| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2b55ef32-812c-25ec-7715-595380344689@blackwall.org>
Date: Tue, 14 Mar 2023 17:43:39 +0200
From: Nikolay Aleksandrov <razor@...ckwall.org>
To: Vladimir Nikishkin <vladimir@...ishkin.pw>, netdev@...r.kernel.org
Cc: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com, eng.alaamohamedsoliman.am@...il.com,
gnault@...hat.com
Subject: Re: [PATCH net-next v3] Make vxlan try to send a packet normally if
local bypass fails.
On 14/03/2023 03:34, Vladimir Nikishkin wrote:
> In vxlan_core, if an fdb entry is pointing to a local
> address with some port, the system tries to get the packet to
> deliver the packet to the vxlan directly, bypassing the network
> stack.
>
> This patch makes it still try canonical delivery, if there is no
> linux kernel vxlan listening on this port. This will be useful
> for the cases when there is some userspace daemon expecting
> vxlan packets for post-processing, or some other implementation
> of vxlan.
>
> Signed-off-by: Vladimir Nikishkin <vladimir@...ishkin.pw>
> ---
> drivers/net/vxlan/vxlan_core.c | 10 ++--------
> 1 file changed, 2 insertions(+), 8 deletions(-)
>
Hi Vladimir,
You should structure the subject to driver: change, in this case
you can use something like
vxlan: try to send a packet normally if local bypass fails
> diff --git a/drivers/net/vxlan/vxlan_core.c b/drivers/net/vxlan/vxlan_core.c
> index b1b179effe2a..0379902da766 100644
> --- a/drivers/net/vxlan/vxlan_core.c
> +++ b/drivers/net/vxlan/vxlan_core.c
> @@ -2422,19 +2422,13 @@ static int encap_bypass_if_local(struct sk_buff *skb, struct net_device *dev,
> if (rt_flags & RTCF_LOCAL &&
> !(rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))) {
> struct vxlan_dev *dst_vxlan;
> -
> - dst_release(dst);
> dst_vxlan = vxlan_find_vni(vxlan->net, dst_ifindex, vni,
> daddr->sa.sa_family, dst_port,
> vxlan->cfg.flags);
> if (!dst_vxlan) {
you can drop the {} for a single line
> - dev->stats.tx_errors++;
> - vxlan_vnifilter_count(vxlan, vni, NULL,
> - VXLAN_VNI_STATS_TX_ERRORS, 0);
> - kfree_skb(skb);
> -
> - return -ENOENT;
> + return 0;
> }
> + dst_release(dst);
> vxlan_encap_bypass(skb, vxlan, dst_vxlan, vni, true);
> return 1;
> }
This also changes such packet delivery expectations so these packets are not
dropped anymore which might surprise people and allow traffic that would've been
dropped otherwise. IMO it should be hidden behind a new vxlan option that defaults
to the old behaviour.
Cheers,
Nik
Powered by blists - more mailing lists