lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Fri, 15 Jan 2021 20:03:17 +0100
From:   <diniboy@...vitia.xyz>
To:     <netdev@...r.kernel.org>
Subject: Potential bug with uidrange based routing over IPv6

Good day,
 
I have recently tried to set up a Hurricane Electronic IPv6 tunnel
(https://tunnelbroker.net) as they provide a /48 block whilst my hosting
provider doesn't support IPv6 out of the box. They offered the following
commands to establish a connection:
 
modprobe ipv6
ip tunnel add he-ipv6 mode sit remote heipv4washere local myipv4washere ttl
255
ip link set he-ipv6 up
ip addr add 2001:470:1f0a:1394::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
ip -f inet6 addr
 
I didn't quite like this approach as this adds a default route that will be
used everywhere then and most of my services will keep using the tunnel too
for their traffic instead of using the IPv4 address over my physical network
interface. I simply just wanted to have the opportunity to run specific
daemons with ipv6 support but didn't want to have it applied the whole
server wide. So I decided to create a user called ipv6 and wanted to use
uidrange to define the default routing for it:
 
adduser ipv6; id ipv6 # outputs 1004 as gid and 1005 as uid in my case
modprobe ipv6
ip tunnel add he-ipv6 mode sit remote heipv4washere local myexternalipv4 ttl
255
ip link set he-ipv6 up
ip addr add 2001:470:1f0a:1394::2/64 dev he-ipv6
# the commands above this line were untouched and copied from the he
recommended config
ip -6 rule add uidrange 1004-1004 table he-ipv6
ip -6 rule add default dev he-ipv6 table he-ipv6
 
And then if I log in as the ipv6 user, ping6 shows a 100% packet loss to
Google's IPv6 address. A HTTP GET curl request with the -6 flag to their
direct IP also hangs indefinitely. However if I use "from all" instead of
the uidrange, everything starts to work as expected though then all traffic
is routed not just the specific user's. I confirmed the same setup works
with a wireguard based IPv4 VPN. So I assume IPv6 is broken with uidrange.
Could you confirm that it's indeed the case?
 
Might be useful for debugging:
 
# ip -6 rule list
0: from all lookup local
32765: from all uidrange 1004-1004 lookup he-ipv6
32766: from all lookup main
 
(I have also tried setting the uidrange rule's priority to 60000, same issue
with the packet loss)
 
# ip -6 rule list table he-ipv6
32765: from all uidrange 1004-1004 lookup he-ipv6
 
My "ip6tables-save -c" is literally empty therefore I don't think it's worth
pasting here. I use Fedora Server 32 with kernel version
5.9.13-100.fc32.x86_64 and firewalld + selinux active. Altough I have tried
disabling selinux and the issue still persist there.
 
Thank you!
 
PS: Apologies if something wasn't clear, it is my first time writing to this
mailing list and neither am I a network nerd. Feel free to ask for further
command outputs if needed!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ