| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20220921074854.48175d87@kernel.org>
Date: Wed, 21 Sep 2022 07:48:54 -0700
From: Jakub Kicinski <kuba@...nel.org>
To: Daniel Borkmann <daniel@...earbox.net>
Cc: Paul Blakey <paulb@...dia.com>, Vlad Buslov <vladbu@...dia.com>,
Oz Shlomo <ozsh@...dia.com>, Roi Dayan <roid@...dia.com>,
netdev@...r.kernel.org, Saeed Mahameed <saeedm@...dia.com>,
Eric Dumazet <edumazet@...gle.com>,
"David S. Miller" <davem@...emloft.net>,
Paolo Abeni <pabeni@...hat.com>
Subject: Re: [PATCH net 1/1] net: Fix return value of qdisc ingress handling
on success
On Wed, 21 Sep 2022 11:11:03 +0200 Daniel Borkmann wrote:
> On 9/21/22 10:50 AM, Paul Blakey wrote:
> > Currently qdisc ingress handling (sch_handle_ingress()) doesn't
> > set a return value and it is left to the old return value of
> > the caller (__netif_receive_skb_core()) which is RX drop, so if
> > the packet is consumed, caller will stop and return this value
> > as if the packet was dropped.
> >
> > This causes a problem in the kernel tcp stack when having a
> > egress tc rule forwarding to a ingress tc rule.
> > The tcp stack sending packets on the device having the egress rule
> > will see the packets as not successfully transmitted (although they
> > actually were), will not advance it's internal state of sent data,
> > and packets returning on such tcp stream will be dropped by the tcp
> > stack with reason ack-of-unsent-data. See reproduction in [0] below.
> >
> > Fix that by setting the return value to RX success if
> > the packet was handled successfully.
> >
> > [0] Reproduction steps:
> > $ ip link add veth1 type veth peer name peer1
> > $ ip link add veth2 type veth peer name peer2
> > $ ifconfig peer1 5.5.5.6/24 up
> > $ ip netns add ns0
> > $ ip link set dev peer2 netns ns0
> > $ ip netns exec ns0 ifconfig peer2 5.5.5.5/24 up
> > $ ifconfig veth2 0 up
> > $ ifconfig veth1 0 up
> >
> > #ingress forwarding veth1 <-> veth2
> > $ tc qdisc add dev veth2 ingress
> > $ tc qdisc add dev veth1 ingress
> > $ tc filter add dev veth2 ingress prio 1 proto all flower \
> > action mirred egress redirect dev veth1
> > $ tc filter add dev veth1 ingress prio 1 proto all flower \
> > action mirred egress redirect dev veth2
> >
> > #steal packet from peer1 egress to veth2 ingress, bypassing the veth pipe
> > $ tc qdisc add dev peer1 clsact
> > $ tc filter add dev peer1 egress prio 20 proto ip flower \
> > action mirred ingress redirect dev veth1
> >
> > #run iperf and see connection not running
> > $ iperf3 -s&
> > $ ip netns exec ns0 iperf3 -c 5.5.5.6 -i 1
> >
> > #delete egress rule, and run again, now should work
> > $ tc filter del dev peer1 egress
> > $ ip netns exec ns0 iperf3 -c 5.5.5.6 -i 1
> >
> > Fixes: 1f211a1b929c ("net, sched: add clsact qdisc")
> > Signed-off-by: Paul Blakey <paulb@...dia.com>
>
> Looks reasonable and aligns with sch_handle_egress() fwiw. I think your Fixes tag is wrong
> since that commit didn't modify any of the above. This patch should also rather go to net-next
> tree to make sure it has enough soak time to catch potential regressions from this change in
> behavior.
I don't think we do "soak time" in networking. Perhaps we can try
to use the "CC: stable # after 4 weeks" delay mechanism which Greg
promised at LPC?
> Given the change under TC_ACT_REDIRECT is BPF specific, please also add a BPF selftest
> for tc BPF program to assert the new behavior so we can run it in our BPF CI for every patch.
And it would be great to turn the commands from the commit message
into a selftest as well :S
Powered by blists - more mailing lists