Open Source and information security mailing list archives
Message-ID: <CAHo-OoyuH=XFFNs+J_s0ws_RsAXkzF5AuafFPaevg8UV35iT+w@mail.gmail.com>
Date:	Tue, 17 Nov 2015 19:57:00 -0800
From:	Maciej Żenczykowski <zenczykowski@...il.com>
To:	Stephen Hemminger <stephen@...workplumber.org>
Cc:	Lorenzo Colitti <lorenzo@...gle.com>,
	Linux NetDev <netdev@...r.kernel.org>,
	Eric Dumazet <edumazet@...gle.com>, ek@...gle.com,
	dtor@...gle.com
Subject: Re: Add a SOCK_DESTROY operation to close sockets from userspace

I don't know what the right fix is...

However, speaking as an end user with laptops on wifi and/or home
gateways on dialup connections where the IP address occasionally (or
constantly) changes, I find it very frustrating that by default as IP
addresses get removed from interfaces all the related state (whether
conntrack or open connections) doesn't get cleaned up.

[side note: I realize there is tooling to do this manually from
userspace for conntrack and that there are even some gateways that
correctly make use of it.]

Sure this might not be desirable on servers (where configuration is
usually static and complex) but on most end user devices (CPE, cell
phone, laptop) - that are prone to roaming in today's world - this (or
something like this) would be super useful.

I would almost argue it should be the default (or controlled by
sysctl) - hung connections are super frustrating, and they often
prevent normal retry logic (i.e. establishing a new connection) from
functioning correctly, because the kernel is just waiting for some
enormous TCP (retransmit) timeouts that only make sense if we still
own the IP, and userspace thinks everything is still OK...  If we
don't even own the IP any more, often retransmits just get blackholed
so you don't even get notifications from the network of packet
delivery problems.

Something like this either needs to be implemented in kernel, or APIs
need to be provided so that network manager (or your favourite
userspace network management utility) can act on behalf of the user to
clean stuff up.

In general I'm not in favour of embedding logic like this in the
kernel since you usually get more configurability if you leave it in
userspace.

Sure you can hack something together via firewall hacks and routing
hacks or injecting TCP resets via raw sockets, but that requires a lot
of work, and still doesn't cover everything (firewall and routing
hacks won't fix idle sockets, in particular those waiting for a
message from the other side of the connection, i.e. push notifications
for a cell phone).

- Maciej
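As an added example that is not part of Maciej's message or of the SOCK_DESTROY patch, the script below finds ESTABLISHED TCP sockets whose local address is no longer configured on the host, which is the hung-connection state described above; the /proc/net/tcp lines and the set of interface addresses are constructed sample data so it runs offline.

```python
# Added example: detect TCP sockets stranded by an IP address removal.
# On a live host you would read /proc/net/tcp and the output of
# `ip -4 addr` instead of the constructed data below.
import socket
import struct

# Constructed sample in /proc/net/tcp layout (hex little-endian IPv4:port).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 6400A8C0:C2E4 0A00000A:01BB 01 00000000:00000000 01:00000A3C 00000005  1000        0 23456 2 0000000000000000 20 4 30 10 -1
   2: 0201A8C0:D7A4 0A00000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""

# Constructed: addresses currently configured on the host's interfaces.
# The old wifi lease 192.168.0.100 is gone; 192.168.1.2 is still owned.
CURRENT_ADDRS = {"127.0.0.1", "192.168.1.2"}

TCP_ESTABLISHED = 0x01


def parse_hex_endpoint(field):
    """Decode '6400A8C0:C2E4' into ('192.168.0.100', 49892)."""
    addr_hex, port_hex = field.split(":")
    # /proc/net/tcp prints the IPv4 address as a little-endian 32-bit value.
    packed = struct.pack("<I", int(addr_hex, 16))
    return socket.inet_ntoa(packed), int(port_hex, 16)


def stale_established_sockets(proc_net_tcp_text, owned_addrs):
    """Return (local, remote, retransmits) for ESTABLISHED sockets whose
    local address the host no longer owns; these can only sit and time out."""
    stale = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip header row
        fields = line.split()
        if len(fields) < 7:
            continue
        local = parse_hex_endpoint(fields[1])
        remote = parse_hex_endpoint(fields[2])
        state = int(fields[3], 16)
        retrnsmt = int(fields[6], 16)  # retransmit counter (hex)
        if state == TCP_ESTABLISHED and local[0] not in owned_addrs:
            stale.append((local, remote, retrnsmt))
    return stale


if __name__ == "__main__":
    for local, remote, rtx in stale_established_sockets(SAMPLE_PROC_NET_TCP, CURRENT_ADDRS):
        print(f"stale: {local[0]}:{local[1]} -> {remote[0]}:{remote[1]} retransmits={rtx}")
```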