lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 4 Aug 2020 07:54:36 -0600
From:   David Ahern <dsahern@...il.com>
To:     Stefano Brivio <sbrivio@...hat.com>,
        "David S. Miller" <davem@...emloft.net>
Cc:     Florian Westphal <fw@...len.de>, Aaron Conole <aconole@...hat.com>,
        Numan Siddique <nusiddiq@...hat.com>,
        Jakub Kicinski <kuba@...nel.org>,
        Pravin B Shelar <pshelar@....org>,
        Roopa Prabhu <roopa@...ulusnetworks.com>,
        Nikolay Aleksandrov <nikolay@...ulusnetworks.com>,
        Lourdes Pedrajas <lu@...o.net>, netdev@...r.kernel.org
Subject: Re: [PATCH net-next v2 1/6] ipv4: route: Ignore output interface in
 FIB lookup for PMTU route

On 8/3/20 11:53 PM, Stefano Brivio wrote:
> Currently, processes sending traffic to a local bridge with an
> encapsulation device as a port don't get ICMP errors if they exceed
> the PMTU of the encapsulated link.
> 
> David Ahern suggested this as a hack, but it actually looks like
> the correct solution: when we update the PMTU for a given destination
> by means of updating or creating a route exception, the encapsulation
> might trigger this because of PMTU discovery happening either on the
> encapsulation device itself, or its lower layer. This happens on
> bridged encapsulations only.
> 
> The output interface shouldn't matter, because we already have a
> valid destination. Drop the output interface restriction from the
> associated route lookup.
> 
> For UDP tunnels, we will now have a route exception created for the
> encapsulation itself, with a MTU value reflecting its headroom, which
> allows a bridge forwarding IP packets originated locally to deliver
> errors back to the sending socket.
> 
> The behaviour is now consistent with IPv6 and verified with selftests
> pmtu_ipv{4,6}_br_{geneve,vxlan}{4,6}_exception introduced later in
> this series.
> 
> v2:
> - reset output interface only for bridge ports (David Ahern)
> - add and use netif_is_any_bridge_port() helper (David Ahern)
> 
> Suggested-by: David Ahern <dsahern@...il.com>
> Signed-off-by: Stefano Brivio <sbrivio@...hat.com>
> ---
>  include/linux/netdevice.h | 5 +++++
>  net/ipv4/route.c          | 5 +++++
>  2 files changed, 10 insertions(+)
> 

Reviewed-by: David Ahern <dsahern@...il.com>


Powered by blists - more mailing lists