lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <cover.1668628394.git.lucien.xin@gmail.com>
Date:   Wed, 16 Nov 2022 15:01:15 -0500
From:   Xin Long <lucien.xin@...il.com>
To:     network dev <netdev@...r.kernel.org>, linux-sctp@...r.kernel.org
Cc:     davem@...emloft.net, kuba@...nel.org,
        Eric Dumazet <edumazet@...gle.com>,
        Paolo Abeni <pabeni@...hat.com>,
        Marcelo Ricardo Leitner <marcelo.leitner@...il.com>,
        Neil Horman <nhorman@...driver.com>,
        David Ahern <dsahern@...il.com>,
        Carlo Carraro <colrack@...il.com>
Subject: [PATCHv2 net-next 0/7] sctp: support vrf processing

This patchset adds the VRF processing in SCTP. Simliar to TCP/UDP,
it includes socket bind and socket/association lookup changes.

For socket bind change, it allows sockets to bind to a VRF device
and allows multiple sockets with the same IP and PORT to bind to
different interfaces in patch 1-3.

For socket/association lookup change, it adds dif and sdif check
in both asoc and ep lookup in patch 4 and 5, and when binding to
nodev, users can decide if accept the packets received from one
l3mdev by setup a sysctl option in patch 6.

Note with VRF support, in a netns, an association will be decided
by src ip + src port + dst ip + dst port + bound_dev_if, and it's
possible for ss to have:

# ss --sctp -n
  State       Local Address:Port      Peer Address:Port
   ESTAB     192.168.1.2%vrf-s1:1234
   `- ESTAB   192.168.1.2%veth1:1234   192.168.1.1:1234
   ESTAB     192.168.1.2%vrf-s2:1234
   `- ESTAB   192.168.1.2%veth2:1234   192.168.1.1:1234

See the selftest in patch 7 for more usage.

Also, thanks Carlo for testing this patch series on their use.

v1->v2:
  - In Patch 5, move sctp_sk_bound_dev_eq() definition to net/sctp/
    input.c to avoid a build error when IP_SCTP is disabled, as Paolo
    suggested.
  - In Patch 7, avoid one sleep by disabling the IPv6 dad, and remove
    another sleep by using ss to check if the server's ready, and also
    delete two unncessary sleeps in sctp_hello.c, as Paolo suggested.

Xin Long (7):
  sctp: verify the bind address with the tb_id from l3mdev
  sctp: check ipv6 addr with sk_bound_dev if set
  sctp: check sk_bound_dev_if when matching ep in get_port
  sctp: add skb_sdif in struct sctp_af
  sctp: add dif and sdif check in asoc and ep lookup
  sctp: add sysctl net.sctp.l3mdev_accept
  selftests: add a selftest for sctp vrf

 Documentation/networking/ip-sysctl.rst   |   9 ++
 include/net/netns/sctp.h                 |   4 +
 include/net/sctp/sctp.h                  |   6 +-
 include/net/sctp/structs.h               |   9 +-
 net/sctp/diag.c                          |   3 +-
 net/sctp/endpointola.c                   |  13 +-
 net/sctp/input.c                         | 108 +++++++-------
 net/sctp/ipv6.c                          |  22 ++-
 net/sctp/protocol.c                      |  19 ++-
 net/sctp/socket.c                        |   9 +-
 net/sctp/sysctl.c                        |  11 ++
 tools/testing/selftests/net/Makefile     |   2 +
 tools/testing/selftests/net/sctp_hello.c | 137 +++++++++++++++++
 tools/testing/selftests/net/sctp_vrf.sh  | 178 +++++++++++++++++++++++
 14 files changed, 461 insertions(+), 69 deletions(-)
 create mode 100644 tools/testing/selftests/net/sctp_hello.c
 create mode 100755 tools/testing/selftests/net/sctp_vrf.sh

-- 
2.31.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ