
[tproxy,regression] tproxy broken in 2.6.32

Message ID 1259674488.3168.45.camel@bigi
State RFC, archived
Delegated to: David Miller

Commit Message

jamal Dec. 1, 2009, 1:34 p.m. UTC
On Mon, 2009-11-30 at 08:59 -0500, jamal wrote:

> [I could move the check into fib_validate, but that would punish other
> users with a few extra cycles]. 

As in the following patch (gleaned from Patrick's patch on send to self)

cheers,
jamal

Comments

David Miller Dec. 3, 2009, 6:31 a.m. UTC | #1
From: jamal <hadi@cyberus.ca>
Date: Tue, 01 Dec 2009 08:34:48 -0500

> On Mon, 2009-11-30 at 08:59 -0500, jamal wrote:
> 
>> [I could move the check into fib_validate, but that would punish other
>> users with a few extra cycles]. 
> 
> As in the following patch (gleaned from Patrick's patch on send to self)

Tproxy folks, please have a look at Jamal's patch, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
jamal Dec. 3, 2009, 1:53 p.m. UTC | #2
BTW, it should be noted that the change from Patrick to fib_validate
which allows to accept local routes from will also solve this problem.
My suggestion below is to restore old expected behavior..

cheers,
jamal
 
On Wed, 2009-12-02 at 22:31 -0800, David Miller wrote:
> From: jamal <hadi@cyberus.ca>
> Date: Tue, 01 Dec 2009 08:34:48 -0500
> 
> > On Mon, 2009-11-30 at 08:59 -0500, jamal wrote:
> > 
> >> [I could move the check into fib_validate, but that would punish other
> >> users with a few extra cycles]. 
> > 
> > As in the following patch (gleaned from Patrick's patch on send to self)
> 
> Tproxy folks, please have a look at Jamal's patch, thanks.
> --

Patrick McHardy Dec. 3, 2009, 1:55 p.m. UTC | #3
jamal wrote:
> BTW, it should be noted that the change from Patrick to fib_validate
> which allows to accept local routes from will also solve this problem.
> My suggestion below is to restore old expected behavior..

Agreed, the accept_local sysctl should not be misused for this,
otherwise TPROXY setups wouldn't have source validation anymore.
KOVACS Krisztian Dec. 3, 2009, 2:07 p.m. UTC | #4
Hi,

On Thu, 2009-12-03 at 14:55 +0100, Patrick McHardy wrote:
> jamal wrote:
> > BTW, it should be noted that the change from Patrick to fib_validate
> > which allows to accept local routes from will also solve this problem.
> > My suggestion below is to restore old expected behavior..
> 
> Agreed, the accept_local sysctl should not be misused for this,
> otherwise TPROXY setups wouldn't have source validation anymore.

Absolutely agreed.

Cheers,
Krisztian

jamal Dec. 3, 2009, 2:29 p.m. UTC | #5
On Thu, 2009-12-03 at 15:07 +0100, KOVACS Krisztian wrote:
> Hi,
> 
> On Thu, 2009-12-03 at 14:55 +0100, Patrick McHardy wrote:

> > Agreed, the accept_local sysctl should not be misused for this,
> > otherwise TPROXY setups wouldn't have source validation anymore.
> 
> Absolutely agreed.
> 

Ok, thanks.
Dave - I can resubmit on top of Patrick's changes once you swallow them.
Or if you consider this a bug fix then I could submit before Patrick's
(which is essentially that patch).
Let me know.

cheers,
jamal


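A compact model of the source-validation behaviour the thread is arguing about, added here as an illustration; it is not part of the patch, of the kernel, or of anyone's post. It builds a constructed FIB (a main table with a LAN route via eth0 and the loopback local route, plus a fwmark-selected table holding the usual TPROXY "local 0.0.0.0/0 dev lo" catch-all) and a strict reverse-path check that looks up the packet's source address and accepts it only when the answer is a unicast route back out the ingress interface. The two validate_source_* functions contrast clearing the local `mark` after the flow key has already been built from it (what the fib_frontend.c hunk does, assuming, as in the kernel's fib_validate_source, that the flow key's initializer copies `mark`) with clearing the mark inside the flow key itself. Interface numbers, addresses, table contents and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Interface indices for the constructed sample host. */
#define IF_LO   1
#define IF_ETH0 2

/* Route types, mirroring the RTN_LOCAL / RTN_UNICAST distinction. */
enum rtype { RT_UNICAST, RT_LOCAL };

/* One routing entry: destination prefix, prefix length, output interface, type. */
struct route { uint32_t prefix; int plen; int oif; enum rtype type; };
struct table { const struct route *routes; size_t n; };

/* A policy rule: packets carrying this fwmark are looked up in this table. */
struct rule { uint32_t mark; const struct table *tbl; };

#define IP(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | \
                        (uint32_t)(c) << 8 | (uint32_t)(d))

/* Constructed main table: LAN 10.0.0.0/8 via eth0, 127.0.0.0/8 local. */
static const struct route main_routes[] = {
    { IP(10, 0, 0, 0),  8, IF_ETH0, RT_UNICAST },
    { IP(127, 0, 0, 0), 8, IF_LO,   RT_LOCAL },
};
/* Constructed table selected by fwmark 1: the TPROXY-style "local 0.0.0.0/0 dev lo". */
static const struct route tproxy_routes[] = {
    { 0, 0, IF_LO, RT_LOCAL },
};
static const struct table main_table   = { main_routes, 2 };
static const struct table tproxy_table = { tproxy_routes, 1 };
static const struct rule rules[] = { { 1, &tproxy_table } };

/* Flow key in the spirit of struct flowi: destination, fwmark, ingress interface. */
struct flow { uint32_t daddr; uint32_t mark; int iif; };

static int prefix_match(const struct route *r, uint32_t addr)
{
    uint32_t mask = r->plen ? ~0u << (32 - r->plen) : 0;
    return (addr & mask) == (r->prefix & mask);
}

/* Longest-prefix lookup in one table; NULL when nothing matches. */
static const struct route *table_lookup(const struct table *t, uint32_t addr)
{
    const struct route *best = NULL;
    for (size_t i = 0; i < t->n; i++)
        if (prefix_match(&t->routes[i], addr) &&
            (!best || t->routes[i].plen > best->plen))
            best = &t->routes[i];
    return best;
}

/* fib_lookup stand-in: policy rules pick a table by mark, falling back to main. */
static const struct route *fib_lookup(const struct flow *fl)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (fl->mark && rules[i].mark == fl->mark)
            return table_lookup(rules[i].tbl, fl->daddr);
    return table_lookup(&main_table, fl->daddr);
}

/* Strict reverse-path check (rp_filter=1 style): the packet's *source* is looked
 * up as a destination and passes only if that yields a unicast route out of the
 * ingress interface. A local route for the source means "reject", which is the
 * 2.6.32 TPROXY regression once the mark takes part in this lookup.
 * Returns 1 when the source is accepted, 0 when it is rejected. */
static int rpf_check(const struct flow *fl)
{
    const struct route *r = fib_lookup(fl);
    return r && r->type == RT_UNICAST && r->oif == fl->iif;
}

/* Shape of the RFC hunk: the flow key is initialised from `mark` first, then the
 * local variable is cleared, so the lookup still sees the original mark. */
static int validate_source_rfc(uint32_t src, int iif, uint32_t mark, int src_valid_mark)
{
    struct flow fl = { .daddr = src, .mark = mark, .iif = iif };
    if (!src_valid_mark)
        mark = 0;        /* too late: fl.mark already holds the mark */
    (void)mark;
    return rpf_check(&fl);
}

/* Clearing the mark in the key that the lookup actually uses. */
static int validate_source_fixed(uint32_t src, int iif, uint32_t mark, int src_valid_mark)
{
    struct flow fl = { .daddr = src, .mark = mark, .iif = iif };
    if (!src_valid_mark)
        fl.mark = 0;
    return rpf_check(&fl);
}

int main(void)
{
    uint32_t lan_src = IP(10, 1, 2, 3);   /* constructed client behind eth0 */
    printf("marked, src_valid_mark=0: rfc=%d fixed=%d\n",
           validate_source_rfc(lan_src, IF_ETH0, 1, 0),
           validate_source_fixed(lan_src, IF_ETH0, 1, 0));
    printf("spoofed 127.0.0.1 on eth0: fixed=%d\n",
           validate_source_fixed(IP(127, 0, 0, 1), IF_ETH0, 0, 0));
    return 0;
}
```

With src_valid_mark left at 0 the fixed variant validates a marked TPROXY packet against the main table, so a genuine LAN source passes and a spoofed loopback source is still rejected; that is the "restore old behaviour without losing source validation" outcome the replies ask for, whereas the RFC-shaped variant keeps rejecting marked packets because the flow key still carries the mark.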

Patch

diff --git a/include/linux/inetdevice.h b/include/linux/inetdevice.h
index ad27c7d..9cd0bcf 100644
--- a/include/linux/inetdevice.h
+++ b/include/linux/inetdevice.h
@@ -83,6 +83,7 @@  static inline void ipv4_devconf_setall(struct in_device *in_dev)
 #define IN_DEV_FORWARD(in_dev)		IN_DEV_CONF_GET((in_dev), FORWARDING)
 #define IN_DEV_MFORWARD(in_dev)		IN_DEV_ANDCONF((in_dev), MC_FORWARDING)
 #define IN_DEV_RPFILTER(in_dev)		IN_DEV_MAXCONF((in_dev), RP_FILTER)
+#define IN_DEV_SRC_VMARK(in_dev)    	IN_DEV_ORCONF((in_dev), SRC_VMARK)
 #define IN_DEV_SOURCE_ROUTE(in_dev)	IN_DEV_ANDCONF((in_dev), \
 						       ACCEPT_SOURCE_ROUTE)
 #define IN_DEV_BOOTP_RELAY(in_dev)	IN_DEV_ANDCONF((in_dev), BOOTP_RELAY)
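Review bot: the added IN_DEV_SRC_VMARK definition pads with spaces followed by a tab before IN_DEV_ORCONF, while the neighbouring macros align with tabs only; use the same tab alignment. Also note the choice of IN_DEV_ORCONF, under which setting either `all` or the per-interface knob enables mark validation, differs from the IN_DEV_MAXCONF used for RP_FILTER on the line above; that is reasonable for a boolean but should be spelled out wherever the sysctl is documented.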
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index 1e4743e..843f71b 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -490,6 +490,7 @@  enum
 	NET_IPV4_CONF_PROMOTE_SECONDARIES=20,
 	NET_IPV4_CONF_ARP_ACCEPT=21,
 	NET_IPV4_CONF_ARP_NOTIFY=22,
+	NET_IPV4_CONF_SRC_VMARK=23,
 	__NET_IPV4_CONF_MAX
 };
 
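Review bot: NET_IPV4_CONF_SRC_VMARK=23 extends the legacy binary-sysctl enum and must stay in step with the "src_valid_mark" translation entry added in kernel/sysctl_check.c, which it does in this series; consider naming the enum value and the IN_DEV_ macro after the proc file (SRC_VALID_MARK) so the three spellings of the same knob can be found together.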
diff --git a/kernel/sysctl_check.c b/kernel/sysctl_check.c
index b6e7aae..469193c 100644
--- a/kernel/sysctl_check.c
+++ b/kernel/sysctl_check.c
@@ -220,6 +220,7 @@  static const struct trans_ctl_table trans_net_ipv4_conf_vars_table[] = {
 	{ NET_IPV4_CONF_PROMOTE_SECONDARIES,	"promote_secondaries" },
 	{ NET_IPV4_CONF_ARP_ACCEPT,		"arp_accept" },
 	{ NET_IPV4_CONF_ARP_NOTIFY,		"arp_notify" },
+	{ NET_IPV4_CONF_SRC_VMARK,		"src_valid_mark" },
 	{}
 };
 
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index 5df2f6a..0030e73 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -1450,6 +1450,7 @@  static struct devinet_sysctl_table {
 		DEVINET_SYSCTL_RW_ENTRY(SEND_REDIRECTS, "send_redirects"),
 		DEVINET_SYSCTL_RW_ENTRY(ACCEPT_SOURCE_ROUTE,
 					"accept_source_route"),
+		DEVINET_SYSCTL_RW_ENTRY(SRC_VMARK, "src_valid_mark"),
 		DEVINET_SYSCTL_RW_ENTRY(PROXY_ARP, "proxy_arp"),
 		DEVINET_SYSCTL_RW_ENTRY(MEDIUM_ID, "medium_id"),
 		DEVINET_SYSCTL_RW_ENTRY(BOOTP_RELAY, "bootp_relay"),
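Review bot: registering the per-interface `src_valid_mark` file here adds a user-visible knob with no accompanying entry in Documentation/networking/ip-sysctl.txt; please add one stating what the mark is used for in source validation, that the setting is read-write per interface, and the default (presumably 0, given the stated intent of restoring the pre-2.6.32 behaviour).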
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index aa00398..b489135 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -241,16 +241,19 @@  int fib_validate_source(__be32 src, __be32 dst, u8 tos, int oif,
 			    .iif = oif };
 
 	struct fib_result res;
-	int no_addr, rpf;
+	int no_addr, rpf, validate_mark;
 	int ret;
 	struct net *net;
 
-	no_addr = rpf = 0;
+	no_addr = rpf = validate_mark = 0;
 	rcu_read_lock();
 	in_dev = __in_dev_get_rcu(dev);
 	if (in_dev) {
 		no_addr = in_dev->ifa_list == NULL;
 		rpf = IN_DEV_RPFILTER(in_dev);
+		validate_mark = IN_DEV_SRC_VMARK(in_dev);
+		if (!validate_mark)
+			mark = 0;
 	}
 	rcu_read_unlock();
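Review bot: the `mark = 0;` added under `if (in_dev)` clears the function parameter after the flow key `fl` has already been initialised (its initialiser closes at `.iif = oif };` at the top of the hunk); if that initialiser copies `mark` into `fl.mark`, as fib_validate_source's does, the subsequent lookup still runs with the original mark and the new sysctl has no effect, so the assignment should be `fl.mark = 0;`. The `validate_mark` local then becomes unnecessary and the test can read `if (!IN_DEV_SRC_VMARK(in_dev)) fl.mark = 0;`.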