lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZF0QDwICQk9JK90Z@debian> Date: Thu, 11 May 2023 17:55:59 +0200 From: Guillaume Nault <gnault@...hat.com> To: David Ahern <dsahern@...nel.org> Cc: David Miller <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Eric Dumazet <edumazet@...gle.com>, netdev@...r.kernel.org Subject: Re: [PATCH v2 net-next 3/4] selftests: fcnal: Test SO_DONTROUTE on UDP sockets. On Thu, May 11, 2023 at 09:03:44AM -0600, David Ahern wrote: > On 5/11/23 8:39 AM, Guillaume Nault wrote: > > Use nettest --client-dontroute to test the kernel behaviour with UDP > > sockets having the SO_DONTROUTE option. Sending packets to a neighbour > > (on link) host, should work. When the host is behind a router, sending > > should fail. > > > > Signed-off-by: Guillaume Nault <gnault@...hat.com> > > --- > > v2: Use 'nettest -B' instead of invoking two nettest instances for > > client and server. > > > > tools/testing/selftests/net/fcnal-test.sh | 17 +++++++++++++++++ > > 1 file changed, 17 insertions(+) > > > > diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh > > index 3a1f3051321f..08b4b96cbd63 100755 > > --- a/tools/testing/selftests/net/fcnal-test.sh > > +++ b/tools/testing/selftests/net/fcnal-test.sh > > @@ -1641,6 +1641,23 @@ ipv4_udp_novrf() > > log_start > > run_cmd nettest -D -d ${NSA_DEV} -r ${a} > > log_test_addr ${a} $? 2 "No server, device client, local conn" > > + > > + # > > + # Link local connection tests (SO_DONTROUTE). > > + # Connections should succeed only when the remote IP address is > > + # on link (doesn't need to be routed through a gateway). > > + # > > + > > + a=${NSB_IP} > > + log_start > > + do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute > > + log_test_addr ${a} $? 0 "SO_DONTROUTE client" > > + > > + a=${NSB_LO_IP} > > + log_start > > + show_hint "Should fail 'Network is unreachable' since server is not on link" > > + do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute > > + log_test_addr ${a} $? 1 "SO_DONTROUTE client" > > } > > > > ipv4_udp_vrf() > > Reviewed-by: David Ahern <dsahern@...nel.org> > > Have you looked at test cases with VRF - both UDP and TCP? I haven't looked at the VRF cases. I don't really see what kernel path I could cover that isn't already covered by the non-vrf cases: * From ns-B point of view, VRF_IP is just a routed IP, like NSA_LO_IP. So testing SO_DONTROUTE on a socket belonging to ns-B wouldn't cover any new kernel code path. * From ns-A point of view, the routing table content is the same. It just has to use table $VRF_TABLE instead of main. So the test would just ensure that we jump to the right routing table, something that SO_DONTROUTE doesn't influences. But the route lookup itself is actually the same as for the non-vrf test (just using a different table). Therefore I feel that adding vrf tests for SO_DONTROUTE wouldn't bring much value. But I may very well be missing some interesting points. If you have any VRF test case in mind, I can add them.
Powered by blists - more mailing lists