From: Hannes Frederic Sowa <hannes@stressinduktion.org>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: David Ahern <dsa@cumulusnetworks.com>,
YOSHIFUJI Hideaki <hideaki.yoshifuji@miraclelinux.com>,
LKML <linux-kernel@vger.kernel.org>,
WireGuard mailing list <wireguard@lists.zx2c4.com>,
Netdev <netdev@vger.kernel.org>
Subject: Re: [WireGuard] [PATCH v3] ip6_output: ensure flow saddr actually belongs to device
Date: Tue, 15 Nov 2016 15:45:29 +0100 [thread overview]
Message-ID: <7543fa0f-a053-8387-1862-d78ffadba688@stressinduktion.org> (raw)
In-Reply-To: <CAHmME9ppx01YR9Db1oPpm6FJ+BmpqSxvjQ2S+GT0DXO09_M4oQ@mail.gmail.com>
Hey Jason,
On 15.11.2016 01:45, Jason A. Donenfeld wrote:
> I'll have a better look at this. Perhaps this should be modeled on
> what we currently do for userspace, which might amount to something
> more or less like:
Cool, thanks!
> diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
> index 6001e78..0721915 100644
> --- a/net/ipv6/ip6_output.c
> +++ b/net/ipv6/ip6_output.c
> @@ -925,6 +925,7 @@ static int ip6_dst_lookup_tail(struct net *net,
> const struct sock *sk,
> #endif
> int err;
> int flags = 0;
> + int addr_type, bind_to_dev;
>
> /* The correct way to handle this would be to do
> * ip6_route_get_saddr, and then ip6_route_output; however,
> @@ -1012,6 +1013,16 @@ static int ip6_dst_lookup_tail(struct net *net,
> const struct sock *sk,
> }
> #endif
>
> + addr_type = ipv6_addr_type(&fl6->saddr);
> + if (addr_type == IPv6_ADDR_ANY)
> + return 0;
> +
> + err = -EINVAL;
> + bind_to_dev = __ipv6_addr_src_scope(addr_type) <=
> IPV6_ADDR_SCOPE_LINKLOCAL;
> + if (!ipv6_chk_addr(net, &fl6->saddr, bind_to_dev ?
> (*dst)->dev : NULL, 0) &&
> + !ipv6_chk_acast_addr_src(net, (*dst)->dev, &fl6->saddr))
> + goto out_err_release;
> +
> return 0;
>
> out_err_release:
>
We should not use (*dst)->dev, as this is the resulting device after the
lookup and not necessarily corresponds to the device the user asked for.
Thus you need to pass in fl6.flowi6_oif. Thus to kill the necessary
ifindex->net_device lookup, I would suggest to move
ipv6_chk_addr_and_flags to use ifindex instead of net_device (0
corresponds to the net_device == NULL case). It seems to me this would
make the code easier. ipv6_chk_addr can simply pass down dev->ifindex to
ipv6_chk_addr.
Probably for checking anycast address you need to look up the
net_device, thus use dev_get_by_index_rcu. But probably the unicast
filter will already hit thus the whole traversing of anycast addresses
won't happen in normal cases. This could be separated to its own function.
In the non-strict case we don't necessarily need bind_to_dev?
Bye,
Hannes
next prev parent reply other threads:[~2016-11-15 14:42 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-11-11 19:29 [WireGuard] Source address fib invalidation on IPv6 Jason A. Donenfeld
2016-11-11 22:14 ` David Ahern
2016-11-12 2:18 ` Jason A. Donenfeld
2016-11-12 15:40 ` Jason A. Donenfeld
2016-11-12 18:14 ` David Ahern
2016-11-12 19:08 ` Jason A. Donenfeld
2016-11-13 0:43 ` Jason A. Donenfeld
2016-11-13 0:51 ` Hannes Frederic Sowa
2016-11-13 1:00 ` Jason A. Donenfeld
2016-11-13 13:23 ` [WireGuard] [PATCH] ip6_output: ensure flow saddr actually belongs to device Jason A. Donenfeld
2016-11-13 16:30 ` David Ahern
2016-11-13 19:02 ` [WireGuard] [PATCH v2] " Jason A. Donenfeld
2016-11-13 20:45 ` David Ahern
2016-11-13 23:28 ` [WireGuard] [PATCH v3] " Jason A. Donenfeld
2016-11-14 1:36 ` [WireGuard] Debugging AllowedIps John Huttley
2016-11-14 1:39 ` Jason A. Donenfeld
2016-11-14 2:28 ` John Huttley
2016-11-14 2:59 ` Jason A. Donenfeld
2016-11-14 3:10 ` John Huttley
2016-11-14 16:19 ` [WireGuard] [PATCH v3] ip6_output: ensure flow saddr actually belongs to device David Ahern
[not found] ` <CAHmME9p6-mLSs84AwwfRXe8U3Z2sy6Dp9W9H0gKh0rcZuQAfZA@mail.gmail.com>
[not found] ` <CAHmME9qC4xqGOwJnauXrJBDkAtmmuJ+kJKL6ufuU9_XWKNFdSA@mail.gmail.com>
2016-11-14 16:54 ` Jason A. Donenfeld
2016-11-14 16:44 ` Hannes Frederic Sowa
2016-11-14 16:55 ` David Ahern
2016-11-14 17:04 ` Hannes Frederic Sowa
2016-11-14 17:17 ` David Ahern
2016-11-14 17:33 ` Hannes Frederic Sowa
2016-11-14 17:48 ` David Ahern
2016-11-14 18:33 ` Hannes Frederic Sowa
2016-11-15 0:45 ` Jason A. Donenfeld
2016-11-15 14:45 ` Hannes Frederic Sowa [this message]
2016-11-15 15:26 ` David Ahern
2016-11-13 20:19 ` [WireGuard] [PATCH] " Jason A. Donenfeld
2016-11-13 20:39 ` David Ahern
2016-11-13 0:51 ` [WireGuard] Source address fib invalidation on IPv6 Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7543fa0f-a053-8387-1862-d78ffadba688@stressinduktion.org \
--to=hannes@stressinduktion.org \
--cc=Jason@zx2c4.com \
--cc=dsa@cumulusnetworks.com \
--cc=hideaki.yoshifuji@miraclelinux.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).