| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210817111940.GA7430@moon.secunet.de>
Date: Tue, 17 Aug 2021 13:19:40 +0200
From: Antony Antony <antony.antony@...unet.com>
To: Nicolas Dichtel <nicolas.dichtel@...nd.com>
CC: <antony.antony@...unet.com>,
Steffen Klassert <steffen.klassert@...unet.com>,
Herbert Xu <herbert@...dor.apana.org.au>,
Christian Langrock <christian.langrock@...unet.com>,
"David S. Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>, <netdev@...r.kernel.org>
Subject: Re: [PATCH v2 ipsec-next] xfrm: Add possibility to set the default
to block if we have no policy
On Wed, Aug 11, 2021 at 18:14:08 +0200, Nicolas Dichtel wrote:
> Le 18/07/2021 à 09:11, Antony Antony a écrit :
> > From: Steffen Klassert <steffen.klassert@...unet.com>
> Sorry for my late reply, I was off.
>
> >
> > As the default we assume the traffic to pass, if we have no
> > matching IPsec policy. With this patch, we have a possibility to
> > change this default from allow to block. It can be configured
> > via netlink. Each direction (input/output/forward) can be
> > configured separately. With the default to block configuered,
> > we need allow policies for all packet flows we accept.
> > We do not use default policy lookup for the loopback device.
> >
>
> [snip]
>
> > diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h
> > index e946366e8ba5..88c647302977 100644
> > --- a/include/net/netns/xfrm.h
> > +++ b/include/net/netns/xfrm.h
> > @@ -65,6 +65,13 @@ struct netns_xfrm {
> > u32 sysctl_aevent_rseqth;
> > int sysctl_larval_drop;
> > u32 sysctl_acq_expires;
> > +
> > + u8 policy_default;
> > +#define XFRM_POL_DEFAULT_IN 1
> > +#define XFRM_POL_DEFAULT_OUT 2
> > +#define XFRM_POL_DEFAULT_FWD 4
> > +#define XFRM_POL_DEFAULT_MASK 7
> > +
>
> [snip]
>
> > diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h
> > index ffc6a5391bb7..6e8095106192 100644
> > --- a/include/uapi/linux/xfrm.h
> > +++ b/include/uapi/linux/xfrm.h
> > @@ -213,6 +213,11 @@ enum {
> > XFRM_MSG_GETSPDINFO,
> > #define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO
> >
> > + XFRM_MSG_SETDEFAULT,
> > +#define XFRM_MSG_SETDEFAULT XFRM_MSG_SETDEFAULT
> > + XFRM_MSG_GETDEFAULT,
> > +#define XFRM_MSG_GETDEFAULT XFRM_MSG_GETDEFAULT
> > +
> > XFRM_MSG_MAPPING,
> > #define XFRM_MSG_MAPPING XFRM_MSG_MAPPING
> > __XFRM_MSG_MAX
> > @@ -508,6 +513,11 @@ struct xfrm_user_offload {
> > #define XFRM_OFFLOAD_IPV6 1
> > #define XFRM_OFFLOAD_INBOUND 2
> >
> > +struct xfrm_userpolicy_default {
> > + __u8 dirmask;
> > + __u8 action;
> > +};
> > +
> Should XFRM_POL_DEFAULT_* be moved in the uapi?
It is good point. Thanks for the feedback.
> How can a user knows what value is expected in dirmask?
>
> Same question for action. We should avoid magic values. 0 means drop or accept?
I have an iproute2 patch I want to sent out, moving to uapi would avoid using
hardcoded magic values there.
> Maybe renaming this field to 'drop' is enough.
action is a bitwise flag, one direction it may drop and ther other might
be allow.
Powered by blists - more mailing lists