| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ZzLWcxskwi9e_bPf@gondor.apana.org.au> Date: Tue, 12 Nov 2024 12:15:47 +0800 From: Herbert Xu <herbert@...dor.apana.org.au> To: "dongchenchen (A)" <dongchenchen2@...wei.com>, Steffen Klassert <steffen.klassert@...unet.com> Cc: davem@...emloft.net, dsahern@...nel.org, edumazet@...gle.com, pabeni@...hat.com, horms@...nel.org, netdev@...r.kernel.org, yuehaibing@...wei.com, zhangchangzhong@...wei.com Subject: Re: [PATCH net] net: Fix icmp host relookup triggering ip_rt_bug On Tue, Nov 12, 2024 at 11:42:47AM +0800, dongchenchen (A) wrote: > > If skb_in is outbound, fl4_dec.saddr is not nolocal. It may be no input > route from B to A for > > first communication. You're right. So the problem here is that for the case of A being local, we should not be taking the ip_route_input code path (this is intended for forwarded packets). In fact if A is local, and we're sending an ICMP message to A, then perhaps we could skip the IPsec lookup completely and just do normal routing? Steffen, what do you think? So I think it boils down to two choices: 1) We could simply drop IPsec processing if we notice that A (fl.fl4_dst) is local; 2) Or we could take the __ip_route_output_key code path and continue to do the xfrm lookup when A is local. Thanks, -- Email: Herbert Xu <herbert@...dor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Powered by blists - more mailing lists