Date: Mon, 22 Feb 2021 14:31:38 -0800
From: Jakub Kicinski
To: Matthias Schiffer
Cc: Tom Parkin, netdev@vger.kernel.org, "David S. Miller", linux-kernel@vger.kernel.org
Subject: Re: [PATCH net] net: l2tp: reduce log level when passing up invalid packets
Message-ID: <20210222143138.5711048a@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>

On Mon, 22 Feb 2021 17:40:16 +0100 Matthias Schiffer wrote:
> >> This will not be sufficient for my usecase: To stay compatible with older
> >> versions of fastd, I can't set the T flag in the first packet of the
> >> handshake, as it won't be known whether the peer has a new enough fastd
> >> version to understand packets that have this bit set. Luckily, the second
> >> handshake byte is always 0 in fastd's protocol, so these packets fail the
> >> tunnel version check and are passed to userspace regardless.
> >>
> >> I'm aware that this usecase is far outside of the original intentions of the
> >> code and can only be described as a hack, but I still consider this a
> >> regression in the kernel, as it was working fine in the past, without
> >> visible warnings.
> >>
> >
> > I'm sorry, but for the reasons stated above I disagree about it being
> > a regression.
>
> Hmm, is it common for protocol implementations in the kernel to warn about
> invalid packets they receive? While L2TP uses connected sockets and thus
> usually no unrelated packets end up in the socket, a simple UDP port scan
> originating from the configured remote address/port will trigger the "short
> packet" warning now (nmap uses a zero-length payload for UDP scans by
> default). Log spam caused by a malicious party might also be a concern.

Indeed, seems like appropriate counters would be a good fit here?
The prints are both potentially problematic for security and lossy.
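
The counter-based handling suggested in the reply above, sketched in userspace C as an added example (it is not kernel code and not from anyone in the thread). The counter names, the `MIN_HDR` threshold, the order of the checks and the sample bytes are assumptions made for illustration; the point is that each invalid packet is counted exactly once and nothing is printed per packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flags/version word of the L2TP header (RFC 2661 / RFC 3931 over UDP). */
#define L2TP_T_BIT    0x8000u  /* set on control messages */
#define L2TP_VER_MASK 0x000Fu  /* low nibble of the second byte */
#define MIN_HDR       2u       /* assumption: bytes needed to read the word */

enum verdict { DATA_PATH, PASS_UP };

/* Hypothetical per-tunnel counters that replace the per-packet prints. */
struct rx_stats {
    unsigned long long rx_short;        /* too short to carry a header */
    unsigned long long rx_bad_version;  /* version nibble != tunnel version */
    unsigned long long rx_control;      /* T bit set */
    unsigned long long rx_data;
};

/* Classify one UDP payload; invalid cases bump a counter and never log. */
static enum verdict l2tp_classify(const uint8_t *p, size_t len,
                                  unsigned tunnel_ver, struct rx_stats *st)
{
    if (len < MIN_HDR) {                 /* e.g. an empty scan probe */
        st->rx_short++;
        return PASS_UP;
    }
    uint16_t word = (uint16_t)((p[0] << 8) | p[1]);  /* network byte order */
    if ((word & L2TP_VER_MASK) != tunnel_ver) {
        st->rx_bad_version++;            /* second byte 0 lands here */
        return PASS_UP;
    }
    if (word & L2TP_T_BIT) {
        st->rx_control++;
        return PASS_UP;
    }
    st->rx_data++;
    return DATA_PATH;
}

int main(void)
{
    struct rx_stats st = {0};
    const uint8_t hs[] = {0x01, 0x00};   /* constructed: second byte is 0 */
    for (int i = 0; i < 1000; i++)       /* constructed: empty payloads */
        l2tp_classify(NULL, 0, 3, &st);
    l2tp_classify(hs, sizeof hs, 3, &st);
    printf("short=%llu bad_version=%llu\n", st.rx_short, st.rx_bad_version);
    return 0;
}
```

A flood of empty payloads costs one increment each and is reported exactly, whereas a rate-limited print would either fill the log or drop events.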