lists.openwall.net: Open Source and information security mailing list archives

Message-Id: <20250812125155.3808-1-richardbgobert@gmail.com>
Date: Tue, 12 Aug 2025 14:51:50 +0200
From: Richard Gobert <richardbgobert@...il.com>
To: netdev@...r.kernel.org
Cc: davem@...emloft.net,
	edumazet@...gle.com,
	kuba@...nel.org,
	pabeni@...hat.com,
	horms@...nel.org,
	donald.hunter@...il.com,
	andrew+netdev@...n.ch,
	dsahern@...nel.org,
	shuah@...nel.org,
	daniel@...earbox.net,
	jacob.e.keller@...el.com,
	razor@...ckwall.org,
	idosch@...dia.com,
	petrm@...dia.com,
	menglong8.dong@...il.com,
	martin.lau@...nel.org,
	linux-kernel@...r.kernel.org,
	Richard Gobert <richardbgobert@...il.com>
Subject: [PATCH net-next v5 0/5] net: add local address bind support to vxlan and geneve

Currently, vxlan sockets are always bound to 0.0.0.0. For security, it is
better to bind to the specific interface on which traffic is expected.

This series adds a netlink option that makes vxlan sockets bind to their
local addresses. The option is disabled by default as it can potentially
break existing networks.

This series also adds a local address option to geneve, similar to vxlan.
The geneve socket is bound to the local address by default.
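An added example, not part of this series or of the kernel tree: a small POSIX shell check that takes the output of `ss -Hulna` (iproute2, UDP listeners, numeric, no header) and lists tunnel sockets bound to a wildcard address, i.e. the situation the cover letter describes for vxlan today. It assumes the IANA-registered default ports (UDP 4789 for VXLAN, UDP 6081 for GENEVE); a deployment using other ports would need those adjusted. The sample `ss` lines embedded below are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the patch series): find VXLAN/GENEVE UDP sockets
# bound to a wildcard address instead of a specific local address.
# Input format is that of `ss -Hulna`:
#   State Recv-Q Send-Q Local_Address:Port Peer_Address:Port [Process]
# The lines in SAMPLE_SS are constructed for this example.

SAMPLE_SS='UNCONN 0 0 0.0.0.0:4789 0.0.0.0:*
UNCONN 0 0 192.0.2.10:6081 0.0.0.0:*
UNCONN 0 0 [::]:4789 [::]:*
UNCONN 0 0 127.0.0.1:53 0.0.0.0:*'

# Assumed default tunnel ports (IANA): 4789 = VXLAN, 6081 = GENEVE.
VXLAN_PORT=4789
GENEVE_PORT=6081

# Print "<port> <local-address>" for every tunnel socket whose local
# address is the IPv4 or IPv6 wildcard. Reads ss output from "$1".
wildcard_tunnel_sockets() {
    printf '%s\n' "$1" | awk -v vx="$VXLAN_PORT" -v gn="$GENEVE_PORT" '
        {
            # Local address is field 4; the port is the text after the last ":".
            # Splitting "[::]:4789" on ":" still leaves the port as the last piece.
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if ((port == vx || port == gn) && (addr == "0.0.0.0" || addr == "[::]"))
                print port, addr
        }'
}

# Number of wildcard-bound tunnel sockets found in the ss output in "$1".
count_wildcard_tunnel_sockets() {
    wildcard_tunnel_sockets "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample; on a live host use:
#   wildcard_tunnel_sockets "$(ss -Hulna)"
wildcard_tunnel_sockets "$SAMPLE_SS"
```

Run against live `ss` output, a non-empty result means a tunnel socket is accepting encapsulated traffic on every interface, which is what the local-bind option in this series is meant to prevent once it is enabled on the vxlan device (or by default for geneve).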

v4 -> v5:
  - Fix whitespace issues
  - Fix IPv6 compilation errors
  - Add missing documentation
  - Add selftest to test localbind functionality
  - Change localbind option in VXLAN to be non-default
  - v4: https://lore.kernel.org/netdev/20250717115412.11424-1-richardbgobert@gmail.com/

v3 -> v4:
  - Fix a problem where vxlan socket is bound before its outgoing interface is up
  - v3: https://lore.kernel.org/netdev/20240711131411.10439-1-richardbgobert@gmail.com/

v2 -> v3:
  - Fix typo and nit problem (Simon)
  - v2: https://lore.kernel.org/netdev/20240708111103.9742-1-richardbgobert@gmail.com/

v1 -> v2:
  - Change runtime checking of CONFIG_IPV6 to compile time in geneve
  - Change {geneve,vxlan}_find_sock to check listening address
  - Fix incorrect usage of IFLA_VXLAN_LOCAL6 in geneve
  - Use NLA_POLICY_EXACT_LEN instead of changing strict_start_type in geneve
  - v1: https://lore.kernel.org/netdev/df300a49-7811-4126-a56a-a77100c8841b@gmail.com/

Richard Gobert (5):
  net: udp: add freebind option to udp_sock_create
  net: vxlan: add netlink option to bind vxlan sockets to local
    addresses
  net: vxlan: bind vxlan sockets to their local address if configured
  net: geneve: enable binding geneve sockets to local addresses
  selftests/net: add vxlan localbind selftest

 Documentation/netlink/specs/rt-link.yaml      |   8 +
 drivers/net/geneve.c                          |  80 ++++-
 drivers/net/vxlan/vxlan_core.c                | 102 +++++-
 include/net/geneve.h                          |   6 +
 include/net/udp_tunnel.h                      |   3 +-
 include/net/vxlan.h                           |   1 +
 include/uapi/linux/if_link.h                  |   3 +
 net/ipv4/udp_tunnel_core.c                    |   1 +
 net/ipv6/ip6_udp_tunnel.c                     |   1 +
 tools/include/uapi/linux/if_link.h            |   3 +
 tools/testing/selftests/net/Makefile          |   1 +
 .../selftests/net/test_vxlan_localbind.sh     | 306 ++++++++++++++++++
 12 files changed, 490 insertions(+), 25 deletions(-)
 create mode 100755 tools/testing/selftests/net/test_vxlan_localbind.sh

-- 
2.36.1

