lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 12 Jan 2022 12:59:37 -0700
From:   David Ahern <dsahern@...il.com>
To:     Ignat Korchagin <ignat@...udflare.com>, netdev@...r.kernel.org,
        "David S . Miller" <davem@...emloft.net>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        David Ahern <dsahern@...nel.org>
Cc:     kernel-team@...udflare.com, Amir Razmjou <arazmjou@...udflare.com>
Subject: Re: [PATCH] sit: allow encapsulated IPv6 traffic to be delivered
 locally

On 1/7/22 5:38 AM, Ignat Korchagin wrote:
> While experimenting with FOU encapsulation Amir noticed that encapsulated IPv6
> traffic fails to be delivered, if the peer IP address is configured locally.
> 
> It can be easily verified by creating a sit interface like below:
> 
> $ sudo ip link add name fou_test type sit remote 127.0.0.1 encap fou encap-sport auto encap-dport 1111
> $ sudo ip link set fou_test up
> 
> and sending some IPv4 and IPv6 traffic to it
> 
> $ ping -I fou_test -c 1 1.1.1.1
> $ ping6 -I fou_test -c 1 fe80::d0b0:dfff:fe4c:fcbc
> 
> "tcpdump -i any udp dst port 1111" will confirm that only the first IPv4 ping
> was encapsulated and attempted to be delivered.
> 
> This seems like a limitation: for example, in a cloud environment the "peer"
> service may be arbitrarily scheduled on any server within the cluster, where all
> nodes are trying to send encapsulated traffic. And the unlucky node will not be
> able to. Moreover, delivering encapsulated IPv4 traffic locally is allowed.
> 
> But I may not have all the context about this restriction and this code predates
> the observable git history.
> 
> Reported-by: Amir Razmjou <arazmjou@...udflare.com>
> Signed-off-by: Ignat Korchagin <ignat@...udflare.com>
> ---
>  net/ipv6/sit.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
> index 8a3618a30632..72968d4188b9 100644
> --- a/net/ipv6/sit.c
> +++ b/net/ipv6/sit.c
> @@ -956,7 +956,7 @@ static netdev_tx_t ipip6_tunnel_xmit(struct sk_buff *skb,
>  		dst_cache_set_ip4(&tunnel->dst_cache, &rt->dst, fl4.saddr);
>  	}
>  
> -	if (rt->rt_type != RTN_UNICAST) {
> +	if (rt->rt_type != RTN_UNICAST && rt->rt_type != RTN_LOCAL) {
>  		ip_rt_put(rt);
>  		dev->stats.tx_carrier_errors++;
>  		goto tx_error_icmp;

Reviewed-by: David Ahern <dsahern@...nel.org>

Powered by blists - more mailing lists