| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 7 Aug 2015 15:07:31 -0700 From: Jesse Gross <jesse@...ira.com> To: Joe Stringer <joestringer@...ira.com> Cc: Thomas Graf <tgraf@...g.ch>, Hannes Frederic Sowa <hannes@...hat.com>, Linux Netdev List <netdev@...r.kernel.org>, Linux Kernel <linux-kernel@...r.kernel.org>, Pablo Neira Ayuso <pablo@...filter.org>, Patrick McHardy <kaber@...sh.net>, Justin Pettit <jpettit@...ira.com>, Pravin Shelar <pshelar@...ira.com>, Andy Zhou <azhou@...ira.com>, Florian Westphal <fwestpha@...hat.com> Subject: Re: [PATCH net-next 1/9] openvswitch: Scrub packet in ovs_vport_receive() On Tue, Aug 4, 2015 at 9:40 PM, Joe Stringer <joestringer@...ira.com> wrote: > On 1 August 2015 at 12:17, Thomas Graf <tgraf@...g.ch> wrote: >> On 07/31/15 at 10:51am, Joe Stringer wrote: >>> On 31 July 2015 at 07:34, Hannes Frederic Sowa <hannes@...hat.com> wrote: >>> > In general, this shouldn't be necessary as the packet should already be >>> > scrubbed before they arrive here. >>> > >>> > Could you maybe add a WARN_ON and check how those skbs with conntrack >>> > data traverse the stack? I also didn't understand why make it dependent >>> > on the socket. >>> >>> OK, sure. One case I could think of is with an OVS internal port in >>> another namespace, directly attached to the bridge. I'll have a play >>> around with WARN_ON and see if I can come up with something more >>> trimmed down. >> >> The OVS internal port will definitely pass through an unscrubbed >> packet across namespaces. I think the proper thing to do would be >> to scrub but conditionally keep metadata. > > It's only "unscrubbed" when receiving from local stack at the moment. > Some pieces are cleared when handing towards the local stack, and > there's no configuration for that behaviour. Presumably internal port > transmit and receive should mirror each other? > > I don't have a specific use case either way. The remaining code for > this series handles this case correctly, it's just a matter of what > behaviour we're looking for. We could implement the flag as you say, I > presume that userspace would need to specify this during vport > creation and the default should work similar to the existing behaviour > (ie, keep metadata). One thing that's not entirely clear to me is > exactly which metadata should be represented by this flag and whether > the single flag is expressive enough. I would prefer not to have a flag as it seems unnecessarily complicated (doubly so if we try to have multiple flags to express different combinations). The use case for moving internal ports to different namespaces is pretty narrow, so it seems like we can just pick a set of metadata to keep and go with that. Mark seems the primary one to me. I also think that it would be better to use skb->dev to determine the original namespace rather than the socket. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists