From: ebiederm@xmission.com (Eric W. Biederman)
To: Patrick McHardy <kaber@trash.net>
Cc: David Miller <davem@davemloft.net>, netdev@vger.kernel.org
Subject: Re: [PATCH] macvlan: Support creating macvlans from macvlans
Date: Fri, 06 Mar 2009 07:24:40 -0800 [thread overview]
Message-ID: <m1bpsellmv.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <49B13C7D.10308@trash.net> (Patrick McHardy's message of "Fri\, 06 Mar 2009 16\:08\:45 +0100")
Patrick McHardy <kaber@trash.net> writes:
> Eric W. Biederman wrote:
>> Patrick McHardy <kaber@trash.net> writes:
>>
>>> That makes sense of course. I'm mainly wondering whether a namespace
>>> should be able to directly affect the real device like this. This
>>> might move it to promiscous mode, or affect other performce-relevant
>>> settings. Its also looks like you can steal the MAC address of a
>>> different macvlan device this way and have the packets directed to you
>>> (new devices are added to the beginning of the hash chains, so they
>>> are found first on lookups).
>>
>> To a large extent those are things that we already can do, simply by
>> having multiple mcavlans in different network namespaces. I could
>> push it into promiscous mode by adding more multicast listeners,
>> and I could steal the mac address of another macvlan by changing
>> my mac address if I happen to come first in the hash chain.
>>
>> Hmm. Actually that appears to be a macvlan bug. It looks like if I
>> change the macaddress on a macvlan we don't update the hash chains.
>> So unless we have the same low byte we will be on the wrong hash chain
>> and not receive the packets for the mac we specified. Ouch!
>
> The address can only be changed while the device is down and unhashed.
Point. The dev_unicast/dev_unicast_delete in macvlan_set_mac_address
appears to be completely unnecessary then.
>> It is also trivial to spoof a different macvlan device by using
>> PF_PACKET and sending packets with the source mac address of
>> another macvlan.
>
> Yes, but that doesn't allow one namespace to deny service to
> a different one.
No for that I guess it seems I just need to down the interface
change the mac and up the interface again.
>> Also this still requires CAP_NET_ADMIN, as much as I would like
>> to remove that restriction.
>>
>> Your concerns don't appear to be new to allowing the creation
>> of a macvlan from a macvlan or fundamental to creating
>> a macvlan from a macvlan. You still must have access to at
>> least a macvlan in your namespace to create a new one. So
>> I don't think those issues bear on my patch.
>
> No, they're not, but it seemed worth pointing out. Your patch
> looks perfectly fine.
Thanks.
Would you be opposed to changes that made macvlan more robust.
Such as refusing to come up if the macaddress is already in use.
And perhaps denying the sending of packets with the wrong source
mac?
> Acked-by: Patrick McHardy <kaber@trash.net>
next prev parent reply other threads:[~2009-03-06 15:24 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-03-05 23:12 [PATCH] macvlan: Support creating macvlans from macvlans Eric W. Biederman
2009-03-06 13:54 ` Patrick McHardy
2009-03-06 14:17 ` Eric W. Biederman
2009-03-06 14:25 ` Patrick McHardy
2009-03-06 15:03 ` Eric W. Biederman
2009-03-06 15:08 ` Patrick McHardy
2009-03-06 15:24 ` Eric W. Biederman [this message]
2009-03-06 15:33 ` Patrick McHardy
2009-03-06 15:50 ` Eric W. Biederman
2009-03-06 15:56 ` Patrick McHardy
2009-03-06 17:07 ` Ben Greear
2009-03-06 20:16 ` [PATCH] macvlan: Deterministic ingress packet delivery Eric W. Biederman
2009-03-07 16:36 ` Ben Greear
2009-03-09 13:25 ` Patrick McHardy
2009-03-13 20:16 ` David Miller
2009-03-13 20:15 ` [PATCH] macvlan: Support creating macvlans from macvlans David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m1bpsellmv.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=davem@davemloft.net \
--cc=kaber@trash.net \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).