lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <20161017.101730.383079449821386550.davem@davemloft.net>
Date:   Mon, 17 Oct 2016 10:17:30 -0400 (EDT)
From:   David Miller <davem@...emloft.net>
To:     dsa@...ulusnetworks.com
Cc:     netdev@...r.kernel.org, eric.dumazet@...il.com
Subject: Re: [PATCH] net: Require exact match for TCP socket lookups if dif
 is l3mdev

From: David Ahern <dsa@...ulusnetworks.com>
Date: Sun, 16 Oct 2016 20:02:52 -0700

> Currently, socket lookups for l3mdev (vrf) use cases can match a socket
> that is bound to a port but not a device (ie., a global socket). If the
> sysctl tcp_l3mdev_accept is not set this leads to ack packets going out
> based on the main table even though the packet came in from an L3 domain.
> The end result is that the connection does not establish creating
> confusion for users since the service is running and a socket shows in
> ss output. Fix by requiring an exact dif to sk_bound_dev_if match if the
> skb came through an interface enslaved to an l3mdev device and the
> tcp_l3mdev_accept is not set.
> 
> skb's through an l3mdev interface are marked by setting a flag in
> inet{6}_skb_parm. The IPv6 variant is already set; this patch adds the
> flag for IPv4. Using an skb flag avoids a device lookup on the dif. The
> flag is set in the VRF driver using the IP{6}CB macros. For IPv4, the
> inet_skb_parm struct is moved in the cb per commit 971f10eca186, so the
> match function in the TCP stack needs to use TCP_SKB_CB. For IPv6, the
> move is done after the socket lookup, so IP6CB is used.
> 
> The flags field in inet_skb_parm struct needs to be increased to add
> another flag. There is currently a 1-byte hole following the flags,
> so it can be expanded to u16 without increasing the size of the struct.
> 
> Fixes: 193125dbd8eb ("net: Introduce VRF device driver")
> Signed-off-by: David Ahern <dsa@...ulusnetworks.com>

Applied, thanks David.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ