lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <b3b6158e-bb8f-42cd-879c-b246300ca04c@openvpn.net>
Date: Mon, 23 Sep 2024 16:36:46 +0200
From: Antonio Quartulli <antonio@...nvpn.net>
To: sd@...asysnail.net
Cc: kuba@...nel.org, netdev@...r.kernel.org, pabeni@...hat.com,
 ryazanov.s.a@...il.com, edumazet@...gle.com, andrew@...n.ch
Subject: Re: [PATCH net-next v7 20/25] ovpn: implement peer add/dump/delete
 via netlink

Hi Sabrina,

On 17/09/2024 03:07, Antonio Quartulli wrote:
[...]
>   int ovpn_nl_set_peer_doit(struct sk_buff *skb, struct genl_info *info)
>   {
[...]
> +	/* VPN IPs cannot be updated, because they are hashed */
> +	if (!new_peer && (attrs[OVPN_A_PEER_VPN_IPV4] ||
> +			  attrs[OVPN_A_PEER_VPN_IPV6])) {
> +		NL_SET_ERR_MSG_FMT_MOD(info->extack,
> +				       "VPN IPs cannot be updated");
> +		ret = -EINVAL;
> +		goto peer_release;
> +	}

while answering some other email I realized that right now we are 
rejecting VPN IPs updates.

The reason is (as written in the comment above) that VPN IPs are used 
for hashing the peer.

I think this barrier can be lifted if I implement the VPN IP hashing 
using hlist_nulls, as I have done for the tranport_addr in case of 
floating peers.

What do you think?
Can you see any drawback in this approach?

Doing that would allow us to remove the check above and allow userspace 
to change IP to peers at runtime.


Cheers,

-- 
Antonio Quartulli
OpenVPN Inc.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ