| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 8 Sep 2015 21:59:50 +0200
From: Nikolay Aleksandrov <nikolay@...ulusnetworks.com>
To: Roopa Prabhu <roopa@...ulusnetworks.com>, davem@...emloft.net
Cc: nicolas.dichtel@...nd.com, mkubecek@...e.cz,
Mazziesaccount@...il.com, hannes@...essinduktion.org,
kuznet@....inr.ac.ru, jmorris@...ei.org, yoshfuji@...ux-ipv6.org,
netdev@...r.kernel.org
Subject: Re: [PATCH net v4] ipv6: fix multipath route replace error recovery
On 09/08/2015 07:53 PM, Roopa Prabhu wrote:
> From: Roopa Prabhu <roopa@...ulusnetworks.com>
>
> Problem:
> The ecmp route replace support for ipv6 in the kernel, deletes the
> existing ecmp route too early, ie when it installs the first nexthop.
> If there is an error in installing the subsequent nexthops, its too late
> to recover the already deleted existing route leaving the fib
> in an inconsistent state.
>
> This patch reduces the possibility of this by doing the following:
> a) Changes the existing multipath route add code to a two stage process:
> build rt6_infos + insert them
> ip6_route_add rt6_info creation code is moved into
> ip6_route_info_create.
> b) This ensures that most errors are caught during building rt6_infos
> and we fail early
> c) Separates multipath add and del code. Because add needs the special
> two stage mode in a) and delete essentially does not care.
> d) In any event if the code fails during inserting a route again, a
> warning is printed (This should be unlikely)
>
> Before the patch:
> $ip -6 route show
> 3000:1000:1000:1000::2 via fe80::202:ff:fe00:b dev swp49s0 metric 1024
> 3000:1000:1000:1000::2 via fe80::202:ff:fe00:d dev swp49s1 metric 1024
> 3000:1000:1000:1000::2 via fe80::202:ff:fe00:f dev swp49s2 metric 1024
>
> /* Try replacing the route with a duplicate nexthop */
> $ip -6 route change 3000:1000:1000:1000::2/128 nexthop via
> fe80::202:ff:fe00:b dev swp49s0 nexthop via fe80::202:ff:fe00:d dev
> swp49s1 nexthop via fe80::202:ff:fe00:d dev swp49s1
> RTNETLINK answers: File exists
>
> $ip -6 route show
> /* previously added ecmp route 3000:1000:1000:1000::2 dissappears from
> * kernel */
>
> After the patch:
> $ip -6 route show
> 3000:1000:1000:1000::2 via fe80::202:ff:fe00:b dev swp49s0 metric 1024
> 3000:1000:1000:1000::2 via fe80::202:ff:fe00:d dev swp49s1 metric 1024
> 3000:1000:1000:1000::2 via fe80::202:ff:fe00:f dev swp49s2 metric 1024
>
> /* Try replacing the route with a duplicate nexthop */
> $ip -6 route change 3000:1000:1000:1000::2/128 nexthop via
> fe80::202:ff:fe00:b dev swp49s0 nexthop via fe80::202:ff:fe00:d dev
> swp49s1 nexthop via fe80::202:ff:fe00:d dev swp49s1
> RTNETLINK answers: File exists
>
> $ip -6 route show
> 3000:1000:1000:1000::2 via fe80::202:ff:fe00:b dev swp49s0 metric 1024
> 3000:1000:1000:1000::2 via fe80::202:ff:fe00:d dev swp49s1 metric 1024
> 3000:1000:1000:1000::2 via fe80::202:ff:fe00:f dev swp49s2 metric 1024
>
> Fixes: 27596472473a ("ipv6: fix ECMP route replacement")
> Signed-off-by: Roopa Prabhu <roopa@...ulusnetworks.com>
>
> v1 - v2 : fix leak
> v2 - v3: fix 'Fixes' tag and warn msg (feedback from nicolas)
> resending against net
> v3 - v4: reword warn msg (feedback from nicolas). I still print the
> nexthops in the warning to help user know the offending
> route replace. The msg is printed for each nexthop which I
> think should be ok because this is consistent with all other cases
> (notifications etc) where IPV6 multipath nexthops are
> treated as individual routes and this warn should be very
> unlikely.
> ---
> net/ipv6/route.c | 201 ++++++++++++++++++++++++++++++++++++++++++++++++-------
> 1 file changed, 175 insertions(+), 26 deletions(-)
>
I went over it and also ran a few tests with the change, IMO printing
the offending entry is helpful to analyze the problem.
FWIW,
Reviewed-by: Nikolay Aleksandrov <nikolay@...ulusnetworks.com>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists