Open Source and information security mailing list archives
Message-ID: <CAF2d9jihubh_MJ+FwKfX3g45LidbBnU_cyF2ADEMdDZ3X3kTFQ@mail.gmail.com>
Date:   Tue, 18 Apr 2023 16:14:17 -0700
From:   Mahesh Bandewar (महेश बंडेवार) 
        <maheshb@...gle.com>
To:     Kuniyuki Iwashima <kuniyu@...zon.com>
Cc:     corbet@....net, davem@...emloft.net, dsahern@...nel.org,
        edumazet@...gle.com, kuba@...nel.org, mahesh@...dewar.net,
        maze@...gle.com, netdev@...r.kernel.org, pabeni@...hat.com
Subject: Re: [PATCH next] ipv6: add icmpv6_error_anycast_as_unicast for ICMPv6

On Tue, Apr 18, 2023 at 11:34 AM Kuniyuki Iwashima <kuniyu@...zon.com> wrote:
>
> From:   Mahesh Bandewar <maheshb@...gle.com>
> Date:   Mon, 17 Apr 2023 13:44:07 -0700
> > ICMPv6 error packets are not sent to the anycast destinations and this
> > prevents things like traceroute from working. So create a setting similar
> > to ECHO when dealing with Anycast sources (icmpv6_echo_ignore_anycast).
> >
> > Signed-off-by: Mahesh Bandewar <maheshb@...gle.com>
> > CC: Maciej Żenczykowski <maze@...gle.com>
> > ---
> >  Documentation/networking/ip-sysctl.rst |  7 +++++++
> >  include/net/netns/ipv6.h               |  1 +
> >  net/ipv6/af_inet6.c                    |  1 +
> >  net/ipv6/icmp.c                        | 13 +++++++++++--
> >  4 files changed, 20 insertions(+), 2 deletions(-)
> >
> > diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
> > index 87dd1c5283e6..e97896d38e9f 100644
> > --- a/Documentation/networking/ip-sysctl.rst
> > +++ b/Documentation/networking/ip-sysctl.rst
> > @@ -2719,6 +2719,13 @@ echo_ignore_anycast - BOOLEAN
> >
> >       Default: 0
> >
> > +error_anycast_as_unicast - BOOLEAN
> > +     If set non-zero, then the kernel will respond with ICMP Errors
>
> s/non-zero/1/, see below to limit 0-1.
>
>
> > +     resulting from requests sent to it over the IPv6 protocol destined
> > +     to anycast address essentially treating anycast as unicast.
> > +
> > +     Default: 0
> > +
> >  xfrm6_gc_thresh - INTEGER
> >       (Obsolete since linux-4.14)
> >       The threshold at which we will start garbage collecting for IPv6
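
Review bot: the description added under "error_anycast_as_unicast - BOOLEAN" says "ICMP Errors" although the setting lives in the ICMPv6 table, and the sentence "resulting from requests sent to it over the IPv6 protocol destined to anycast address" is hard to parse and is missing an article. Consider something like "If set to 1, the kernel sends ICMPv6 error messages in response to packets destined to an anycast address, treating the anycast address as unicast", which also lines up with the 0-1 range requested above.
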
> > diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h
> > index b4af4837d80b..3cceb3e9320b 100644
> > --- a/include/net/netns/ipv6.h
> > +++ b/include/net/netns/ipv6.h
> > @@ -55,6 +55,7 @@ struct netns_sysctl_ipv6 {
> >       u64 ioam6_id_wide;
> >       bool skip_notify_on_dev_down;
> >       u8 fib_notify_on_flag_change;
> > +     u8 icmpv6_error_anycast_as_unicast;
> >  };
> >
> >  struct netns_ipv6 {
> > diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
> > index 38689bedfce7..2b7ac752afc2 100644
> > --- a/net/ipv6/af_inet6.c
> > +++ b/net/ipv6/af_inet6.c
> > @@ -952,6 +952,7 @@ static int __net_init inet6_net_init(struct net *net)
> >       net->ipv6.sysctl.icmpv6_echo_ignore_all = 0;
> >       net->ipv6.sysctl.icmpv6_echo_ignore_multicast = 0;
> >       net->ipv6.sysctl.icmpv6_echo_ignore_anycast = 0;
> > +     net->ipv6.sysctl.icmpv6_error_anycast_as_unicast = 0;
> >
> >       /* By default, rate limit error messages.
> >        * Except for pmtu discovery, it would break it.
> > diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
> > index f32bc98155bf..db2aef50fdf5 100644
> > --- a/net/ipv6/icmp.c
> > +++ b/net/ipv6/icmp.c
> > @@ -362,9 +362,10 @@ static struct dst_entry *icmpv6_route_lookup(struct net *net,
> >
> >       /*
> >        * We won't send icmp if the destination is known
> > -      * anycast.
> > +      * anycast unless we need to treat anycast as unicast.
> >        */
> > -     if (ipv6_anycast_destination(dst, &fl6->daddr)) {
> > +     if (!net->ipv6.sysctl.icmpv6_error_anycast_as_unicast &&
>
> Please use READ_ONCE() to silence KCSAN.
>
Thanks for the comments. I'll integrate them in v2.
>
> > +         ipv6_anycast_destination(dst, &fl6->daddr)) {
> >               net_dbg_ratelimited("icmp6_send: acast source\n");
> >               dst_release(dst);
> >               return ERR_PTR(-EINVAL);
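
Review bot: the rewritten comment "anycast unless we need to treat anycast as unicast" does not say what decides that; naming the error_anycast_as_unicast sysctl there would let a reader find the knob from the code. In the condition itself, net->ipv6.sysctl.icmpv6_error_anycast_as_unicast is a plain load of a value that the mode 0644 sysctl entry added later in this patch makes writable at runtime, so the READ_ONCE() requested above belongs on exactly that expression.
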
> > @@ -1192,6 +1193,13 @@ static struct ctl_table ipv6_icmp_table_template[] = {
> >               .mode           = 0644,
> >               .proc_handler = proc_do_large_bitmap,
> >       },
> > +     {
> > +             .procname       = "error_anycast_as_unicast",
> > +             .data           = &init_net.ipv6.sysctl.icmpv6_error_anycast_as_unicast,
> > +             .maxlen         = sizeof(u8),
> > +             .mode           = 0644,
> > +             .proc_handler = proc_dou8vec_minmax,
>
>                 .extra1         = SYSCTL_ZERO,
>                 .extra2         = SYSCTL_ONE
>
> > +     },
> >       { },
> >  };
> >
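
Review bot: the new ctl_table entry uses proc_dou8vec_minmax with .maxlen = sizeof(u8) but sets no .extra1/.extra2, so the handler applies no 0-1 limit and any value that fits in a u8 is accepted for a setting documented as BOOLEAN. The check in icmpv6_route_lookup() only tests for non-zero, so behaviour would not change, but bounding it with SYSCTL_ZERO and SYSCTL_ONE as suggested above keeps what can be read back from the sysctl consistent with the documentation.
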
> > @@ -1209,6 +1217,7 @@ struct ctl_table * __net_init ipv6_icmp_sysctl_init(struct net *net)
> >               table[2].data = &net->ipv6.sysctl.icmpv6_echo_ignore_multicast;
> >               table[3].data = &net->ipv6.sysctl.icmpv6_echo_ignore_anycast;
> >               table[4].data = &net->ipv6.sysctl.icmpv6_ratemask_ptr;
> > +             table[5].data = &net->ipv6.sysctl.icmpv6_error_anycast_as_unicast;
> >       }
> >       return table;
> >  }
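
Review bot: "table[5].data = ..." is correct only while the new entry stays the sixth element of ipv6_icmp_table_template, directly after the entry that table[4] points at icmpv6_ratemask_ptr. If the index and the template order ever disagree, the entry for a non-initial namespace would keep the &init_net pointer from the template and writes there would change the initial namespace's setting. A short comment at the template entry noting that its position must match this index would make that coupling visible to the next person who inserts an entry.
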
> > --
> > 2.40.0.634.g4ca3ef3211-goog
