lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <YkBfQqz66FxYmGVV@ssuryadesk>
Date:   Sun, 27 Mar 2022 08:57:38 -0400
From:   Stephen Suryaputra <ssuryaextr@...il.com>
To:     David Ahern <dsahern@...il.com>
Cc:     netdev@...r.kernel.org
Subject: Re: Matching unbound sockets for VRF

On Fri, Mar 25, 2022 at 08:13:55AM -0600, David Ahern wrote:
> On 3/24/22 11:19 AM, Stephen Suryaputra wrote:
> > Hello,
> > 
> > After upgrading to a kernel version that has commit 3c82a21f4320c ("net:
> > allow binding socket in a VRF when there's an unbound socket") several
> > of our applications don't work anymore. We are relying on the previous
> > behavior, i.e. when packets arrive on an l3mdev enslaved device, the
> > unbound sockets are matched.
> > 
> > I understand the use case for the commit but given that the previous
> > behavior has been there for quite some time since the VRF introduction,
> > should there be a configurable option to get the previous behavior? The
> > option could be having the default be the behavior achieved by the
> > commit.
> > 
> 
> I thought the behavior was controlled by the l3mdev sysctl knobs.

The addresses for Mike and Robert bounced. So, removing them from the
thread.

The problem is that our system uses a fallback rule to a vrf, e.g.:

1000:   from all lookup [l3mdev-table]
32765:  from all lookup local
32766:  from all lookup main
32767:  from all lookup default
32768:  from all lookup 256

to force traffic to go out of the vrf-enslaved interface. When the host
with the vrf initiates tcp connection, the received SYN+ACK fails to
find a matching socket after the commit. See the traffic dump:

08:51:28.625806 IP 10.1.1.1.48076 > 10.1.1.2.1499: Flags [S], seq 2060777757, win 64240, options [mss 1460,sackOK,TS val 3307983770 ecr 0,nop,wscale 7], length 0
08:51:28.625831 IP 10.1.1.2.1499 > 10.1.1.1.48076: Flags [S.], seq 4017990855, ack 2060777758, win 65160, options [mss 1460,sackOK,TS val 1658979570 ecr 3307983770,nop,wscale 7], length 0
08:51:28.625837 IP 10.1.1.1.48076 > 10.1.1.2.1499: Flags [R], seq 2060777758, win 0, length 0

The reproducer script is attached.

Thanks,

Stephen.

Download attachment "socket.sh" of type "application/x-sh" (1660 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ