| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e0c347a0-f7d4-e1ef-51a8-2d8b65bccbbc@6wind.com>
Date: Wed, 11 Aug 2021 18:14:08 +0200
From: Nicolas Dichtel <nicolas.dichtel@...nd.com>
To: antony.antony@...unet.com,
Steffen Klassert <steffen.klassert@...unet.com>,
Herbert Xu <herbert@...dor.apana.org.au>
Cc: Christian Langrock <christian.langrock@...unet.com>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org
Subject: Re: [PATCH v2 ipsec-next] xfrm: Add possibility to set the default to
block if we have no policy
Le 18/07/2021 à 09:11, Antony Antony a écrit :
> From: Steffen Klassert <steffen.klassert@...unet.com>
Sorry for my late reply, I was off.
>
> As the default we assume the traffic to pass, if we have no
> matching IPsec policy. With this patch, we have a possibility to
> change this default from allow to block. It can be configured
> via netlink. Each direction (input/output/forward) can be
> configured separately. With the default to block configuered,
> we need allow policies for all packet flows we accept.
> We do not use default policy lookup for the loopback device.
>
[snip]
> diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h
> index e946366e8ba5..88c647302977 100644
> --- a/include/net/netns/xfrm.h
> +++ b/include/net/netns/xfrm.h
> @@ -65,6 +65,13 @@ struct netns_xfrm {
> u32 sysctl_aevent_rseqth;
> int sysctl_larval_drop;
> u32 sysctl_acq_expires;
> +
> + u8 policy_default;
> +#define XFRM_POL_DEFAULT_IN 1
> +#define XFRM_POL_DEFAULT_OUT 2
> +#define XFRM_POL_DEFAULT_FWD 4
> +#define XFRM_POL_DEFAULT_MASK 7
> +
[snip]
> diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h
> index ffc6a5391bb7..6e8095106192 100644
> --- a/include/uapi/linux/xfrm.h
> +++ b/include/uapi/linux/xfrm.h
> @@ -213,6 +213,11 @@ enum {
> XFRM_MSG_GETSPDINFO,
> #define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO
>
> + XFRM_MSG_SETDEFAULT,
> +#define XFRM_MSG_SETDEFAULT XFRM_MSG_SETDEFAULT
> + XFRM_MSG_GETDEFAULT,
> +#define XFRM_MSG_GETDEFAULT XFRM_MSG_GETDEFAULT
> +
> XFRM_MSG_MAPPING,
> #define XFRM_MSG_MAPPING XFRM_MSG_MAPPING
> __XFRM_MSG_MAX
> @@ -508,6 +513,11 @@ struct xfrm_user_offload {
> #define XFRM_OFFLOAD_IPV6 1
> #define XFRM_OFFLOAD_INBOUND 2
>
> +struct xfrm_userpolicy_default {
> + __u8 dirmask;
> + __u8 action;
> +};
> +
Should XFRM_POL_DEFAULT_* be moved in the uapi?
How can a user knows what value is expected in dirmask?
Same question for action. We should avoid magic values. 0 means drop or accept?
Maybe renaming this field to 'drop' is enough.
Regards,
Nicolas
Powered by blists - more mailing lists