From: jamal <hadi@cyberus.ca>
To: KOVACS Krisztian <hidden@sch.bme.hu>
Cc: Patrick McHardy <kaber@trash.net>,
KOVACS Krisztian <hidden@balabit.hu>,
Andreas Schultz <aschultz@warp10.net>,
tproxy@lists.balabit.hu, netdev@vger.kernel.org
Subject: Re: [tproxy,regression] tproxy broken in 2.6.32
Date: Sat, 28 Nov 2009 14:44:02 -0500 [thread overview]
Message-ID: <1259437442.3864.61.camel@bigi> (raw)
In-Reply-To: <20091128190500.GB12264@sch.bme.hu>
On Sat, 2009-11-28 at 20:05 +0100, KOVACS Krisztian wrote:
> Hi,
>
> The source address *is* unicast.
Sorry - I meant the route type is unicast. The fact that an address is
unicast or not is already dealt with by the time you get to source
address validation (in ip_input())
> The problem is that the routing setup is
> asymmetrical, as Patrick has already mentioned: we're using a mark to
> force certain packets (those that have matching sockets on the host) being
> delivered locally.
>
> In the other direction, reply packets won't be marked by the iptables
> rules and thus will be routed on egress just fine.
In that case i dont understand the reluctance to use unicast routes.
Maybe you can explain and put me at ease because i see youve put extra
effort to use local addresses.
> Your modification has
> the assumption that routing is symmetrical, and that reply packets will
> have the same mark. That assumption is not necessarily right, and I think
> it's not entirely unreasonable to think that not only tproxy setups will
> be broken by the change.
>
> > So i didnt introduce that logic thats causing this pain.
>
> Well, it depends whether or not you consider the initial setup valid.
>
Based on what i see - I frankly dont. If i looked up the source address
and found that it belonged to something other than unicast route - we
drop it. It doesnt matter whether you use policy routing, rpf or not.
It may be the solution is to allow local routes under certain conditions
although i dont understand why.
> > If it worked before it was hack or fluke imo ;-> If we think that
> > source address validation needs to check for something else
> > additionally, i think thats a separate topic (but doesnt
> > seem worth a change)
>
> My only concern is that this definitely breaks current setups, and while
> we do have a workaround we don't have a way to let all users know what
> needs to be done...
This code just went in i think. And really this is a user space issue;
i am not unreasonable - please convince me i am just having a technical
challenge understanding your desire to use local instead of unicast.
cheers,
jamal
next prev parent reply other threads:[~2009-11-28 19:43 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <db81a9a20911230443h443b3c2l8fab5aef7b09cfa@mail.gmail.com>
[not found] ` <1259137434.9191.3.camel@nienna.balabit>
2009-11-26 17:19 ` [tproxy,regression] tproxy broken in 2.6.32 Andreas Schultz
2009-11-27 8:26 ` KOVACS Krisztian
2009-11-27 9:11 ` Andreas Schultz
2009-11-27 16:05 ` jamal
2009-11-28 15:15 ` KOVACS Krisztian
2009-11-28 15:45 ` jamal
2009-11-28 18:50 ` KOVACS Krisztian
2009-11-28 19:26 ` jamal
2009-11-28 15:46 ` Patrick McHardy
2009-11-28 16:04 ` jamal
2009-11-28 17:07 ` Patrick McHardy
2009-11-28 17:36 ` jamal
2009-11-28 19:05 ` KOVACS Krisztian
2009-11-28 19:44 ` jamal [this message]
2009-11-28 21:21 ` David Miller
2009-11-28 22:20 ` jamal
2009-11-29 20:35 ` KOVACS Krisztian
2009-11-30 12:15 ` jamal
2009-11-30 12:45 ` KOVACS Krisztian
2009-11-30 13:59 ` jamal
2009-12-01 13:34 ` jamal
2009-12-03 6:31 ` David Miller
2009-12-03 13:53 ` jamal
2009-12-03 13:55 ` Patrick McHardy
2009-12-03 14:07 ` KOVACS Krisztian
2009-12-03 14:29 ` jamal
2009-12-13 16:52 ` [PATCH] net: restore ip source validation WAS(Re: " jamal
2009-12-13 18:12 ` Julian Anastasov
2009-12-13 18:38 ` jamal
2009-12-13 19:11 ` jamal
2009-12-13 19:15 ` jamal
2009-12-14 3:10 ` David Miller
2009-12-14 10:19 ` jamal
2009-12-26 1:30 ` David Miller
2009-12-26 15:05 ` jamal
2009-12-26 21:45 ` David Miller
2009-11-30 20:17 ` David Miller
2009-11-28 21:22 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1259437442.3864.61.camel@bigi \
--to=hadi@cyberus.ca \
--cc=aschultz@warp10.net \
--cc=hidden@balabit.hu \
--cc=hidden@sch.bme.hu \
--cc=kaber@trash.net \
--cc=netdev@vger.kernel.org \
--cc=tproxy@lists.balabit.hu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.