Message-ID: <365859bd-1457-4f83-91f4-34a7f21e1d8f@linux.alibaba.com>
Date: Fri, 21 Feb 2025 19:55:27 +0800
From: Philo Lu <lulie@...ux.alibaba.com>
To: Julian Anastasov <ja@....bg>
Cc: netdev@...r.kernel.org, davem@...emloft.net, edumazet@...gle.com,
 kuba@...nel.org, pabeni@...hat.com, horms@...nel.org,
 asml.silence@...il.com, willemb@...gle.com, almasrymina@...gle.com,
 chopps@...n.net, aleksander.lobakin@...el.com, nicolas.dichtel@...nd.com,
 dust.li@...ux.alibaba.com, hustcat@...il.com, bpf@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] ipvs: Always clear ipvs_property flag in
 skb_scrub_packet()



On 2025/2/21 19:42, Julian Anastasov wrote:
> 
> 	Hello,
> 
> On Fri, 21 Feb 2025, Philo Lu wrote:
> 
>> We found an issue when using bpf_redirect with ipvs NAT mode after
>> commit ff70202b2d1a ("dev_forward_skb: do not scrub skb mark within
>> the same name space"). Particularly, we use bpf_redirect to return
>> the skb directly back to the netif it comes from, i.e., xnet is
>> false in skb_scrub_packet(), and then ipvs_property is preserved
>> and SNAT is skipped in the rx path.
>>
>> ipvs_property has been already cleared when netns is changed in
>> commit 2b5ec1a5f973 ("netfilter/ipvs: clear ipvs_property flag when
>> SKB net namespace changed"). This patch just clears it in spite of
>> netns.
>>
>> Signed-off-by: Philo Lu <lulie@...ux.alibaba.com>
>> ---
>> This is in fact a fix patch, and the issue was found after commit
>> ff70202b2d1a ("dev_forward_skb: do not scrub skb mark within
>> the same name space"). But I'm not sure if a "Fixes" tag should be
>> added to that commit.
> 
> 	You can add 2b5ec1a5f973 as a Fixes tag in v2 and I'll ack it.

Thank you, Julian. You also solve my worries. I'll post v2 soon.

-- 
Philo

