Message-ID: <86fce02b-7485-ebfa-b4ba-da9ebf7a11b7@6wind.com>
Date:   Tue, 3 May 2022 23:43:20 +0200
From:   Nicolas Dichtel <nicolas.dichtel@...nd.com>
To:     David Ahern <dsahern@...nel.org>,
        David Miller <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>,
        Eric Dumazet <edumazet@...gle.com>
Cc:     netdev@...r.kernel.org, stable@...r.kernel.org
Subject: Re: [PATCH net v2] ping: fix address binding wrt vrf

On 29/04/2022 at 16:31, David Ahern wrote:
> On 4/29/22 2:20 AM, Nicolas Dichtel wrote:
>> When ping_group_range is updated, 'ping' uses the DGRAM ICMP socket,
>> instead of an IP raw socket. In this case, 'ping' is unable to bind its
>> socket to a local address owned by a vrflite.
>>
>> Before the patch:
>> $ sysctl -w net.ipv4.ping_group_range='0  2147483647'
>> $ ip link add blue type vrf table 10
>> $ ip link add foo type dummy
>> $ ip link set foo master blue
>> $ ip link set foo up
>> $ ip addr add 192.168.1.1/24 dev foo
>> $ ip vrf exec blue ping -c1 -I 192.168.1.1 192.168.1.2
>> ping: bind: Cannot assign requested address
>>
>> CC: stable@...r.kernel.org
>> Fixes: 1b69c6d0ae90 ("net: Introduce L3 Master device abstraction")
>> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@...nd.com>
>> ---
>>
>> v1 -> v2:
>>  add the tag "Cc: stable@...r.kernel.org" for correct stable submission
>>
>>  net/ipv4/ping.c | 4 +++-
>>  1 file changed, 3 insertions(+), 1 deletion(-)
>>
> 
> please add a test case to fcnal-test.sh. Does ipv6 work ok?
Indeed, ipv6 is missing.

I will add some test cases.
Modifying the sysctl before the vrf tests produces a lot of failures:

With VRF

SYSCTL: net.ipv4.raw_l3mdev_accept=1

SYSCTL: net.ipv4.ping_group_range=0 2147483647

TEST: ping out, VRF bind - ns-B IP                                        [ OK ]
TEST: ping out, device bind - ns-B IP                                     [FAIL]
TEST: ping out, vrf device + dev address bind - ns-B IP                   [FAIL]
TEST: ping out, vrf device + dev address bind - ns-B IP                   [FAIL]
TEST: ping out, vrf device + vrf address bind - ns-B IP                   [FAIL]
TEST: ping out, VRF bind - ns-B loopback IP                               [ OK ]
TEST: ping out, device bind - ns-B loopback IP                            [FAIL]
TEST: ping out, vrf device + dev address bind - ns-B loopback IP          [FAIL]
TEST: ping out, vrf device + dev address bind - ns-B loopback IP          [FAIL]
TEST: ping out, vrf device + vrf address bind - ns-B loopback IP          [FAIL]


Regards,
Nicolas

