lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 18 Apr 2023 11:33:39 -0700
From:   Kuniyuki Iwashima <kuniyu@...zon.com>
To:     <maheshb@...gle.com>
CC:     <corbet@....net>, <davem@...emloft.net>, <dsahern@...nel.org>,
        <edumazet@...gle.com>, <kuba@...nel.org>, <mahesh@...dewar.net>,
        <maze@...gle.com>, <netdev@...r.kernel.org>, <pabeni@...hat.com>,
        <kuniyu@...zon.com>
Subject: Re: [PATCH next] ipv6: add icmpv6_error_anycast_as_unicast for ICMPv6

From:   Mahesh Bandewar <maheshb@...gle.com>
Date:   Mon, 17 Apr 2023 13:44:07 -0700
> ICMPv6 error packets are not sent to the anycast destinations and this
> prevents things like traceroute from working. So create a setting similar
> to ECHO when dealing with Anycast sources (icmpv6_echo_ignore_anycast).
> 
> Signed-off-by: Mahesh Bandewar <maheshb@...gle.com>
> CC: Maciej Żenczykowski <maze@...gle.com>
> ---
>  Documentation/networking/ip-sysctl.rst |  7 +++++++
>  include/net/netns/ipv6.h               |  1 +
>  net/ipv6/af_inet6.c                    |  1 +
>  net/ipv6/icmp.c                        | 13 +++++++++++--
>  4 files changed, 20 insertions(+), 2 deletions(-)
> 
> diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
> index 87dd1c5283e6..e97896d38e9f 100644
> --- a/Documentation/networking/ip-sysctl.rst
> +++ b/Documentation/networking/ip-sysctl.rst
> @@ -2719,6 +2719,13 @@ echo_ignore_anycast - BOOLEAN
>  
>  	Default: 0
>  
> +error_anycast_as_unicast - BOOLEAN
> +	If set non-zero, then the kernel will respond with ICMP Errors

s/non-zero/1/, see below to limit 0-1.


> +	resulting from requests sent to it over the IPv6 protocol destined
> +	to anycast address essentially treating anycast as unicast.
> +
> +	Default: 0
> +
>  xfrm6_gc_thresh - INTEGER
>  	(Obsolete since linux-4.14)
>  	The threshold at which we will start garbage collecting for IPv6
> diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h
> index b4af4837d80b..3cceb3e9320b 100644
> --- a/include/net/netns/ipv6.h
> +++ b/include/net/netns/ipv6.h
> @@ -55,6 +55,7 @@ struct netns_sysctl_ipv6 {
>  	u64 ioam6_id_wide;
>  	bool skip_notify_on_dev_down;
>  	u8 fib_notify_on_flag_change;
> +	u8 icmpv6_error_anycast_as_unicast;
>  };
>  
>  struct netns_ipv6 {
> diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
> index 38689bedfce7..2b7ac752afc2 100644
> --- a/net/ipv6/af_inet6.c
> +++ b/net/ipv6/af_inet6.c
> @@ -952,6 +952,7 @@ static int __net_init inet6_net_init(struct net *net)
>  	net->ipv6.sysctl.icmpv6_echo_ignore_all = 0;
>  	net->ipv6.sysctl.icmpv6_echo_ignore_multicast = 0;
>  	net->ipv6.sysctl.icmpv6_echo_ignore_anycast = 0;
> +	net->ipv6.sysctl.icmpv6_error_anycast_as_unicast = 0;
>  
>  	/* By default, rate limit error messages.
>  	 * Except for pmtu discovery, it would break it.
> diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
> index f32bc98155bf..db2aef50fdf5 100644
> --- a/net/ipv6/icmp.c
> +++ b/net/ipv6/icmp.c
> @@ -362,9 +362,10 @@ static struct dst_entry *icmpv6_route_lookup(struct net *net,
>  
>  	/*
>  	 * We won't send icmp if the destination is known
> -	 * anycast.
> +	 * anycast unless we need to treat anycast as unicast.
>  	 */
> -	if (ipv6_anycast_destination(dst, &fl6->daddr)) {
> +	if (!net->ipv6.sysctl.icmpv6_error_anycast_as_unicast &&

Please use READ_ONCE() to silence KCSAN.


> +	    ipv6_anycast_destination(dst, &fl6->daddr)) {
>  		net_dbg_ratelimited("icmp6_send: acast source\n");
>  		dst_release(dst);
>  		return ERR_PTR(-EINVAL);
> @@ -1192,6 +1193,13 @@ static struct ctl_table ipv6_icmp_table_template[] = {
>  		.mode		= 0644,
>  		.proc_handler = proc_do_large_bitmap,
>  	},
> +	{
> +		.procname	= "error_anycast_as_unicast",
> +		.data		= &init_net.ipv6.sysctl.icmpv6_error_anycast_as_unicast,
> +		.maxlen		= sizeof(u8),
> +		.mode		= 0644,
> +		.proc_handler = proc_dou8vec_minmax,

		.extra1		= SYSCTL_ZERO,
		.extra2		= SYSCTL_ONE

> +	},
>  	{ },
>  };
>  
> @@ -1209,6 +1217,7 @@ struct ctl_table * __net_init ipv6_icmp_sysctl_init(struct net *net)
>  		table[2].data = &net->ipv6.sysctl.icmpv6_echo_ignore_multicast;
>  		table[3].data = &net->ipv6.sysctl.icmpv6_echo_ignore_anycast;
>  		table[4].data = &net->ipv6.sysctl.icmpv6_ratemask_ptr;
> +		table[5].data = &net->ipv6.sysctl.icmpv6_error_anycast_as_unicast;
>  	}
>  	return table;
>  }
> -- 
> 2.40.0.634.g4ca3ef3211-goog

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ