Message-ID: <20180528210250.GA26453@thyrsus.com>
Date:   Mon, 28 May 2018 17:02:50 -0400
From:   "Eric S. Raymond" <esr@...rsus.com>
To:     Michal Kubecek <mkubecek@...e.cz>
Cc:     netdev@...r.kernel.org
Subject: Re: Is it possible to get device information via CMSG?

Michal Kubecek <mkubecek@...e.cz>:
> > 1. Is there a cmsg_level/cmsg_type combination that will return the
> > name of the device the packet arrived through?
> 
> Not name directly, AFAIK, but you can set SOL_IP / IP_PKTINFO (or
> SOL_IPV6 / IPV6_RECVPKTINFO) socket option and get IP_PKTINFO
> (IPV6_PKTINFO) message with recvmsg(). This will tell you incoming
> interface index so that you can look the name up. See ip(7) or ipv6(7)
> for format of the message (struct ip_pktinfo, struct in6_pktinfo).

Thanks, that confirms something I found on Stack Overflow after I
queried your list.

> However, I suspect that userspace application is not really interested
> in incoming interface name but rather in destination address of the
> incoming packet which is also provided in IP_PKTINFO / IPV6_PKTINFO
> message. 

NTP is weird that way.  My group, NTPsec, inherited the reference
Mills codebase (what we now call "NTP Classic") which really does have
a filter-by-interface-name feature *in addition to* local address
filtering.

We want to simplify the way it works without discarding that feature,
because we've made promises about backward compatibility that we mean
to keep.  We don't throw away features unless either they're security
holes or we are *dead certain* they are obsolete.

In case it's of interest to you, NTPsec is a drop-in replacement for
NTP Classic that solves its chronic security problems by stripping out
unused features and legacy code. We've actually shrunk the codebase
size by a factor of 4x.  We have better monitoring and admin tools, too.
-- 
		<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.
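The recvmsg()/IP_PKTINFO mechanism Michal describes above, worked through as an added example (not code from the thread or from NTPsec): a UDP socket with IP_PKTINFO enabled sends one datagram to itself over loopback, receives it with recvmsg(), and pulls the incoming interface index and destination address out of the struct in_pktinfo ancillary message, then maps the index to a name with if_indextoname(). The small arrived_on_iface() helper is an assumed illustration of how a daemon with an interface-name filter like the one Eric mentions could apply it per packet; the payload and the loopback self-send are constructed so the example runs offline. IPPROTO_IP is used for the cmsg level; on Linux that is the same value as SOL_IP.

```c
/* Added example, not part of the mailing-list message or of NTPsec. */
#define _GNU_SOURCE          /* glibc: exposes struct in_pktinfo */
#include <arpa/inet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Walk the ancillary data of a received msghdr and return the interface
 * index from IP_PKTINFO (>0), storing the packet's destination address in
 * *dst. Returns -1 if no IP_PKTINFO cmsg was present. */
int pktinfo_from_msghdr(struct msghdr *msg, struct in_addr *dst)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            struct in_pktinfo pi;
            memcpy(&pi, CMSG_DATA(c), sizeof pi);  /* copy: avoid unaligned access */
            if (dst)
                *dst = pi.ipi_addr;                /* local destination address */
            return pi.ipi_ifindex;                 /* index of arrival interface */
        }
    }
    return -1;
}

/* Hypothetical per-packet filter: does the packet's arrival interface match
 * the configured interface name? if_nametoindex() returns 0 for unknown names,
 * so an unknown name never matches a real index. */
int arrived_on_iface(int ifindex, const char *wanted_name)
{
    unsigned idx = if_nametoindex(wanted_name);
    return idx != 0 && (int)idx == ifindex;
}

/* Bind on 127.0.0.1 with IP_PKTINFO on, send a constructed datagram to
 * ourselves, receive it with recvmsg(), and report interface name (buffer of
 * IF_NAMESIZE) and destination address (buffer of INET_ADDRSTRLEN).
 * Returns the interface index, or -1 on any failure. */
int loopback_pktinfo_demo(char ifname[IF_NAMESIZE], char dst_str[INET_ADDRSTRLEN])
{
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0)
        return -1;
    int on = 1;
    if (setsockopt(s, IPPROTO_IP, IP_PKTINFO, &on, sizeof on) < 0) { close(s); return -1; }

    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = 0 }; /* ephemeral port */
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(s, (struct sockaddr *)&addr, sizeof addr) < 0) { close(s); return -1; }
    socklen_t alen = sizeof addr;
    if (getsockname(s, (struct sockaddr *)&addr, &alen) < 0) { close(s); return -1; }

    const char payload[] = "constructed probe";   /* constructed sample datagram */
    if (sendto(s, payload, sizeof payload, 0, (struct sockaddr *)&addr, sizeof addr) < 0) {
        close(s);
        return -1;
    }

    char buf[64];
    char cbuf[CMSG_SPACE(sizeof(struct in_pktinfo))];   /* room for one IP_PKTINFO */
    struct iovec iov = { .iov_base = buf, .iov_len = sizeof buf };
    struct sockaddr_in from;
    struct msghdr msg = {
        .msg_name = &from, .msg_namelen = sizeof from,
        .msg_iov = &iov, .msg_iovlen = 1,
        .msg_control = cbuf, .msg_controllen = sizeof cbuf,
    };
    if (recvmsg(s, &msg, 0) < 0) { close(s); return -1; }
    close(s);

    struct in_addr dst;
    int ifindex = pktinfo_from_msghdr(&msg, &dst);
    if (ifindex < 0)
        return -1;
    if (!if_indextoname((unsigned)ifindex, ifname))    /* index -> name lookup */
        strcpy(ifname, "?");
    inet_ntop(AF_INET, &dst, dst_str, INET_ADDRSTRLEN);
    return ifindex;
}

int main(void)
{
    char ifname[IF_NAMESIZE], dst[INET_ADDRSTRLEN];
    int idx = loopback_pktinfo_demo(ifname, dst);
    if (idx < 0) {
        perror("loopback_pktinfo_demo");
        return 1;
    }
    printf("arrived via ifindex %d (%s), destination %s, filter(%s)=%d\n",
           idx, ifname, dst, ifname, arrived_on_iface(idx, ifname));
    return 0;
}
```

The same pattern applies to IPv6 with IPV6_RECVPKTINFO at setsockopt time and IPPROTO_IPV6 / IPV6_PKTINFO carrying a struct in6_pktinfo (ipi6_ifindex, ipi6_addr), as Michal notes. The destination address in the cmsg is also what lets a daemon bound to INADDR_ANY reply from the address the client actually used, and reject datagrams that arrived on an address or interface it was not configured to serve.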