From: Paolo Abeni <pab...@redhat.com> Date: Thu, 28 Sep 2017 15:51:35 +0200
> Currently the early demux callbacks do not perform source address validation.
> This is not an issue for TCP or UDP unicast, where the early demux
> is only allowed for connected sockets and the source address is validated
> for the first packet and never changes.
>
> The UDP protocol currently allows early demux also for unconnected multicast
> sockets, and we are not currently doing any validation for them after
> the first packet lands on the socket: beyond ignoring the rp_filter - if
> enabled - any kind of martian sources are also allowed.
>
> This series addresses the issue by allowing the early demux callback to return an
> error code, and performing the proper checks for unconnected UDP multicast
> sockets before leveraging the rx dst cache.
>
> Alternatively we could disable the early demux for unconnected mcast sockets,
> but that would cause a relevant performance regression - around 50% - while with
> this series, with full rp_filter in place, we keep the regression to a more
> moderate level.

Series applied and queued up for -stable, thanks.
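The flaw the cover letter describes, as an added userspace model that is not part of the series or of the kernel's own code: a per-socket cached rx dst on an unconnected multicast socket, a "before" delivery path that trusts the cache and skips source checks on every packet after the first, and an "after" path in which the early demux step can reject a packet, so the martian-source and reverse-path checks run before the cache is used. The routing table, the `is_martian_src` prefix list, the `rp_filter_ok` longest-prefix lookup and the packet sequence in `run_scenario` are all constructed for this example and simplify what the kernel does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Build a host-order IPv4 address from four octets (helper for the constructed scenario). */
uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Simplified martian-source test: addresses that must never appear as a unicast sender. */
bool is_martian_src(uint32_t s) {
    if ((s >> 24) == 0)   return true;   /* 0.0.0.0/8                         */
    if ((s >> 24) == 127) return true;   /* 127.0.0.0/8 loopback              */
    if ((s >> 28) == 0xE) return true;   /* 224.0.0.0/4 multicast as a source */
    if ((s >> 28) == 0xF) return true;   /* 240.0.0.0/4 reserved + broadcast  */
    return false;
}

/* Toy routing table entry: prefix/plen reachable through ifindex (constructed, not the kernel FIB). */
struct route { uint32_t prefix; int plen; int ifindex; };

/* Reverse-path check: the best route back to src must leave via the ingress interface. */
bool rp_filter_ok(const struct route *rt, size_t n, uint32_t src, int in_if) {
    int best_len = -1, best_if = -1;
    for (size_t i = 0; i < n; i++) {
        uint32_t mask = rt[i].plen == 0 ? 0u : ~0u << (32 - rt[i].plen);
        if ((src & mask) == (rt[i].prefix & mask) && rt[i].plen > best_len) {
            best_len = rt[i].plen;
            best_if  = rt[i].ifindex;
        }
    }
    return best_if == in_if;
}

/* Model of an unconnected multicast UDP socket holding a cached rx dst after its first packet. */
struct mcast_sock { bool have_cache; int cached_if; unsigned packets_accepted; };

/* Host policy handed to the delivery paths. */
struct ctx { const struct route *rt; size_t n; bool rp_filter; };

enum verdict { VERDICT_ACCEPT, VERDICT_DROP };

/* The checks a full route lookup performs on the first packet. */
static bool source_ok(const struct ctx *c, uint32_t src, int in_if) {
    if (is_martian_src(src)) return false;
    if (c->rp_filter && !rp_filter_ok(c->rt, c->n, src, in_if)) return false;
    return true;
}

/* Before the series (model): a cache hit short-circuits delivery, so later packets are never validated. */
enum verdict deliver_unvalidated(struct mcast_sock *sk, const struct ctx *c, uint32_t src, int in_if) {
    if (sk->have_cache) { sk->packets_accepted++; return VERDICT_ACCEPT; }
    if (!source_ok(c, src, in_if)) return VERDICT_DROP;
    sk->have_cache = true; sk->cached_if = in_if;
    sk->packets_accepted++;
    return VERDICT_ACCEPT;
}

/* After the series (model): early demux may fail with an error, so the cache is used only once the source passes. */
enum verdict deliver_validated(struct mcast_sock *sk, const struct ctx *c, uint32_t src, int in_if) {
    if (!source_ok(c, src, in_if)) return VERDICT_DROP;
    if (!sk->have_cache) { sk->have_cache = true; sk->cached_if = in_if; }
    sk->packets_accepted++;
    return VERDICT_ACCEPT;
}

/* Constructed scenario: one legitimate packet, then a loopback-sourced packet, then a packet whose
 * source belongs behind a different interface. Returns how many packets reached the socket. */
unsigned run_scenario(bool validated) {
    static const struct route table[] = {
        { 0, 0, 3 },                       /* default route via if 3        */
        { 0x0A000000u, 8, 1 },             /* 10.0.0.0/8      via if 1      */
        { 0xC0A80000u, 16, 2 },            /* 192.168.0.0/16  via if 2      */
    };
    struct ctx c = { table, sizeof table / sizeof table[0], true };
    struct mcast_sock sk = { false, 0, 0 };
    struct { uint32_t src; int in_if; } pkts[] = {
        { ip4(10, 0, 0, 5), 1 },           /* valid: 10/8 is reached via if 1   */
        { ip4(127, 0, 0, 1), 1 },          /* martian source                    */
        { ip4(10, 0, 0, 7), 2 },           /* rp_filter failure: arrives on if 2 */
    };
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        if (validated) deliver_validated(&sk, &c, pkts[i].src, pkts[i].in_if);
        else           deliver_unvalidated(&sk, &c, pkts[i].src, pkts[i].in_if);
    }
    return sk.packets_accepted;
}

int main(void) {
    printf("accepted without validation: %u\n", run_scenario(false));
    printf("accepted with validation:    %u\n", run_scenario(true));
    return 0;
}
```

With the cache trusted blindly, the two bad packets ride in behind the first good one; with validation ahead of the cache, only the first packet is delivered, which is the behaviour the series restores for unconnected multicast sockets at a fraction of the cost of disabling early demux outright.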