| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAF=yD-KaG=SS5ujdYyeYXh6528SawgNBHteVf1ywDhMugV64Og@mail.gmail.com>
Date: Wed, 1 Jul 2020 12:28:13 -0400
From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
To: "Jason A. Donenfeld" <Jason@...c4.com>
Cc: Hans Wippel <ndev@...pl.net>,
WireGuard mailing list <wireguard@...ts.zx2c4.com>,
Netdev <netdev@...r.kernel.org>
Subject: Re: wireguard: problem sending via libpcap's packet socket
> > header_ops looks like the best approach to me, too. The protocol field
> > needs to reflect the protocol of the *outer* packet, of course, but if
> > I read wg_allowedips_lookup_dst correctly, wireguard maintains the
> > same outer protocol as the inner protocol, no sit (6-in-4) and such.
>
> WireGuard does allow 6-in-4 and 4-in-6 actually. But parse_protocol is
> only ever called on the inner packet. The only code paths leading to
> it are af_packet-->ndo_start_xmit, and ndo_start_xmit examines
> skb->protocol of that inner packet, which means it entirely concerns
> the inner packet.
Of course, you are right. This inspects the packet before passing to
the device ndo_start_xmit, so before any encapsulation would take
place.
> And generally, for wireguard, userspace only ever
> deals with the inner packet. That inner packet then gets encrypted and
> poked at in strange ways, and then the encrypted blob of sludge gets
> put into a udp packet and sent some place. So I'm quite sure that the
> behavior just committed is right.
>
> And from writing a few libpcap examples, things seem to be working
> very well, including Hans' example.
Definitely. Thanks again.
Powered by blists - more mailing lists