Date:   Tue, 16 Apr 2019 19:26:27 +0800
From:   linmiaohe <linmiaohe@...wei.com>
To:     David Ahern <dsa@...ulusnetworks.com>, <shrijeet@...il.com>,
        <davem@...emloft.net>, <netdev@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>
CC:     Mingfangsen <mingfangsen@...wei.com>
Subject: some trouble when using vrf

Hi all:
    I have met some trouble when using VRF; it would be very nice of you if you
can help me fix it.

    1. If I bind a VRF address before I set the SO_BINDTODEVICE option to bind an
enslaved device, "Cannot assign requested address" occurs. It's
because only after we set the SO_BINDTODEVICE option to bind an enslaved device
can we look up the route in the specified l3mdev domain.
    I think we shouldn't limit the order of binding the IP address and setting the SO_BINDTODEVICE option;
otherwise many VRF-unaware apps may need to change their code.
    I can't find a convenient way to fix it. Here is an example:

    ...
    bind(sock_fd, (struct sockaddr *)&addr_serv, sizeof(addr_serv));
    ...
    ret = setsockopt(sock_fd, SOL_SOCKET, SO_BINDTODEVICE, bind_dev, strlen(bind_dev)+1);
    ...
    This code snippet doesn't work if the IP address of addr_serv is not in the default VRF, and
"Cannot assign requested address" occurs.

    2. When I run a UDP server in the default VRF and set net.ipv4.udp_l3mdev_accept=1,
it's supposed to work across VRFs.
    But it turns out that when the UDP server receives a packet, it sends back with the source
IP address from the default VRF, which is supposed to be from the specified l3mdev domain.
And the connection between server and client is broken. It's because the UDP server
runs in the default VRF and doesn't bind the enslaved device, so only the route table in
the default VRF is available.

    For example, I run a UDP server in the default VRF and set net.ipv4.udp_l3mdev_accept=1:
    [root@...alhost vrf]# sysctl -a | grep l3mdev
    net.ipv4.raw_l3mdev_accept = 1
    net.ipv4.tcp_l3mdev_accept = 1
    net.ipv4.udp_l3mdev_accept = 1

    Then connect to the server and send a UDP packet to the specified VRF. Here is the tcpdump output:
    17:28:54.925417 IP 10.0.0.2.43003 > 10.0.0.1.irdmi: UDP, length 17
    17:28:54.925953 IP 9.85.153.236.irdmi > 10.0.0.2.43003: UDP, length 17
    PS: 10.0.0.2 is the client IP, 10.0.0.1 is the specified VRF IP, and 9.85.153.236 is the default VRF IP.
    10.0.0.1 and 9.85.153.236 are on the same host.

Thanks a lot if you can help me fix these. Have a nice day.
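
The two problems in the mail above, in working code, as an added example that is not part of the original post and not kernel code. For point 1 it calls SO_BINDTODEVICE before bind(), the order the mail says is required. For point 2 it keeps the UDP server in the default VRF but enables IP_PKTINFO, reads the ingress interface index and local address from each datagram, and hands both back to sendmsg() in a cmsg, so the reply is sourced from the address the request was sent to instead of the default VRF's address. Assumptions of mine, not the post's: that the ifindex the kernel reports in ipi_ifindex is the right one to route the reply in the VRF's domain, UDP port 8000 (irdmi in the tcpdump above), and the device name taken from the command line; the helper pktinfo_roundtrip() exists only so the cmsg encode/decode can be checked offline.

```c
/* vrf_udp_echo.c: added example, not code from the post or the kernel.
 *  1. bind_in_vrf(): SO_BINDTODEVICE first, bind() second, so the address
 *     lookup happens in the l3mdev domain of the named device.
 *  2. Server left in the default VRF (udp_l3mdev_accept=1): read IP_PKTINFO
 *     on every datagram and reuse ifindex + local address for the reply.
 * Assumed: ipi_ifindex from the kernel routes the reply in the right domain;
 * port 8000; device name from argv[1] ("" keeps the default VRF).
 * Build: cc -Wall -o vrf_udp_echo vrf_udp_echo.c    Run: ./vrf_udp_echo [dev]
 */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Point 1: device first, address second. 0 on success, -1 with errno set. */
int bind_in_vrf(int fd, const char *dev, const struct sockaddr_in *addr)
{
    if (dev && *dev &&
        setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, dev, strlen(dev) + 1) < 0)
        return -1;
    return bind(fd, (const struct sockaddr *)addr, sizeof(*addr));
}

/* Copy the IP_PKTINFO cmsg (ingress ifindex, local address) out of a
 * received msghdr. Returns 1 if present, 0 otherwise. */
int get_pktinfo(struct msghdr *msg, struct in_pktinfo *out)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level == IPPROTO_IP && c->cmsg_type == IP_PKTINFO) {
            memcpy(out, CMSG_DATA(c), sizeof(*out));
            return 1;
        }
    }
    return 0;
}

/* Build the IP_PKTINFO cmsg for sendmsg(): ipi_ifindex selects the egress
 * device (and with it the l3mdev table), ipi_spec_dst the source address.
 * Returns the value for msg_controllen, or 0 if ctrl is too small. */
size_t put_pktinfo(void *ctrl, size_t ctrl_len, int ifindex, struct in_addr src)
{
    struct in_pktinfo pi = { .ipi_ifindex = ifindex, .ipi_spec_dst = src };
    struct msghdr msg = { .msg_control = ctrl, .msg_controllen = ctrl_len };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || ctrl_len < CMSG_SPACE(sizeof(pi)))
        return 0;
    c->cmsg_level = IPPROTO_IP;
    c->cmsg_type = IP_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof(pi));
    memcpy(CMSG_DATA(c), &pi, sizeof(pi));
    return CMSG_SPACE(sizeof(pi));
}

/* Offline self-check (no socket needed): encode, decode, return the ifindex
 * read back, or -1 if the address is invalid or the round trip fails. */
int pktinfo_roundtrip(int ifindex, const char *ip)
{
    unsigned char ctrl[CMSG_SPACE(sizeof(struct in_pktinfo))];
    struct in_addr a;
    struct in_pktinfo pi;
    if (inet_pton(AF_INET, ip, &a) != 1)
        return -1;
    struct msghdr msg = { .msg_control = ctrl,
                          .msg_controllen = put_pktinfo(ctrl, sizeof ctrl, ifindex, a) };
    if (!get_pktinfo(&msg, &pi) || pi.ipi_spec_dst.s_addr != a.s_addr)
        return -1;
    return pi.ipi_ifindex;
}

int main(int argc, char **argv)
{
    const char *dev = argc > 1 ? argv[1] : "";   /* "" = stay in the default VRF */
    struct sockaddr_in local = { .sin_family = AF_INET, .sin_port = htons(8000),
                                 .sin_addr.s_addr = htonl(INADDR_ANY) };
    int fd = socket(AF_INET, SOCK_DGRAM, 0), one = 1;

    if (fd < 0 || setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &one, sizeof one) < 0 ||
        bind_in_vrf(fd, dev, &local) < 0) {
        perror("setup");
        return 1;
    }
    for (;;) {
        char data[2048];
        unsigned char ctrl[CMSG_SPACE(sizeof(struct in_pktinfo))];
        struct sockaddr_in peer;
        struct iovec iov = { data, sizeof data };
        struct msghdr msg = { .msg_name = &peer, .msg_namelen = sizeof peer,
                              .msg_iov = &iov, .msg_iovlen = 1,
                              .msg_control = ctrl, .msg_controllen = sizeof ctrl };
        struct in_pktinfo pi;
        ssize_t n = recvmsg(fd, &msg, 0);
        if (n < 0) {
            perror("recvmsg");
            return 1;
        }
        /* Point 2: echo via the interface and address the request came in on. */
        iov.iov_len = (size_t)n;
        msg.msg_controllen = get_pktinfo(&msg, &pi)
            ? put_pktinfo(ctrl, sizeof ctrl, pi.ipi_ifindex, pi.ipi_spec_dst) : 0;
        if (sendmsg(fd, &msg, 0) < 0)
            perror("sendmsg");
    }
}
```

Run with the VRF device name as the argument to reproduce the point 1 ordering (./vrf_udp_echo vrf-blue binds the device before the address), or with no argument to stay in the default VRF and rely on udp_l3mdev_accept plus the pktinfo reply path for point 2. A sanity check that a reply really left from the VRF address is the same tcpdump as above: the second line should now show the 10.0.0.1 source instead of the default VRF's address.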
