0;
  	skb->pkt_type = PACKET_HOST;
  	skb->skb_iif = 0;
  	skb->ignore_df = 0;
  	skb_dst_drop(skb);
-	skb->mark = 0;
  	skb_sender_cpu_clear(skb);
  	skb_init_secmark(skb);
  	secpath_reset(skb);
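
Review bot: the comment block that closes just above skb_scrub_packet() should be updated together with the move of `skb->mark = 0` into the `if (xnet)` branch, because the mark now survives for every caller that passes xnet == false, not only the tunnel paths discussed in this thread. Suggest documenting there that the mark is reset only when the packet crosses a namespace boundary, and listing in the commit message which callers pass false so reviewers can confirm none depended on the unconditional reset for netfilter or policy-routing decisions.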