lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <b5469234-8667-7f7e-f119-13fb50d19d2d@lab.ntt.co.jp>
Date:   Tue, 15 Jan 2019 15:35:32 +0900
From:   Toshiaki Makita <makita.toshiaki@....ntt.co.jp>
To:     Fredrik Gustavsson <gustfred@...il.com>
Cc:     netdev <netdev@...r.kernel.org>,
        David Miller <davem@...emloft.net>,
        Daniel Borkmann <daniel@...earbox.net>
Subject: Re: [PATCH v1 1/1] veth: Do not drop packets larger then the mtu set
 on the receiving side

On 2019/01/11 22:13, Fredrik Gustavsson wrote:
> Den fre 11 jan. 2019 kl 05:23 skrev Toshiaki Makita
> <makita.toshiaki@....ntt.co.jp>:
>>
>> On 2019/01/10 22:26, Fredrik Gustavsson wrote:
>>> commit affede4a779420bd8510ab937251a3796d3228df
>>> Author: Fredrik Gustavsson <gustfred@...il.com>
>>> Date:   Tue Jan 8 11:21:39 2019 +0100
>>>
>>> veth: Do not drop packets larger then the mtu set on the receiving side
>>>
>>> Currently veth drops all packets larger then the mtu set on the receiving
>>> end of the pair. This is inconsistent with most hardware ethernet drivers
>>> that happily receives packets up the the ethernet MTU independent of the
>>> configured MTU.
>>>
>>> There should not be a need for dropping IP packets at receiver with
>>> size > configured IP MTU, IP MTU is for fragmentation at sender side.
>>> And IP packets with size > receiver L2 MTU will be dropped at sub-IP layer.
>>
>> But with current veth behavior setting MTU effectively sets MRU as well.
>> This may be being used to drop unexpectedly long packets e.g. from
>> containers on container host. If we unconditionally change this behavior
>> it can cause regression on some environment. This should be an option at
>> least.
>>
>> BTW there was a similar precedent attempt. You might want to take a look.
>>
>> https://www.mail-archive.com/netdev@vger.kernel.org/msg167636.html
>> https://www.mail-archive.com/netdev@vger.kernel.org/msg167899.html
>>
> Good argument, but do you agree that it shouldn't be working like it
> does?

Not sure. As discussed in the previous thread I think some hardware can
limit MRU < 1500 by configuring MTU, so to me it is not especially odd.

> But not sure if such a case would exist but breaking
> compatitbility have been discussed in other threads. So your saying
> that people have actually used it as a receiving limit for IP packets?

No, I'm saying it can be used in that way. Even though we did not
confirm if there really are people using features in a certain way, we
usually assume there are, as long as the usage is possible, because so
many people use Linux.

-- 
Toshiaki Makita

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ