Message-ID: <aa5f1c11-4528-4d53-91f3-5ce8c02363ac@gmail.com>
Date: Tue, 27 Feb 2024 10:02:51 +0100
From: Richard Gobert <richardbgobert@...il.com>
To: Eyal Birger <eyal.birger@...il.com>
Cc: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
 pabeni@...hat.com, idosch@...dia.com, razor@...ckwall.org,
 amcohen@...dia.com, petrm@...dia.com, jbenc@...hat.com, b.galvani@...il.com,
 bpoirier@...dia.com, gavinl@...dia.com, martin.lau@...nel.org,
 daniel@...earbox.net, herbert@...dor.apana.org.au, netdev@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH net-next 2/2] net: geneve: enable local address bind for
 geneve sockets

Eyal Birger wrote:
> Hi,
> 
> On Thu, Feb 22, 2024 at 12:54 PM Richard Gobert
> <richardbgobert@...il.com> wrote:
>>
>> This patch adds support for binding to a local address in geneve sockets.
> 
> Thanks for adding this.
> 
>> It achieves this by adding a geneve_addr union to represent local address
>> to bind to, and copying it to udp_port_cfg in geneve_create_sock.
> 
> AFAICT in geneve_sock_add(), geneve_socket_create() is only called if there's
> no existing open socket with the GENEVE destination port. As such, wouldn't
> this bind work only for the first socket in the namespace?
> 
> If that is the case, then perhaps binding the socket isn't the right
> approach, and instead geneve_lookup() should search for the tunnel based on
> both the source and destination IPs.
> 
> Am I missing something?
> 
> Eyal

You are right, I missed it.
Binding the socket is the main reason for the patch, to prevent exposing
the geneve port on all interfaces.
I think it should be searched in geneve{6}_lookup and in geneve_find_sock:

static struct geneve_sock *geneve_find_sock(struct geneve_net *gn,
					    sa_family_t family,
					    __be16 dst_port,
					    union geneve_addr *saddr)
{
	struct geneve_sock *gs;

	list_for_each_entry(gs, &gn->sock_list, list) {
		struct inet_sock *inet = inet_sk(gs->sock->sk);

		/* match on port and family as before, then also on the bound local address */
		if (inet->inet_sport == dst_port && geneve_get_sk_family(gs) == family) {
			if (family == AF_INET && inet->inet_rcv_saddr == saddr->sin.sin_addr.s_addr)
				return gs;
	...

This is also true for VXLAN.
What do you think?
Thanks
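To make the point of the exchange concrete, here is a small user-space model of the two lookup rules. It is an added illustration, not part of the thread and not kernel code: struct model_sock, the two constructed sockets (both on the GENEVE UDP port 6081, bound to different RFC 5737 test addresses) and the select_* helpers are all assumptions made for this example. With the port-only rule every packet to the port selects the first socket regardless of which local address it was sent to, which is exactly why a per-socket bind only takes effect for the first socket; with the port-plus-local-address rule each socket only receives traffic addressed to the address it is bound to, and traffic to an address nobody bound to matches nothing.

```c
/*
 * User-space model of the GENEVE socket lookup discussed above.
 * Added illustration, not kernel code: struct model_sock and the
 * sample sockets are constructed for this example.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Stand-in for the fields of struct geneve_sock / inet_sock the lookup reads. */
struct model_sock {
	sa_family_t family;
	uint16_t sport;       /* UDP port the socket listens on, host byte order */
	struct in_addr saddr; /* local address the socket is bound to */
};

static struct in_addr ip4(const char *dotted)
{
	struct in_addr a;

	memset(&a, 0, sizeof(a));
	inet_pton(AF_INET, dotted, &a);
	return a;
}

/* Two sockets on the GENEVE port, each bound to a different local address (constructed). */
#define NSOCKS 2
static size_t build_sample(struct model_sock *out)
{
	out[0] = (struct model_sock){ AF_INET, 6081, ip4("192.0.2.10") };
	out[1] = (struct model_sock){ AF_INET, 6081, ip4("198.51.100.20") };
	return NSOCKS;
}

/* Port-only rule: the first socket with matching family and port wins. */
static int find_by_port(const struct model_sock *s, size_t n,
			sa_family_t family, uint16_t dst_port)
{
	for (size_t i = 0; i < n; i++)
		if (s[i].family == family && s[i].sport == dst_port)
			return (int)i;
	return -1;
}

/* Proposed rule: the packet's destination address must also equal the bound address. */
static int find_by_port_and_saddr(const struct model_sock *s, size_t n,
				  sa_family_t family, uint16_t dst_port,
				  struct in_addr daddr)
{
	for (size_t i = 0; i < n; i++)
		if (s[i].family == family && s[i].sport == dst_port &&
		    s[i].saddr.s_addr == daddr.s_addr)
			return (int)i;
	return -1;
}

/* Index of the socket each rule selects for a UDP/6081 packet sent to dst_ip, or -1. */
int select_port_only(const char *dst_ip)
{
	struct model_sock socks[NSOCKS];
	size_t n = build_sample(socks);

	(void)dst_ip; /* the port-only rule never looks at the destination address */
	return find_by_port(socks, n, AF_INET, 6081);
}

int select_port_and_addr(const char *dst_ip)
{
	struct model_sock socks[NSOCKS];
	size_t n = build_sample(socks);

	return find_by_port_and_saddr(socks, n, AF_INET, 6081, ip4(dst_ip));
}
```

select_port_only() returns 0 for both bound addresses, so the second bind is never reached; select_port_and_addr() returns 0 and 1 respectively and -1 for an address no socket is bound to.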

