lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 18 Jun 2019 08:49:07 -0600
From:   David Ahern <dsahern@...il.com>
To:     Stefano Brivio <sbrivio@...hat.com>,
        David Miller <davem@...emloft.net>
Cc:     Jianlin Shi <jishi@...hat.com>, Wei Wang <weiwan@...gle.com>,
        Martin KaFai Lau <kafai@...com>,
        Eric Dumazet <edumazet@...gle.com>,
        Matti Vaittinen <matti.vaittinen@...rohmeurope.com>,
        netdev@...r.kernel.org
Subject: Re: [PATCH net v5 1/6] fib_frontend, ip6_fib: Select routes or
 exceptions dump from RTM_F_CLONED

On 6/18/19 7:20 AM, Stefano Brivio wrote:
> The following patches add back the ability to dump IPv4 and IPv6 exception
> routes, and we need to allow selection of regular routes or exceptions.
> 
> Use RTM_F_CLONED as filter to decide whether to dump routes or exceptions:
> iproute2 passes it in dump requests (except for IPv6 cache flush requests,
> this will be fixed in iproute2) and this used to work as long as
> exceptions were stored directly in the FIB, for both IPv4 and IPv6.
> 
> Caveat: if strict checking is not requested (that is, if the dump request
> doesn't go through ip_valid_fib_dump_req()), we can't filter on protocol,
> tables or route types.
> 
> In this case, filtering on RTM_F_CLONED would be inconsistent: we would
> fix 'ip route list cache' by returning exception routes and at the same
> time introduce another bug in case another selector is present, e.g. on
> 'ip route list cache table main' we would return all exception routes,
> without filtering on tables.
> 
> Keep this consistent by applying no filters at all, and dumping both
> routes and exceptions, if strict checking is not requested. iproute2
> currently filters results anyway, and no unwanted results will be
> presented to the user. The kernel will just dump more data than needed.
> 
> v5: New patch: add dump_routes and dump_exceptions flags in filter and
>     simply clear the unwanted one if strict checking is enabled, don't
>     ignore NLM_F_MATCH and don't set filter_set if NLM_F_MATCH is set.
>     Skip filtering altogether if no strict checking is requested:
>     selecting routes or exceptions only would be inconsistent with the
>     fact we can't filter on tables.
> 
> Suggested-by: David Ahern <dsahern@...il.com>
> Signed-off-by: Stefano Brivio <sbrivio@...hat.com>
> ---
>  include/net/ip_fib.h    | 2 ++
>  net/ipv4/fib_frontend.c | 8 +++++++-
>  net/ipv6/ip6_fib.c      | 3 ++-
>  3 files changed, 11 insertions(+), 2 deletions(-)
> 

Reviewed-by: David Ahern <dsahern@...il.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ