Message-ID: <20250212164323.2183023-3-edumazet@google.com>
Date: Wed, 12 Feb 2025 16:43:23 +0000
From: Eric Dumazet <edumazet@...gle.com>
To: "David S . Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, 
	Paolo Abeni <pabeni@...hat.com>
Cc: netdev@...r.kernel.org, David Ahern <dsahern@...nel.org>, 
	Paul Ripke <stix@...gle.com>, Simon Horman <horms@...nel.org>, eric.dumazet@...il.com, 
	Eric Dumazet <edumazet@...gle.com>
Subject: [PATCH net-next 2/2] ipv6: fix blackhole routes

For some reason, linux does not really act as a blackhole
for local processes:

ip route add blackhole 100::/64     # RFC 6666
ip route get 100::
RTNETLINK answers: Invalid argument
ping6 -c2 100::
ping6: connect: Invalid argument
ip route del 100::/64

After this patch, a local process no longer has an immediate error,
the blackhole is simply eating the packets as intended.

Also the "route get" command does not fail anymore.

ip route add blackhole 100::/64
ip route get 100::
blackhole 100:: dev lo src ::1 metric 1024 pref medium
ping6 -c2 100::
PING 100:: (100::) 56 data bytes

--- 100:: ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1019ms

ip route del 100::/64

Reported-by: Paul Ripke <stix@...gle.com>
Signed-off-by: Eric Dumazet <edumazet@...gle.com>
---
 net/ipv6/route.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 78362822b9070df138a0724dc76003b63026f9e2..335cdbfe621e2fc4a71badf4ff834870638d5e13 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1048,7 +1048,7 @@ static const int fib6_prop[RTN_MAX + 1] = {
 	[RTN_BROADCAST]	= 0,
 	[RTN_ANYCAST]	= 0,
 	[RTN_MULTICAST]	= 0,
-	[RTN_BLACKHOLE]	= -EINVAL,
+	[RTN_BLACKHOLE]	= 0,
 	[RTN_UNREACHABLE] = -EHOSTUNREACH,
 	[RTN_PROHIBIT]	= -EACCES,
 	[RTN_THROW]	= -EAGAIN,
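
Review bot: The new `[RTN_BLACKHOLE] = 0` line in fib6_prop[] is missing a comment saying why it deliberately differs from the adjacent RTN_UNREACHABLE, RTN_PROHIBIT and RTN_THROW entries, which all keep a negative errno. As written, the zero looks the same as the RTN_BROADCAST/RTN_ANYCAST/RTN_MULTICAST defaults above it and could be "cleaned up" back to an error later. A short comment on that line (no error reported to the caller, packets are discarded silently) would make the intent clear. The discard itself must happen somewhere outside this table, which the hunk does not show, so the commit message could name that path. Since local callers now see a different result (per the commit message, connect() no longer fails with EINVAL and `ip route get` succeeds), a selftest covering both commands on a blackhole prefix would guard against regressions. The subject also says "fix" but there is no Fixes: tag, so either add one or state why this is net-next only.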
-- 
2.48.1.502.g6dc24dfdaf-goog

