lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Tue, 5 Jan 2021 09:08:04 +0100
From:   Steffen Klassert <steffen.klassert@...unet.com>
To:     Eyal Birger <eyal.birger@...il.com>
CC:     <herbert@...dor.apana.org.au>, <davem@...emloft.net>,
        <kuba@...nel.org>, <lorenzo@...gle.com>, <benedictwong@...gle.com>,
        <netdev@...r.kernel.org>, <shmulik.ladkani@...il.com>
Subject: Re: [PATCH ipsec] xfrm: fix disable_xfrm sysctl when used on xfrm
 interfaces

On Wed, Dec 23, 2020 at 05:00:46PM +0200, Eyal Birger wrote:
> The disable_xfrm flag signals that xfrm should not be performed during
> routing towards a device before reaching device xmit.
> 
> For xfrm interfaces this is usually desired as they perform the outbound
> policy lookup as part of their xmit using their if_id.
> 
> Before this change enabling this flag on xfrm interfaces prevented them
> from xmitting as xfrm_lookup_with_ifid() would not perform a policy lookup
> in case the original dst had the DST_NOXFRM flag.
> 
> This optimization is incorrect when the lookup is done by the xfrm
> interface xmit logic.
> 
> Fix by performing policy lookup when invoked by xfrmi as if_id != 0.
> 
> Similarly it's unlikely for the 'no policy exists on net' check to yield
> any performance benefits when invoked from xfrmi.
> 
> Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
> Signed-off-by: Eyal Birger <eyal.birger@...il.com>

Applied, thanks a lot Eyal!

Powered by blists - more mailing lists