| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b3b6158e-bb8f-42cd-879c-b246300ca04c@openvpn.net>
Date: Mon, 23 Sep 2024 16:36:46 +0200
From: Antonio Quartulli <antonio@...nvpn.net>
To: sd@...asysnail.net
Cc: kuba@...nel.org, netdev@...r.kernel.org, pabeni@...hat.com,
ryazanov.s.a@...il.com, edumazet@...gle.com, andrew@...n.ch
Subject: Re: [PATCH net-next v7 20/25] ovpn: implement peer add/dump/delete
via netlink
Hi Sabrina,
On 17/09/2024 03:07, Antonio Quartulli wrote:
[...]
> int ovpn_nl_set_peer_doit(struct sk_buff *skb, struct genl_info *info)
> {
[...]
> + /* VPN IPs cannot be updated, because they are hashed */
> + if (!new_peer && (attrs[OVPN_A_PEER_VPN_IPV4] ||
> + attrs[OVPN_A_PEER_VPN_IPV6])) {
> + NL_SET_ERR_MSG_FMT_MOD(info->extack,
> + "VPN IPs cannot be updated");
> + ret = -EINVAL;
> + goto peer_release;
> + }
while answering some other email I realized that right now we are
rejecting VPN IPs updates.
The reason is (as written in the comment above) that VPN IPs are used
for hashing the peer.
I think this barrier can be lifted if I implement the VPN IP hashing
using hlist_nulls, as I have done for the tranport_addr in case of
floating peers.
What do you think?
Can you see any drawback in this approach?
Doing that would allow us to remove the check above and allow userspace
to change IP to peers at runtime.
Cheers,
--
Antonio Quartulli
OpenVPN Inc.
Powered by blists - more mailing lists