| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <49d32698-e226-46b5-bee8-46e9aad5754b@redhat.com>
Date: Thu, 19 Sep 2024 12:06:01 +0200
From: Paolo Abeni <pabeni@...hat.com>
To: Guy Avraham <guyavrah1986@...il.com>, davem@...emloft.net,
dsahern@...nel.org, edumazet@...gle.com, kuba@...nel.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] net:ipv4:ip_route_input_slow: Change behaviour of
routing decision when IP router alert option is present
Hi,
On 9/12/24 16:14, Guy Avraham wrote:
> When an IP packet with the IP router alert (RFC 2113) field arrives
> to some host who is not the destination of that packet (i.e - non of
> its interfaces is the address in the destination IP address field of that
> packet) and, for whatever reason, it does not have a route to this
> destination address, it drops this packet during the "routing decision"
> flow even though it should potentially pass it to the relevant
> application(s) that are interested in this packet's content - which happens
> in the "forwarding decision" flow. The suggested fix changes this behaviour
> by setting the ip_forward as the next "step" in the flow of the packet,
> just before it (previously was) is dropped, so that later the ip_forward,
> as usual, will pass it on to its relevant recipient (socket), by
> invoking the ip_call_ra_chain.
>
> Signed-off-by: Guy Avraham <guyavrah1986@...il.com>
> ---
> The fix was tested and verified on Linux hosts that act as routers in which
> there are kerenls 3.10 and 5.2. The verification was done by simulating
> a scenario in which an RSVP (RFC 2205) Path message (that has the IP
> router alert option set) arrives to a transit RSVP node, and this host
> passes on the RSVP Path message to the relevant socket (of the RSVP
> deamon) even though upon arrival of this packet it does NOT have route
> to the destination IP address of the IP packet (that encapsulates the
> RSVP Path message).
>
> net/ipv4/route.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/net/ipv4/route.c b/net/ipv4/route.c
> index 13c0f1d455f3..7c416eca84f8 100644
> --- a/net/ipv4/route.c
> +++ b/net/ipv4/route.c
> @@ -2360,8 +2360,12 @@ out: return err;
>
> RT_CACHE_STAT_INC(in_slow_tot);
> if (res->type == RTN_UNREACHABLE) {
> - rth->dst.input= ip_error;
> - rth->dst.error= -err;
> + if (IPCB(skb)->opt.router_alert)
> + rth->dst.input = ip_forward;
> + else
> + rth->dst.input = ip_error;
> +
> + rth->dst.error = -err;
> rth->rt_flags &= ~RTCF_LOCAL;
> }
>
I think this is not the correct solution. At very least you should check
the host is actually a router (forwarding is enabled) and someone has
registered to receive router alerts. At that point you will be better
off processing the router alert in place directly calling
ip_call_ra_chain().
However I'm unsure all the above is actually required. It can be argued
your host has a bad configuration.
If it's a AS border router, and there is no route for the destination,
the packet not matching any route is invalid and should be indeed
dropped/not processed.
Otherwise you should have/add a catch-up default route - at very least
to handle this cases. If you really want to forward packets only to
known destination, you could make such route as blackhole one.
Cheers,
Paolo
Powered by blists - more mailing lists