lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20180305213406.13628-1-dsahern@gmail.com>
Date:   Mon,  5 Mar 2018 13:34:01 -0800
From:   David Ahern <dsahern@...il.com>
To:     netdev@...r.kernel.org
Cc:     idosch@...sch.org, David Ahern <dsahern@...il.com>
Subject: [PATCH v2 net-next 0/5] net/ipv6: Address checks need to consider the L3 domain

IPv6 prohibits a local address from being used as a gateway for a route.
However, it is ok for the local address to be in a different L3 domain
(e.g., VRF); this allows, for example, veth pairs to connect VRFs.

ip6_route_info_create calls ipv6_chk_addr_and_flags for gateway addresses
to determine if the address is a local one, but ipv6_chk_addr_and_flags
does not currently consider L3 domains. As a result routes can not be
added in one VRF with a nexthop that points to a local address in a
second VRF.

Resolve by comparing the l3mdev for the passed in device and requiring an
l3mdev match with the device containing an address. The intent of checking
for an address on the specified device versus any device in the domain is
mantained by a new argument to skip the check between the passed in device
and the device with the address.

Patch 1 moves the gateway validation from ip6_route_info_create into a
helper; the function is long enough and refactoring drops the indent
level.

Patch 2 adds l3mdev checks to ipv6_chk_addr_and_flags and fixes up
a few ipv6_chk_addr callers that pass a NULL device.

Patches 3 and 4 do some refactoring to the fib_tests script and then
patch 5 adds nexthop validation tests.

v2
- handle 2 variations of route spec with sane error path
- add test cases

David Ahern (5):
  net/ipv6: Refactor gateway validation on route add
  net/ipv6: Address checks need to consider the L3 domain
  selftests: fib_tests: Use an alias for ip command
  selftests: fib_tests: Allow user to run a specific test
  selftests: fib_tests: Add IPv6 nexthop spec tests

 include/net/addrconf.h                   |   4 +-
 net/ipv6/addrconf.c                      |  26 ++-
 net/ipv6/anycast.c                       |   9 +-
 net/ipv6/datagram.c                      |   5 +-
 net/ipv6/ip6_tunnel.c                    |  12 +-
 net/ipv6/ndisc.c                         |   2 +-
 net/ipv6/route.c                         | 139 +++++++-----
 tools/testing/selftests/net/fib_tests.sh | 359 +++++++++++++++++++++++--------
 8 files changed, 397 insertions(+), 159 deletions(-)

-- 
2.11.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ