lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAHgT=KcMoUysPzGL2NkWXbbdUTKZ2EViHyOjsZkTtowVwpM_BA@mail.gmail.com>
Date:   Thu, 20 Feb 2020 23:52:51 -0500
From:   Trev Larock <trev@...ock.ca>
To:     David Ahern <dsahern@...il.com>
Cc:     Trev Larock <trev@...ock.ca>, Ben Greear <greearb@...delatech.com>,
        netdev@...r.kernel.org
Subject: Re: VRF + ip xfrm, egress ESP packet looping when qdisc configured

On Sun, Feb 2, 2020 at 11:04 PM David Ahern <dsahern@...il.com> wrote:
> I understand the problem you are facing. It is limited to xfrm +        qdisc
> on VRF device. I have a proposal for how to fix it:
>
>     https://github.com/dsahern/linux vrf-qdisc-xfrm

Thanks I tried the fixes on fedora31/ kernel 5.3.8, it did resolve
the qdisc looping packet issue.

> Right now I am stuck on debugging related xfrm cases - like xfrm
> devices, vrf device in the selector, and vti device. I feel like I need
> to get all of them working before sending patches, I just lack enough time.
>

Yes the vrf device in selector issue is still a puzzle.
Without the dev in selector the policy is triggered by the ip4_datagram_connect
call to xfrm_lookup, and there seems no xfrm_lookup call from vrf.c.

With a policy having vrf dev vrf0 in selector, just plaintext packets go out.
For that to trigger properly, should vrf.c be calling xfrm_lookup with the
vrf0 oif, or should that happen elsewhere?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ