Comments (12)
Debian oldstable (stretch) currently only offers kernels that are affected by this bug; I submitted a bugreport about updating the backport kernels (it's already a 4.19 kernel, but not new enough).
The Debian stable (buster) kernel is fine (4.19.98). On Ubuntu 18.04 (bionic), install linux-generic-hwe-18.04
(at least this changelog says that should suffice).
from tunneldigger.
Could u say something what happens with old kernels? I updated the version to 19.07.4 with 4.14.180 or 4.19.X kernel.
I don't see any obvious issues with that kernel and the version while running tunneldigger. I will investigate further.
from tunneldigger.
Clients were unable to reliably connect with broken kernels, so we saw many connection timeouts or other disconnects in the logs. Also see #129. You should also see warnings specifically pointing out that the kernel is likely buggy.
Maybe Ubuntu backported the problematic patches, who knows. (I assume you are using Ubuntu? You didn't state the distro you are using.)
from tunneldigger.
Maybe Ubuntu backported the problematic patches, who knows. (I assume you are using Ubuntu? You didn't state the distro you are using.)
OpenWrt. Thanks I will have a look at the log.
from tunneldigger.
This issue is about the tunneldigger broker. Are you really running that server-side component on OpenWrt?
from tunneldigger.
This issue is about the tunneldigger broker. Are you really running that server-side component on OpenWrt?
No. :O Sry, than everytihng is fine. :D
from tunneldigger.
Would using SO_REUSEADDR
instead of SO_REUSEPORT
be an option? At least using a short test program, kernel 4.19 doesn't seem to show this bug with SO_REUSEADDR
(I have not checked older kernels).
While implementing L2TP support for fastd (still work in progress), I noticed another advantage of SO_REUSEADDR
: It can be set after bind() of the first socket, while SO_REUSEPORT
needs to be set before bind(), which may accidentally allow two processes of the same user to bind to the same port.
With SO_REUSEADDR
this can be prevented: Let a process bind its first socket without SO_REUSEADDR
; this will fail if the port is already bound by another process. Then set SO_REUSEADDR
on the first socket. On subsequent sockets, set SO_REUSEADDR
before bind(), so they are allowed to use the same port as the first socket.
from tunneldigger.
Would using SO_REUSEADDR instead of SO_REUSEPORT be an option?
I have to admit I am out of my league here; the differences between these flags are beyond my experience in this space. @kaechele did the implementation with SO_REUSEPORT, he might be able to comment. Other than that, if someone writes a PR that switches to SO_REUSEADDR, I'd be willing to test that on our servers and merge it if it works.
from tunneldigger.
I initially implemented this using SO_REUSEPORT
as my research suggested this to be best practice from a security standpoint.
Your way of utilizing SO_REUSEADDR
looks like a smart way to avoid double-binding a port already in use by the same user but for a different application.
Correct me if I'm wrong here but it looks like you trade the same-user bind protection for protection of user error in this case.
It seems like an edge case scenario that some other (malicious) user on the same machine would try to abuse a reused port to intercept or alter traffic. Given that L2TPv3 is not encrypted or authenticated anyway. So this is a sensible trade-off in my eyes.
I don't know if I have an immediate need to switch the current implementation over to SO_REUSEADDR
but I'm sure it would be a quick thing to do anyway.
In any case I'm looking forward to playing with fastd's implementation as I love the idea of flexibility in selecting L2TP as an option if I require speed over security.
from tunneldigger.
Correct me if I'm wrong here but it looks like you trade the same-user bind protection for protection of user error in this case.
It seems like an edge case scenario that some other (malicious) user on the same machine would try to abuse a reused port to intercept or alter traffic.
This is correct. If running on the same machine as untrusted users, only using low ports for L2TP would mitigate the issue.
from tunneldigger.
So, we (freifunk berlin) have been trying to use the NAT-removed version and have run into some strange issues. It seems like if an in-between router which is also doing NAT (perhaps with an older kernel) then the post-NAT-removal doesn't work and the tunnels time out. It's stange because it works for some people, and not for others. And the only difference we can find is in the router in-between. For example, it works with a recent openwrt image just fine, but with a fritz 7590 with firware 7.50 it doesn't
We have reverted to 7c467e6
from tunneldigger.
Sounds like an issue unrelated to this Kernel bug, possibly in the NAT implementation of the faulty routers.
In any case, it would probably be best to open a separate issue and attach some debugging information so the issue can be looked into. Good debugging info would be excerpts of the conntrack table from affected routers or maybe even packet captures.
from tunneldigger.
Related Issues (20)
- [Docs] max_tunnels HOT 3
- Failed to send() control packet HOT 5
- High CPU load due to a single misbehaving client HOT 2
- Change rate limiting to be per-UUID HOT 1
- No releases since 2017? HOT 3
- The client can get stuck in a high-frequency retry loop despite working brokers HOT 10
- TC/Traffic Control: Error: Invalid handle. HOT 1
- Review CI Tooling HOT 19
- Newer Kernels log error "recv short packet" for every broker packet HOT 7
- How does tunneldigger work compared to l2tp? HOT 5
- TC/Traffic Control does not always work HOT 1
- Proposal: Broker usage check on reconnect
- tunneldigger-broker: connection fails with `Error: Invalid handle.` HOT 3
- Silence `tc` output when `ignore_fails` is true
- teardown script crashes tunneldigger-broker HOT 5
- broker throwing OSError on creation of timers HOT 1
- Frequent reconnection of clients HOT 70
- setup.py is deprecated HOT 4
- Broker: Wait for interface to have an IP before listening HOT 2
- Update CI to ubuntu-22.04
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from tunneldigger.