| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 9 Mar 2016 13:49:49 -0800 From: Mahesh Bandewar <mahesh@...dewar.net> To: David Miller <davem@...emloft.net> Cc: Mahesh Bandewar <maheshb@...gle.com>, Eric Dumazet <edumazet@...gle.com>, netdev <netdev@...r.kernel.org> Subject: [PATCH next v2 0/7] Introduce l3_dev pointer for L3 processing From: Mahesh Bandewar <maheshb@...gle.com> One of the major request (for enhancement) that I have received from various users of IPvlan in L3 mode is its inability to handle IPtables. While looking at the code and how we handle ingress, the problem can be attributed to the asymmetry in the way packets get processed for IPvlan devices configured in L3 mode. L3 mode is supposed to be restrictive and all the L3 decisions need to be taken for the traffic in master's ns. This does happen as expected for egress traffic however on ingress traffic, the IPvlan packet-handler changes the skb->dev and this forces packet to be processed with the IPvlan slave and it's associated ns. This causes above mentioned problem and few other which are not yet reported / attempted. e.g. IPsec with L3 mode or even ingress routing. This could have been solved if we had a way to handover packet to slave and associated ns after completing the L3 phase. This is a non-trivial issue to fix especially looking at IPsec code. This patch series attempts to solve this problem by introducing the device pointer l3_dev which resides in net_device structure in the RX cache line. We initialize the l3_dev to self. This would mean there is no complex logic to when-and-how-to initialize it. Now the stack will use this dev pointer during the L3 phase. This should not alter any existing properties / behavior and also there should not be any additional penalties since it resides in the same RX cache line. Now coming back to IPvlan setup. The typical IPvlan L3 setup where master is in default-ns while the slaves are put inside different (slave) net-ns. During the initialization phase, the driver can make l3_dev for each slave to point to its master-device. This will solve the current IPT problem as well as make the packet processing symmetric from stack perspective. For all other packet processing since dev->l3_dev is same as dev, there should not be any behavioral or functional change. Mahesh Bandewar (7): dev: Add netif_get_l3_dev() helper dev: Update packet dispatcher to pass l3_dev as an input device ipv4: Use l3_dev for L3 ingress processing ipv6: Use l3_dev for L3 ingress processing raw: Use l3_dev for L3 ingress raw packet delivery xfrm: Use l3_dev for xfrm policy checks. ipvlan: Implement L3-symmetric mode. drivers/net/ipvlan/ipvlan_main.c | 16 +++++++++------- include/linux/netdevice.h | 6 ++++++ include/net/xfrm.h | 2 +- net/core/dev.c | 10 +++++++--- net/ipv4/ip_input.c | 12 +++++++----- net/ipv4/ip_options.c | 3 ++- net/ipv4/raw.c | 11 +++++------ net/ipv6/ip6_input.c | 14 ++++++++------ net/ipv6/raw.c | 2 +- net/ipv6/route.c | 7 ++++--- net/xfrm/xfrm_policy.c | 4 ++-- 11 files changed, 52 insertions(+), 35 deletions(-) -- 2.7.0.rc3.207.g0ac5344
Powered by blists - more mailing lists