Date:   Thu, 26 Jan 2023 15:08:18 +0530
From:   Pavan Chebbi <pavan.chebbi@...adcom.com>
To:     Wolfgang Nothdurft <wolfgang@...ogate.de>
Cc:     Steffen Klassert <steffen.klassert@...unet.com>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: Problem with xfrm interface and bridged devices

The SubmittingPatches and the Netdev FAQ documents can help in getting
this patch in the proper format.


On Thu, Jan 26, 2023 at 2:20 PM Wolfgang Nothdurft <wolfgang@...ogate.de> wrote:
>
> Hi there,
>
> when using an xfrm interface in a bridged setup (the outgoing device is
> bridged), the incoming packets in the xfrm interface inherit the bridge
> info and confuse the netfilter connection tracking.
>
> brctl show
> bridge name     bridge id               STP enabled     interfaces
> br_eth1         8000.000c29fe9646       no              eth1
>
> This messes up the connection tracking so that only the outgoing packets
> show up and the connections through the xfrm interface are UNREPLIED.
> When using stateful netfilter rules, the response packet will be blocked
> as state invalid.
>
> telnet 192.168.12.1 7
> Trying 192.168.12.1...
>
> conntrack -L
> tcp      6 115 SYN_SENT src=192.168.11.1 dst=192.168.12.1 sport=52476
> dport=7 packets=2 bytes=104 [UNREPLIED] src=192.168.12.1
> dst=192.168.11.1 sport=7 dport=52476 packets=0 bytes=0 mark=0
> secctx=system_u:object_r:unlabeled_t:s0 use=1
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
>      2   104 DROP_invalid  all  --  *      *       0.0.0.0/0
> 0.0.0.0/0            state INVALID
>
> Jan 26 09:28:12 defendo kernel: fw-chk drop [STATE=invalid] IN=ipsec0
> OUT= PHYSIN=eth1 MAC= SRC=192.168.12.1 DST=192.168.11.1 LEN=52 TOS=0x00
> PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=7 DPT=52476 WINDOW=64240 RES=0x00
> ACK SYN URGP=0 MARK=0x1000000
>
> The attached patch removes the bridge info from the incoming packets on
> the xfrm interface, so the packet can be properly assigned to the
> connection.
>
> Kind Regards,
> Wolfgang
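As an added example (not part of the thread, and not the attached patch), the following Python script shows how a defender can spot the symptom Wolfgang describes from logs alone: a state-INVALID drop logged on the xfrm interface that still carries a PHYSIN bridge-port field, correlated with the UNREPLIED conntrack entry whose expected reply tuple it matches. The sample lines are constructed after the `conntrack -L` and kernel log output quoted above; the second entry in each list is an invented unrelated line so the filter has something to ignore. The interface name `ipsec0` and the log prefix `fw-chk` are taken from the quoted log, everything else is assumed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample output, modelled on the lines quoted in the thread.
CONNTRACK_SAMPLE = [
    "tcp      6 115 SYN_SENT src=192.168.11.1 dst=192.168.12.1 sport=52476 "
    "dport=7 packets=2 bytes=104 [UNREPLIED] src=192.168.12.1 "
    "dst=192.168.11.1 sport=7 dport=52476 packets=0 bytes=0 mark=0 use=1",
    # Invented healthy entry: both directions seen, nothing to report.
    "tcp      6 431999 ESTABLISHED src=192.168.11.1 dst=192.168.12.1 "
    "sport=52480 dport=22 packets=10 bytes=1200 src=192.168.12.1 "
    "dst=192.168.11.1 sport=22 dport=52480 packets=9 bytes=1100 [ASSURED] "
    "mark=0 use=1",
]

KERNEL_SAMPLE = [
    "Jan 26 09:28:12 defendo kernel: fw-chk drop [STATE=invalid] IN=ipsec0 "
    "OUT= PHYSIN=eth1 MAC= SRC=192.168.12.1 DST=192.168.11.1 LEN=52 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=7 DPT=52476 WINDOW=64240 RES=0x00 "
    "ACK SYN URGP=0 MARK=0x1000000",
    # Invented unrelated drop on a plain interface: no PHYSIN, must be ignored.
    "Jan 26 09:31:40 defendo kernel: fw-chk drop [STATE=invalid] IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 "
    "DST=192.168.11.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP "
    "SPT=443 DPT=40000 WINDOW=0 RES=0x00 RST URGP=0",
]

# KEY=value tokens of an iptables LOG line; also unwraps "[STATE=invalid]".
KV_RE = re.compile(r"\[?([A-Za-z_]+)=([^\s\]]*)\]?")


@dataclass
class CtEntry:
    proto: str
    state: str
    orig: Dict[str, str]   # original direction tuple
    reply: Dict[str, str]  # expected reply tuple
    flags: List[str]

    @property
    def unreplied(self) -> bool:
        return "UNREPLIED" in self.flags


def parse_conntrack_line(line: str) -> CtEntry:
    """Parse one `conntrack -L` line; the first src/dst/sport/dport set is the
    original direction, the second is the reply direction conntrack expects."""
    tokens = line.split()
    proto = tokens[0]
    state = tokens[3] if "=" not in tokens[3] else ""  # UDP lines have no state
    orig: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    flags: List[str] = []
    for tok in tokens:
        if tok.startswith("[") and tok.endswith("]"):
            flags.append(tok[1:-1])
        elif "=" in tok:
            k, v = tok.split("=", 1)
            if k in ("src", "dst", "sport", "dport", "packets", "bytes"):
                (orig if k not in orig else reply)[k] = v
    return CtEntry(proto, state, orig, reply, flags)


def parse_nflog_line(line: str) -> Dict[str, str]:
    """Turn an iptables LOG-style kernel line into a dict of its fields."""
    return {m.group(1): m.group(2) for m in KV_RE.finditer(line)}


def bridge_info_leaks(kernel_lines: List[str], xfrm_ifaces: Set[str]) -> List[Dict[str, str]]:
    """State-INVALID drops that arrived on an xfrm interface yet still carry a
    PHYSIN bridge port: the leaked bridge info the thread describes."""
    hits = []
    for line in kernel_lines:
        f = parse_nflog_line(line)
        if f.get("STATE", "").lower() != "invalid":
            continue
        if f.get("IN") in xfrm_ifaces and f.get("PHYSIN"):
            hits.append(f)
    return hits


def matching_unreplied(drop: Dict[str, str], entries: List[CtEntry]) -> Optional[CtEntry]:
    """The UNREPLIED entry whose expected reply tuple equals the dropped packet,
    i.e. the reply that conntrack failed to attribute to its flow."""
    want = (drop.get("SRC"), drop.get("DST"), drop.get("SPT"), drop.get("DPT"))
    for e in entries:
        r = e.reply
        if e.unreplied and (r.get("src"), r.get("dst"), r.get("sport"), r.get("dport")) == want:
            return e
    return None


def audit(kernel_lines: List[str], conntrack_lines: List[str], xfrm_ifaces: Set[str]) -> List[dict]:
    """Correlate leaked-bridge-info drops with their UNREPLIED conntrack entries."""
    entries = [parse_conntrack_line(l) for l in conntrack_lines]
    return [{"drop": d, "conntrack": matching_unreplied(d, entries)}
            for d in bridge_info_leaks(kernel_lines, xfrm_ifaces)]


if __name__ == "__main__":
    for finding in audit(KERNEL_SAMPLE, CONNTRACK_SAMPLE, {"ipsec0"}):
        d, ct = finding["drop"], finding["conntrack"]
        print(f"drop on {d['IN']} with PHYSIN={d['PHYSIN']}: {d['SRC']}:{d['SPT']} -> {d['DST']}:{d['DPT']}",
              "matches UNREPLIED flow" if ct else "no matching conntrack entry",
              f"(orig sport={ct.orig['sport']})" if ct else "")
```

Feed it `conntrack -L` output and the kernel log lines of the LOG/DROP rule on the affected host; a hit where the PHYSIN field names a bridge port while IN names the xfrm interface is exactly the misattribution the thread reports, and the matching UNREPLIED entry shows which flow lost its reply.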
