| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 16 Nov 2022 15:01:15 -0500
From: Xin Long <lucien.xin@...il.com>
To: network dev <netdev@...r.kernel.org>, linux-sctp@...r.kernel.org
Cc: davem@...emloft.net, kuba@...nel.org,
Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>,
Marcelo Ricardo Leitner <marcelo.leitner@...il.com>,
Neil Horman <nhorman@...driver.com>,
David Ahern <dsahern@...il.com>,
Carlo Carraro <colrack@...il.com>
Subject: [PATCHv2 net-next 0/7] sctp: support vrf processing
This patchset adds the VRF processing in SCTP. Simliar to TCP/UDP,
it includes socket bind and socket/association lookup changes.
For socket bind change, it allows sockets to bind to a VRF device
and allows multiple sockets with the same IP and PORT to bind to
different interfaces in patch 1-3.
For socket/association lookup change, it adds dif and sdif check
in both asoc and ep lookup in patch 4 and 5, and when binding to
nodev, users can decide if accept the packets received from one
l3mdev by setup a sysctl option in patch 6.
Note with VRF support, in a netns, an association will be decided
by src ip + src port + dst ip + dst port + bound_dev_if, and it's
possible for ss to have:
# ss --sctp -n
State Local Address:Port Peer Address:Port
ESTAB 192.168.1.2%vrf-s1:1234
`- ESTAB 192.168.1.2%veth1:1234 192.168.1.1:1234
ESTAB 192.168.1.2%vrf-s2:1234
`- ESTAB 192.168.1.2%veth2:1234 192.168.1.1:1234
See the selftest in patch 7 for more usage.
Also, thanks Carlo for testing this patch series on their use.
v1->v2:
- In Patch 5, move sctp_sk_bound_dev_eq() definition to net/sctp/
input.c to avoid a build error when IP_SCTP is disabled, as Paolo
suggested.
- In Patch 7, avoid one sleep by disabling the IPv6 dad, and remove
another sleep by using ss to check if the server's ready, and also
delete two unncessary sleeps in sctp_hello.c, as Paolo suggested.
Xin Long (7):
sctp: verify the bind address with the tb_id from l3mdev
sctp: check ipv6 addr with sk_bound_dev if set
sctp: check sk_bound_dev_if when matching ep in get_port
sctp: add skb_sdif in struct sctp_af
sctp: add dif and sdif check in asoc and ep lookup
sctp: add sysctl net.sctp.l3mdev_accept
selftests: add a selftest for sctp vrf
Documentation/networking/ip-sysctl.rst | 9 ++
include/net/netns/sctp.h | 4 +
include/net/sctp/sctp.h | 6 +-
include/net/sctp/structs.h | 9 +-
net/sctp/diag.c | 3 +-
net/sctp/endpointola.c | 13 +-
net/sctp/input.c | 108 +++++++-------
net/sctp/ipv6.c | 22 ++-
net/sctp/protocol.c | 19 ++-
net/sctp/socket.c | 9 +-
net/sctp/sysctl.c | 11 ++
tools/testing/selftests/net/Makefile | 2 +
tools/testing/selftests/net/sctp_hello.c | 137 +++++++++++++++++
tools/testing/selftests/net/sctp_vrf.sh | 178 +++++++++++++++++++++++
14 files changed, 461 insertions(+), 69 deletions(-)
create mode 100644 tools/testing/selftests/net/sctp_hello.c
create mode 100755 tools/testing/selftests/net/sctp_vrf.sh
--
2.31.1
Powered by blists - more mailing lists