From: Jakub Sitnicki
Sent: 23 September 2024 15:56
On Mon, Sep 23, 2024 at 01:08 PM GMT, David Laight wrote:
From: Tiago Lam tiagolam@cloudflare.com
[...]
To limit its usage, a reverse socket lookup is performed to check if the configured egress source address and/or port have any ingress sk_lookup match. If it does, traffic is allowed to proceed, otherwise it falls back to the regular egress path.
Is that really useful/necessary?
We've been asking ourselves the same question during Plumbers with Martin.
Unprivileges processes can already source UDP traffic from (almost) any IP & port by binding a socket to the desired source port and passing IP_PKTINFO. So perhaps having a reverse socket lookup is an overkill.
Traditionally you'd need to bind to the source port on any local IP (or the wildcard IP) that didn't have another socket bound to that port. Modern Linux might have more restrictions and SO_REUSADDR muddies things.
And I don't think you can do a connect() on an unbound UDP socket to set the source port at the same time as the destination IP+port. (That would actually be useful.)
OTOH if you just want to send a UDP message you can just use another system on the same network. You might need to spoof the source mac - but that isn't hard (although it might confuse any ethernet switches).
We should probably respect net.ipv4.ip_local_reserved_ports and net.ipv4.ip_unprivileged_port_start system settings, though, or check for relevant caps.
True.
Open question if it is acceptable to disregard exclusive UDP port ownership by sockets binding to a wildcard address without SO_REUSEADDR?
We've often suffered from the opposite - a program binds to the wildcard IP and everything works until something else binds to the same port and a specific local IP. I'm sure this is grief some on both TCP and UDP - especially since you often need to set SO_REUSADDR to stop other things breaking.
David
- Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)