lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20220921074854.48175d87@kernel.org>
Date:   Wed, 21 Sep 2022 07:48:54 -0700
From:   Jakub Kicinski <kuba@...nel.org>
To:     Daniel Borkmann <daniel@...earbox.net>
Cc:     Paul Blakey <paulb@...dia.com>, Vlad Buslov <vladbu@...dia.com>,
        Oz Shlomo <ozsh@...dia.com>, Roi Dayan <roid@...dia.com>,
        netdev@...r.kernel.org, Saeed Mahameed <saeedm@...dia.com>,
        Eric Dumazet <edumazet@...gle.com>,
        "David S. Miller" <davem@...emloft.net>,
        Paolo Abeni <pabeni@...hat.com>
Subject: Re: [PATCH net 1/1] net: Fix return value of qdisc ingress handling
 on success

On Wed, 21 Sep 2022 11:11:03 +0200 Daniel Borkmann wrote:
> On 9/21/22 10:50 AM, Paul Blakey wrote:
> > Currently qdisc ingress handling (sch_handle_ingress()) doesn't
> > set a return value and it is left to the old return value of
> > the caller (__netif_receive_skb_core()) which is RX drop, so if
> > the packet is consumed, caller will stop and return this value
> > as if the packet was dropped.
> > 
> > This causes a problem in the kernel tcp stack when having a
> > egress tc rule forwarding to a ingress tc rule.
> > The tcp stack sending packets on the device having the egress rule
> > will see the packets as not successfully transmitted (although they
> > actually were), will not advance it's internal state of sent data,
> > and packets returning on such tcp stream will be dropped by the tcp
> > stack with reason ack-of-unsent-data. See reproduction in [0] below.
> > 
> > Fix that by setting the return value to RX success if
> > the packet was handled successfully.
> > 
> > [0] Reproduction steps:
> >   $ ip link add veth1 type veth peer name peer1
> >   $ ip link add veth2 type veth peer name peer2
> >   $ ifconfig peer1 5.5.5.6/24 up
> >   $ ip netns add ns0
> >   $ ip link set dev peer2 netns ns0
> >   $ ip netns exec ns0 ifconfig peer2 5.5.5.5/24 up
> >   $ ifconfig veth2 0 up
> >   $ ifconfig veth1 0 up
> > 
> >   #ingress forwarding veth1 <-> veth2
> >   $ tc qdisc add dev veth2 ingress
> >   $ tc qdisc add dev veth1 ingress
> >   $ tc filter add dev veth2 ingress prio 1 proto all flower \
> >     action mirred egress redirect dev veth1
> >   $ tc filter add dev veth1 ingress prio 1 proto all flower \
> >     action mirred egress redirect dev veth2
> > 
> >   #steal packet from peer1 egress to veth2 ingress, bypassing the veth pipe
> >   $ tc qdisc add dev peer1 clsact
> >   $ tc filter add dev peer1 egress prio 20 proto ip flower \
> >     action mirred ingress redirect dev veth1
> > 
> >   #run iperf and see connection not running
> >   $ iperf3 -s&
> >   $ ip netns exec ns0 iperf3 -c 5.5.5.6 -i 1
> > 
> >   #delete egress rule, and run again, now should work
> >   $ tc filter del dev peer1 egress
> >   $ ip netns exec ns0 iperf3 -c 5.5.5.6 -i 1
> > 
> > Fixes: 1f211a1b929c ("net, sched: add clsact qdisc")
> > Signed-off-by: Paul Blakey <paulb@...dia.com>
>
> Looks reasonable and aligns with sch_handle_egress() fwiw. I think your Fixes tag is wrong
> since that commit didn't modify any of the above. This patch should also rather go to net-next
> tree to make sure it has enough soak time to catch potential regressions from this change in
> behavior.

I don't think we do "soak time" in networking. Perhaps we can try 
to use the "CC: stable # after 4 weeks" delay mechanism which Greg
promised at LPC?

> Given the change under TC_ACT_REDIRECT is BPF specific, please also add a BPF selftest
> for tc BPF program to assert the new behavior so we can run it in our BPF CI for every patch.

And it would be great to turn the commands from the commit message
into a selftest as well :S

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ