Date:   Sun, 15 Mar 2020 19:01:26 +0800
From:   Haishuang Yan <yanhaishuang@...s.chinamobile.com>
To:     Julian Anastasov <ja@....bg>
Cc:     Simon Horman <horms@...ge.net.au>,
        Pablo Neira Ayuso <pablo@...filter.org>,
        netdev@...r.kernel.org, lvs-devel@...r.kernel.org,
        netfilter-devel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] ipvs: optimize tunnel dumps for icmp errors


> On March 15, 2020, at 4:17 PM, Julian Anastasov <ja@....bg> wrote:
> 
> 
> 	Hello,
> 
> On Sun, 15 Mar 2020, Haishuang Yan wrote:
> 
>> After stripping the GRE/UDP tunnel header for ICMP errors, it's better to show
>> "ICMP for GRE/UDP" instead of "ICMP for IPIP" in the debug message.
>> 
>> Signed-off-by: Haishuang Yan <yanhaishuang@...s.chinamobile.com>
>> ---
>> net/netfilter/ipvs/ip_vs_core.c | 41 +++++++++++++++++++++++------------------
>> 1 file changed, 23 insertions(+), 18 deletions(-)
>> 
>> diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
>> index 512259f..f39ae6b 100644
>> --- a/net/netfilter/ipvs/ip_vs_core.c
>> +++ b/net/netfilter/ipvs/ip_vs_core.c
> 
>> @@ -1703,8 +1707,8 @@ static int ipvs_gre_decap(struct netns_ipvs *ipvs, struct sk_buff *skb,
>> 		return NF_ACCEPT; /* The packet looks wrong, ignore */
>> 	raddr = (union nf_inet_addr *)&cih->daddr;
>> 
>> -	/* Special case for errors for IPIP packets */
>> -	ipip = false;
>> +	/* Special case for errors for IPIP/UDP/GRE tunnel packets */
>> +	tunnel = false;
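Review bot: the commit message only talks about the debug string, but this hunk also renames the `ipip` flag to `tunnel` and rewrites its comment. Mention the rename in the changelog, or split it into a separate patch, so that the 23 insertions and 18 deletions in the diffstat are accounted for and the functional part of the change is easy to pick out.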
> 
> 	At this point it is safe to store cih->protocol in some new
> var, eg. outer_proto...
> 
>> @@ -1809,17 +1813,18 @@ static int ipvs_gre_decap(struct netns_ipvs *ipvs, struct sk_buff *skb,
>> 			u32 mtu = ntohs(ic->un.frag.mtu);
>> 			__be16 frag_off = cih->frag_off;
>> 
>> -			/* Strip outer IP and ICMP, go to IPIP header */
>> +			/* Strip outer IP and ICMP, go to IPIP/UDP/GRE header */
>> 			if (pskb_pull(skb, ihl + sizeof(_icmph)) == NULL)
>> -				goto ignore_ipip;
>> +				goto ignore_tunnel;
>> 			offset2 -= ihl + sizeof(_icmph);
>> 			skb_reset_network_header(skb);
>> -			IP_VS_DBG(12, "ICMP for IPIP %pI4->%pI4: mtu=%u\n",
>> -				&ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr, mtu);
>> +			IP_VS_DBG(12, "ICMP for %s %pI4->%pI4: mtu=%u\n",
>> +				  ip_vs_proto_name(cih->protocol),
> 
> 	Because here cih points to the embedded UDP/TCP/SCTP IP header, so
> we can not see GRE here. Or it is even better if we do not add more code 
> to ip_vs_proto_name(), just use char *outer_proto and assign it with 
> "IPIP" (where ipip was set) and "UDP"/"GRE" (where ulen was set) and print
> outer_proto here.
Yes, you’re right. I will send a v2 commit according to your suggestion, thanks
very much.

> 
>> +				  &ip_hdr(skb)->saddr, &ip_hdr(skb)->daddr, mtu);
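Review bot: in the new `IP_VS_DBG` call, `cih->protocol` is read after `pskb_pull()`, whereas the same block copies `cih->frag_off` into a local before the pull. Take the value to print into a local before `pskb_pull()` as well. The message also mixes sources: the addresses come from `ip_hdr(skb)` after `skb_reset_network_header()`, while the protocol name comes from `cih`, so the line can name one header and print the addresses of another.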
> 
> Regards
> 
> --
> Julian Anastasov <ja@....bg>
> 


