From: Paolo Abeni <pabeni@redhat.com>
To: netdev@vger.kernel.org
Cc: "David S. Miller" <davem@davemloft.net>
Subject: [PATCH net 0/2] udp: fix early demux for mcast packets
Date: Thu, 28 Sep 2017 15:51:35 +0200 [thread overview]
Message-ID: <cover.1506606381.git.pabeni@redhat.com> (raw)
Currently the early demux callbacks do not perform source address validation.
This is not an issue for TCP or UDP unicast, where the early demux
is only allowed for connected sockets and the source address is validated
for the first packet and never change.
The UDP protocol currently allows early demux also for unconnected multicast
sockets, and we are not currently doing any validation for them, after that
the first packet lands on the socket: beyond ignoring the rp_filter - if
enabled - any kind of martian sources are also allowed.
This series addresses the issue allowing the early demux callback to return an
error code, and performing the proper checks for unconnected UDP multicast
sockets before leveraging the rx dst cache.
Alternatively we could disable the early demux for unconnected mcast sockets,
but that would cause relevant performance regression - around 50% - while with
this series, with full rp_filter in place, we keep the regression to a more
moderate level.
Paolo Abeni (2):
IPv4: early demux can return an error code
udp: perform source validation for mcast early demux
include/net/protocol.h | 4 ++--
include/net/route.h | 4 +++-
include/net/tcp.h | 2 +-
include/net/udp.h | 2 +-
net/ipv4/ip_input.c | 25 +++++++++++++++----------
net/ipv4/route.c | 46 ++++++++++++++++++++++++++--------------------
net/ipv4/tcp_ipv4.c | 9 +++++----
net/ipv4/udp.c | 24 ++++++++++++++++++------
8 files changed, 71 insertions(+), 45 deletions(-)
--
2.13.5
next reply other threads:[~2017-09-28 13:52 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-28 13:51 Paolo Abeni [this message]
2017-09-28 13:51 ` [PATCH net 1/2] IPv4: early demux can return an error code Paolo Abeni
2017-09-28 13:51 ` [PATCH net 2/2] udp: perform source validation for mcast early demux Paolo Abeni
2017-10-01 2:56 ` [PATCH net 0/2] udp: fix early demux for mcast packets David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1506606381.git.pabeni@redhat.com \
--to=pabeni@redhat.com \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).