lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 26 Sep 2016 16:53:33 +0200
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Hannes Frederic Sowa <hannes@...essinduktion.org>,
        Florian Westphal <fw@...len.de>,
        Jamal Hadi Salim <jhs@...atatu.com>
CC:     Shmulik Ladkani <shmulik.ladkani@...il.com>,
        "David S. Miller" <davem@...emloft.net>,
        WANG Cong <xiyou.wangcong@...il.com>,
        Eric Dumazet <edumazet@...gle.com>, netdev@...r.kernel.org
Subject: Re: [PATCH net-next 4/4] net/sched: act_mirred: Implement ingress
 actions

On 09/26/2016 04:43 PM, Hannes Frederic Sowa wrote:
> On 26.09.2016 03:35, Florian Westphal wrote:
>> Jamal Hadi Salim <jhs@...atatu.com> wrote:
>>> On 16-09-25 02:31 PM, Florian Westphal wrote:
>>>> Shmulik Ladkani <shmulik.ladkani@...il.com> wrote:
>>>>> We can later address any loop-detection improvements in mirred.
>>>>> WDYT?
>>>>
>>>> You can address this after fixing infamous spinlock recursion hard
>>>> lockup (which has existed forever):
>>>>
>>>> tc qdisc add dev eth0 root handle 1: prio
>>>> tc filter add dev eth0 parent 1: protocol ip u32 match u32 0 0 flowid
>>>> 1:2 action mirred egress redirect dev eth0
>>>>
>>>> (only do this on toy vm)
>>>
>>> Realize didnt respond to this. Seems very simple to fix:
>>> if skb->dev->ifindex and m->tcfm_dev->ifindex are the
>>> same, then you can drop the packet.
>>
>> Yes, but I think we get same issue when we deal with stacked
>> interfaces, and redirect is to e.g. vlan on top of physical device.
>
> We do have the adjacent upper lists in all netdevices, calculating if a
> mirred actions would insert the skb on a stacked device above us should
> be as easy as querying netdev_has_upper_dev and should be possible to
> check that during config time.

But that would still not be enough, no? In the sense that with above
scenario, you could redirect to some arbitrary device that redirects
this back to the original device if on purpose configured as such,
thus they don't necessarily need to have a stacked relationship.

>> And we have such loops even without tc, for instance when placing
>> both veth ends in same bridge :-(
>
> We can't fix that without a ttl in the sk_buff struct.
>
> Bye,
> Hannes

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ