lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 6 May 2024 17:57:23 +0200
From: Antony Antony <antony@...nome.org>
To: Sabrina Dubroca <sd@...asysnail.net>
Cc: Antony Antony <antony.antony@...unet.com>,
	Jakub Kicinski <kuba@...nel.org>,
	Steffen Klassert <steffen.klassert@...unet.com>,
	netdev@...r.kernel.org, linux-kselftest@...r.kernel.org,
	"David S. Miller" <davem@...emloft.net>,
	David Ahern <dsahern@...nel.org>,
	Eric Dumazet <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>,
	Herbert Xu <herbert@...dor.apana.org.au>,
	Shuah Khan <shuah@...nel.org>, devel@...ux-ipsec.org
Subject: Re: [PATCH net-next v3 0/2] fix icmp error source address over xfrm
 tunnel

Hi Sabrina,

On Mon, May 06, 2024 at 03:36:15PM +0200, Sabrina Dubroca via Devel wrote:
> 2024-05-06, 09:58:26 +0200, Antony Antony wrote:
> > Hi,
> > This fix, originally intended for XFRM/IPsec, has been recommended by
> > Steffen Klassert to submit to the net tree.
> > 
> > The patch addresses a minor issue related to the IPv4 source address of
> > ICMP error messages, which originated from an old 2011 commit:
> > 
> > 415b3334a21a ("icmp: Fix regression in nexthop resolution during replies.")
> > 
> > The omission of a "Fixes" tag  in the following commit is deliberate
> > to prevent potential test failures and subsequent regression issues
> > that may arise from backporting this patch all stable kerenels.
> 
> What kind of regression do you expect? If there's a risk of

For example, an old testing scripts with hardcoded source IP address assume
that the "Unreachable response" will have the previous behavior. Such 
testing script may trigger regression when this patch is backported.  
Consequently, there may be discussions on whether this patch has broken the 
10-year-old test scripts, which may be hard to fix.

> regression, I'm not sure net-next is that much "better" than net or
> stable. If a user complains about the new behavior breaking their
> setup, my understanding is that you would likely have to revert the
> patch anyway, or at least add some way to toggle the behavior.

My hope is that if this patch is applied to net-next without a "Fixes" tag,
users would fix their testing scripts properly. Additionally, another piece
of the puzzle for a complete fix is "forwarding of ICMP Error messages" 
patch that is in the kerenl 6.8, which is new feature and applied via 
ipsec-next.

-antony

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ