Message-ID: <m2a8rs7crl.wl@gmail.com>
Date:	Fri, 09 Oct 2015 15:54:22 +0900
From:	Hajime Tazaki <thehajime@...il.com>
To:	dsa@...ulusnetworks.com
Cc:	netdev@...r.kernel.org, steffen.klassert@...unet.com
Subject: Re: [PATCH net-next] net: Fix vti use case with oif in dst lookups for IPv6


Hello David,

At Mon,  5 Oct 2015 08:32:51 -0600,
David Ahern wrote:

> 
> diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
> index 30caa289c5db..5cedfda4b241 100644
> --- a/net/ipv6/xfrm6_policy.c
> +++ b/net/ipv6/xfrm6_policy.c
> @@ -37,6 +37,7 @@ static struct dst_entry *xfrm6_dst_lookup(struct net *net, int tos, int oif,
>  
>  	memset(&fl6, 0, sizeof(fl6));
>  	fl6.flowi6_oif = oif;
> +	fl6.flowi6_flags = FLOWI_FLAG_SKIP_NH_OIF;
>  	memcpy(&fl6.daddr, daddr, sizeof(fl6.daddr));
>  	if (saddr)
>  		memcpy(&fl6.saddr, saddr, sizeof(fl6.saddr));
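
Review bot: The new `fl6.flowi6_flags = FLOWI_FLAG_SKIP_NH_OIF;` line in xfrm6_dst_lookup() sets the flag unconditionally, for every lookup and every value of `oif`, and nothing in this hunk shows the IPv6 route lookup reading it. Please either include the IPv6 consumer of the flag in the same patch or name it in the commit message, and add a short comment above the assignment saying why xfrm lookups must not treat `flowi6_oif` as a strict output-device constraint.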

I found that this fix is still not sufficient with the mip6
(Mobile IPv6) use case.

FLOWI_FLAG_SKIP_NH_OIF is not checked anywhere else in ipv6
code, in ip6_route_output() etc.

Even if I added the check (like below), MH packets are not
sent at all from mobile node, home agent.

Do you have any idea?

I have a reproducible setup here with mip6. Let me know if
you need further information.


diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 8c0898796ffb..0aba308b5ea3 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1169,9 +1169,9 @@ struct dst_entry *ip6_route_output(struct net *net, const struct sock *sk,
 
        fl6->flowi6_iif = LOOPBACK_IFINDEX;
 
-       if ((sk && sk->sk_bound_dev_if) || rt6_need_strict(&fl6->daddr))
+       if ((sk && sk->sk_bound_dev_if) || rt6_need_strict(&fl6->daddr) ||
+           (!(fl6->flowi6_flags & FLOWI_FLAG_SKIP_NH_OIF) && fl6->flowi6_oif))
                flags |= RT6_LOOKUP_F_IFACE;

        if (!ipv6_addr_any(&fl6->saddr))
                flags |= RT6_LOOKUP_F_HAS_SADDR;
        else if (sk)
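
Review bot: The added term `(!(fl6->flowi6_flags & FLOWI_FLAG_SKIP_NH_OIF) && fl6->flowi6_oif)` in ip6_route_output() turns on RT6_LOOKUP_F_IFACE for every flow that has a non-zero `flowi6_oif` and does not carry the flag, which widens strict-interface matching for all callers of this function rather than only the xfrm path. The flag also has no effect when `sk->sk_bound_dev_if` is set or `rt6_need_strict()` is true, since those terms still set RT6_LOOKUP_F_IFACE on their own. If the intent is only to let flagged flows bypass the oif constraint, express it as a separate check that leaves the existing condition alone, and say in the changelog which callers are expected to change behaviour. The hunk is also indented with spaces instead of tabs, so it will not apply as posted.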

-- Hajime