Date:   Thu, 6 Aug 2020 10:52:41 +0800
From:   Hangbin Liu <liuhangbin@...il.com>
To:     David Miller <davem@...emloft.net>
Cc:     gnault@...hat.com, netdev@...r.kernel.org, pmachata@...il.com,
        roopa@...ulusnetworks.com, dsahern@...nel.org, akaris@...hat.com
Subject: Re: [PATCH net] Revert "vxlan: fix tos value before xmit"

On Wed, Aug 05, 2020 at 12:11:10PM -0700, David Miller wrote:
> From: Hangbin Liu <liuhangbin@...il.com>
> Date: Wed, 5 Aug 2020 18:18:07 +0800
> 
> > Should I re-post the patch with Fixes flag?
> 
> No, I took care the Fixes tag and queued this up for -stable.

Thanks

> 
> But you do need to explain what kind of testing you even did on this
> change we are reverting.  Did you make this change purely on
> theoretical grounds and a code audit?
> 
> Because it is clear now that this commit broke things and did not fix
> anything at all.
> 
> Please explain.

Yes, I do have a bug report about this and did testing before posting the patch.
But the test script is long and the reason for the issue is very clear (3 bits
of DSCP are omitted). So I only explained the theory in the commit message.

The rough steps are: set up a vxlan tunnel on OVS, set the inner packet tos to
1011 1010 (0xba) and the outer vxlan tos to 1111 1100 (0xfc). The outer packet's tos
should be 0xfe at last as it inherits the inner ECN bit. But with RT_TOS(tos)
we actually got tos 0x1e as the first 3 bits are omitted.

Now here are the detailed testing steps:

1. On Host A (which has commit 71130f29979c "vxlan: fix tos value before
xmit"):

# cat ovs.sh
#!/bin/bash
remoteip=192.168.1.207
ip link set eth1 up
ip addr add 192.168.1.156/24 dev eth1

systemctl restart openvswitch
ovs-vsctl --may-exist add-br br-int -- set Bridge br-int datapath_type=system -- br-set-external-id br-int bridge-id br-int
ovs-vsctl add-port br-int vxlan0 -- set interface vxlan0 type=vxlan options:remote_ip=$remoteip
ip netns add private
ip link add name veth-host type veth peer name veth-guest
ovs-vsctl add-port br-int veth-host
ip link set dev veth-guest netns private
ip link set dev veth-host up
ip -n private link set dev veth-guest up
ip -n private link set dev lo up
ip -n private a a dev veth-guest 192.168.123.1/24
ovs-vsctl set interface vxlan0 options:tos=0xfc

2. On Host B (which has reverted commit 71130f29979c):

# cat ovs.sh
#!/bin/bash
remoteip=192.168.1.156

ip link set eth1 up
ip addr add 192.168.1.207/24 dev eth1

systemctl restart openvswitch
ovs-vsctl --may-exist add-br br-int -- set Bridge br-int datapath_type=system -- br-set-external-id br-int bridge-id br-int
ovs-vsctl add-port br-int vxlan0 -- set interface vxlan0 type=vxlan options:remote_ip=$remoteip
ip netns add private
ip link add name veth-host type veth peer name veth-guest
ovs-vsctl add-port br-int veth-host
ip link set dev veth-guest netns private
ip link set dev veth-host up
ip -n private link set dev veth-guest up
ip -n private link set dev lo up
ip -n private a a dev veth-guest 192.168.123.2/24
ovs-vsctl set interface vxlan0 options:tos=0xfc


3. On Host A, ping host B
# ip netns exec private ping 192.168.123.2 -c1 -W1 -Q 0xba

4. Capture the packets from Host B
# tcpdump -i eth1 -nn -l -vvv
22:34:37.663803 IP (tos 0x1e,ECT(0), ttl 64, id 63743, offset 0, flags [DF], proto UDP (17), length 134)
    192.168.1.156.55502 > 192.168.1.207.4789: [no cksum] VXLAN, flags [I] (0x08), vni 0

        ^^ you can see the tos value is 0x1e from Host A
IP (tos 0xba,ECT(0), ttl 64, id 37413, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.123.1 > 192.168.123.2: ICMP echo request, id 22930, seq 1, length 64

22:34:37.664624 IP (tos 0xfe,ECT(0), ttl 64, id 8233, offset 0, flags [DF], proto UDP (17), length 134)
    192.168.1.207.47657 > 192.168.1.156.4789: [no cksum] VXLAN, flags [I] (0x08), vni 0

        ^^ From Host B it's 0xfe
IP (tos 0xba,ECT(0), ttl 64, id 42030, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.123.2 > 192.168.123.1: ICMP echo reply, id 22930, seq 1, length 64
^C

Thanks
Hangbin
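As an added illustration (not part of the mail above), the bit arithmetic behind the 0x1e and 0xfe values in the capture, written in plain C from the kernel's RT_TOS() and INET_ECN_encapsulate() definitions. The reverted commit is modelled here as applying RT_TOS() to the tunnel tos before ECN inheritance; the order does not change the outcome, since RT_TOS() in either position strips the upper DSCP bits.

```c
#include <stdint.h>
#include <stdio.h>

/* Masks as defined in the kernel headers (include/uapi/linux/ip.h,
 * include/net/inet_ecn.h). */
#define IPTOS_TOS_MASK 0x1E
#define INET_ECN_MASK  3
#define INET_ECN_CE    3
#define INET_ECN_ECT_0 2

/* RT_TOS(): keeps only the legacy 4-bit TOS field. The top 3 DSCP bits
 * (and the low ECN bit) are dropped, which is the bug reported above. */
static uint8_t rt_tos(uint8_t tos) { return tos & IPTOS_TOS_MASK; }

/* INET_ECN_encapsulate(): outer keeps its own DSCP but inherits the inner
 * packet's ECN codepoint; an inner CE marking is downgraded to ECT(0). */
static uint8_t inet_ecn_encapsulate(uint8_t outer, uint8_t inner)
{
    uint8_t ecn = inner & INET_ECN_MASK;
    outer &= (uint8_t)~INET_ECN_MASK;
    outer |= (ecn != INET_ECN_CE) ? ecn : INET_ECN_ECT_0;
    return outer;
}

/* Outer tos as computed with commit 71130f29979c applied:
 * RT_TOS() on the configured tunnel tos, then ECN inheritance. */
static uint8_t outer_tos_with_rt_tos(uint8_t tunnel_tos, uint8_t inner_tos)
{
    return inet_ecn_encapsulate(rt_tos(tunnel_tos), inner_tos);
}

/* Outer tos after the revert: the full 6-bit DSCP of the tunnel tos survives. */
static uint8_t outer_tos_after_revert(uint8_t tunnel_tos, uint8_t inner_tos)
{
    return inet_ecn_encapsulate(tunnel_tos, inner_tos);
}

int main(void)
{
    /* Values from the test in the mail: options:tos=0xfc, ping -Q 0xba. */
    uint8_t tunnel = 0xfc, inner = 0xba;
    printf("with RT_TOS: 0x%02x, after revert: 0x%02x\n",
           outer_tos_with_rt_tos(tunnel, inner),
           outer_tos_after_revert(tunnel, inner));
    return 0;
}
```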
