lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAHsH6GspzSsSJX2Xuerp3NApJnobv7_eoNdwMSX=Mqw3EVhAzg@mail.gmail.com>
Date: Wed, 28 Feb 2024 09:51:14 -0800
From: Eyal Birger <eyal.birger@...il.com>
To: Richard Gobert <richardbgobert@...il.com>
Cc: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, 
	pabeni@...hat.com, idosch@...dia.com, razor@...ckwall.org, amcohen@...dia.com, 
	petrm@...dia.com, jbenc@...hat.com, b.galvani@...il.com, bpoirier@...dia.com, 
	gavinl@...dia.com, martin.lau@...nel.org, daniel@...earbox.net, 
	herbert@...dor.apana.org.au, netdev@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH net-next 2/2] net: geneve: enable local address bind for
 geneve sockets

On Tue, Feb 27, 2024 at 1:03 AM Richard Gobert <richardbgobert@...il.com> wrote:
>
> Eyal Birger wrote:
> > Hi,
> >
> > On Thu, Feb 22, 2024 at 12:54 PM Richard Gobert
> > <richardbgobert@...il.com> wrote:
> >>
> >> This patch adds support for binding to a local address in geneve sockets.
> >
> > Thanks for adding this.
> >
> >> It achieves this by adding a geneve_addr union to represent local address
> >> to bind to, and copying it to udp_port_cfg in geneve_create_sock.
> >
> > AFICT in geneve_sock_add(), geneve_socket_create() is only called if there's
> > no existing open socket with the GENEVE destination port. As such, wouldn't
> > this bind work only for the first socket in the namespace?
> >
> > If that is the case, then perhaps binding the socket isn't the right
> > approach, and instead geneve_lookup() should search for the tunnel based on
> > both the source and destination IPs.
> >
> > Am I missing something?
> >
> > Eyal
>
> You are right, I missed it.
> Binding the socket is the main reason for the patch, to prevent exposing
> the geneve port on all interfaces.

I see. The use case I had in mind is allowing to differentiate between
tunnels based on local IP, but not exposing the port sounds like
a good use case too.

> I think it should be searched in geneve{6}_lookup and in geneve_find_sock:

If the socket is bound to a specific IP, i'm not sure you'd need to
change geneve{6}_lookup() - only packets matching that IP would arrive
there no? In that case I think the change you suggested to geneve_find_sock()
should be enough.

>
> static struct geneve_sock *geneve_find_sock(struct geneve_net *gn,
>                                             sa_family_t family,
>                                             union geneve_addr *saddr)
>  {
>         struct geneve_sock *gs;
>
>         list_for_each_entry(gs, &gn->sock_list, list) {
>                 struct inet_sock *inet = inet_sk(gs->sock->sk);
>
>                 if (inet->inet_sport == dst_port && geneve_get_sk_family(gs) == family) {
>                         if (family == AF_INET && inet->inet_rcv_saddr == saddr->sin.sin_addr.s_addr)
>                                 return gs;
>         ...
>
> This is also true for VXLAN

I haven't looked at the VXLAN code, but if the lookup is similar there
I would guess the same.

Eyal.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ