From: Patrick McHardy <kaber@trash.net>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: David Miller <davem@davemloft.net>, netdev@vger.kernel.org
Subject: Re: [PATCH] macvlan: Support creating macvlans from macvlans
Date: Fri, 06 Mar 2009 16:08:45 +0100 [thread overview]
Message-ID: <49B13C7D.10308@trash.net> (raw)
In-Reply-To: <m14oy6n15y.fsf@fess.ebiederm.org>
Eric W. Biederman wrote:
> Patrick McHardy <kaber@trash.net> writes:
>
>> That makes sense of course. I'm mainly wondering whether a namespace
>> should be able to directly affect the real device like this. This
>> might move it to promiscous mode, or affect other performce-relevant
>> settings. Its also looks like you can steal the MAC address of a
>> different macvlan device this way and have the packets directed to you
>> (new devices are added to the beginning of the hash chains, so they
>> are found first on lookups).
>
> To a large extent those are things that we already can do, simply by
> having multiple mcavlans in different network namespaces. I could
> push it into promiscous mode by adding more multicast listeners,
> and I could steal the mac address of another macvlan by changing
> my mac address if I happen to come first in the hash chain.
>
> Hmm. Actually that appears to be a macvlan bug. It looks like if I
> change the macaddress on a macvlan we don't update the hash chains.
> So unless we have the same low byte we will be on the wrong hash chain
> and not receive the packets for the mac we specified. Ouch!
The address can only be changed while the device is down and unhashed.
> It is also trivial to spoof a different macvlan device by using
> PF_PACKET and sending packets with the source mac address of
> another macvlan.
Yes, but that doesn't allow one namespace to deny service to
a different one.
> Also this still requires CAP_NET_ADMIN, as much as I would like
> to remove that restriction.
>
> Your concerns don't appear to be new to allowing the creation
> of a macvlan from a macvlan or fundamental to creating
> a macvlan from a macvlan. You still must have access to at
> least a macvlan in your namespace to create a new one. So
> I don't think those issues bear on my patch.
No, they're not, but it seemed worth pointing out. Your patch
looks perfectly fine.
Acked-by: Patrick McHardy <kaber@trash.net>
next prev parent reply other threads:[~2009-03-06 15:08 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-03-05 23:12 [PATCH] macvlan: Support creating macvlans from macvlans Eric W. Biederman
2009-03-06 13:54 ` Patrick McHardy
2009-03-06 14:17 ` Eric W. Biederman
2009-03-06 14:25 ` Patrick McHardy
2009-03-06 15:03 ` Eric W. Biederman
2009-03-06 15:08 ` Patrick McHardy [this message]
2009-03-06 15:24 ` Eric W. Biederman
2009-03-06 15:33 ` Patrick McHardy
2009-03-06 15:50 ` Eric W. Biederman
2009-03-06 15:56 ` Patrick McHardy
2009-03-06 17:07 ` Ben Greear
2009-03-06 20:16 ` [PATCH] macvlan: Deterministic ingress packet delivery Eric W. Biederman
2009-03-07 16:36 ` Ben Greear
2009-03-09 13:25 ` Patrick McHardy
2009-03-13 20:16 ` David Miller
2009-03-13 20:15 ` [PATCH] macvlan: Support creating macvlans from macvlans David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=49B13C7D.10308@trash.net \
--to=kaber@trash.net \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).