lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Sat, 8 May 2021 15:58:49 -0700
From:   Stephen Hemminger <stephen@...workplumber.org>
To:     netdev@...r.kernel.org
Subject: Fw: [Bug 212997] New: /proc/net/dev: netns default route via
 wireguard no longer counted



Begin forwarded message:

Date: Sat, 08 May 2021 16:23:48 +0000
From: bugzilla-daemon@...zilla.kernel.org
To: stephen@...workplumber.org
Subject: [Bug 212997] New: /proc/net/dev: netns default route via wireguard no longer counted


https://bugzilla.kernel.org/show_bug.cgi?id=212997

            Bug ID: 212997
           Summary: /proc/net/dev: netns default route via wireguard no
                    longer counted
           Product: Networking
           Version: 2.5
    Kernel Version: 5.10.33
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Other
          Assignee: stephen@...workplumber.org
          Reporter: steffen@...oden.eu
        Regression: No

Despite 212317 i am "now" seeing another problem which i am pretty sure was not
there "a few weeks ago".  In a box started via

  ip netns exec secweb /usr/bin/env -i TERM=screen-256color /usr/bin/unshare
--ipc --uts --pid --fork --mount --mount-proc --kill-child
--root=/tmp/ports-2BiE7A/root /init

where secweb is a namespaced with routes

  default dev wgsewe scope link
  10.4.0.8/30 dev secweb_peer proto kernel scope link src 10.4.0.10
  10.4.0.9 dev secweb_peer scope link
  10.5.4.0/22 dev wgsewe proto kernel scope link src 10.5.4.2

(where 10.4.0.9 is veth to main namespace, and a local dnsmasq cache is
listening to provide DNS, nothing else is possible) aka

11: secweb_peer@...2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue
state UP group default qlen 1000
    link/ether 2e:5d:78:06:bf:94 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.4.0.10/30 brd 10.4.0.11 scope global secweb_peer
       valid_lft forever preferred_lft forever
    inet6 fe80::2c5d:78ff:fe06:bf94/64 scope link
       valid_lft forever preferred_lft forever
13: wgsewe: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state
UNKNOWN group default qlen 1000
    link/none
    inet 10.5.4.2/22 scope global wgsewe
       valid_lft forever preferred_lft forever

the /proc/net/dev counters of secweb no longer count any traffic routed via
wgsewe, only the DNS traffic via 10.4.0.9:

secweb:   29157     382    0    0    0     0          0         0    42301    
308    0    0    0     0       0          0

whereas we see
=== WG wgsewe@...web ===
interface: wgsewe
...
  allowed ips: 0.0.0.0/0
  latest handshake: 7 seconds ago
  transfer: 218.64 MiB received, 7.50 MiB sent

-- 
You may reply to this email to add a comment.

You are receiving this mail because:
You are the assignee for the bug.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ