Re: [Dnsmasq-discuss] [PATCH] Fix DHCPv4 reply via --bridge-interface alias interface
That seems quite straightforward. Thanks. Patch applied without change.

Cheers,

Simon.

On 08/04/16 19:27, Neil Jerram wrote:
> I'm sorry not to have noticed this before now, but I just spotted that
> DHCPv4 handling via --bridge-interface interfaces was broken between
> v2.72 and v2.73. My further analysis and fix are in the attached patch.
>
> Regards,
> Neil
>
> ___
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] Too many logs produced when using a lot of “server=/domain/nameserver” config entries
I just committed some code to limit these logs, if there are more than
30 servers, only the first 30 are logged, followed by a single line
which gives the number not logged. The 30 was a reasonable default, it's
changeable in src/config.h.

Does that seem like a good solution?

Cheers,

Simon.

On 12/04/16 14:58, s wrote:
> Hello,
>
> In China some of us use dnsmasq to resolve all domestic domains from
> local nameservers, but anything else from other more secure
> nameservers, e.g. via VPN tunnel or dnscrypt. We have a list of 20k+
> local domains, which is translated into 20k+ lines of config file[1].
>
> Dnsmasq works just fine in this configuration. Memory footprint and
> query speed are still very good. But it produces too many logs. In fact
> it produces a log entry for each of these “server=/.../.../” lines
> every time it starts/reloads. The logs look like
>
>> using nameserver 223.6.6.6#53 for domain youxiwangguo.com
>
> I have gone through doc and source code, but there is no option to
> disable these logs. I can filter the logs, but it is not very ideal,
> and I will have to do that for both rsyslog and journald.
>
> Can dnsmasq itself make some changes or add a config option to
> disable/reduce these logs?
>
> 1. https://github.com/felixonmars/dnsmasq-china-list
>
> See also https://github.com/felixonmars/dnsmasq-china-list/issues/124,
> which I reported.
>
> Best regards,
> sopium
Re: [Dnsmasq-discuss] dhcpv6 server hangs while dhcp server and RAs continue normally
On 01/05/16 20:46, James Feeney wrote:
> Arch Linux
> dnsmasq 2.75-1
> linux 4.5.2-1
>
> I mentioned about two weeks ago, the dnsmasq dhcpv6 server will just
> stop responding after running normally for a while. There have been no
> comments that I have seen. Any thoughts? Is there a way to dump the
> state of the dhcpv6 server? Should I not be using dnsmasq as a dhcpv6
> server? Simon?

Difficult to know how to respond to this. You're the first person to
report anything of this nature, so unless you can find a way to
reproduce it, there's not an obvious way forward.

Best would be a procedure to trigger the problem. Failing that, if it
happens frequently enough to be practical, I can suggest some ways of
getting some state out of the system. First line of attack would be run
strace on the running process, to see what syscalls it's making. That
would tell us if it's getting DHCPv6 packets, and if it's answering
them.

Cheers,

Simon.
Re: [Dnsmasq-discuss] Dnsmasq 2.75 on Ubuntu 16.04 crashes reproducibly
04.05.2016 00:02, Albert ARIBAUD wrote:
> Hi Alexander,
>
> On Tue, 3 May 2016 22:56:45 +0500, "Alexander E. Patrakov" wrote:
>
>> 03.05.2016 22:28, Albert ARIBAUD wrote:
>>> Hi Alexander,
>>>
>>> On Tue, 3 May 2016 21:45:00 +0500, "Alexander E. Patrakov" wrote:
>>>
>>>> 2016-05-03 20:37 GMT+05:00 Simon Kelley:
>>>>> I'm pretty sure that this is fixed in the current code.
>>>>
>>>> It is indeed fixed in git! But distributions (including Ubuntu and
>>>> Arch) are still distributing a vulnerable version and are probably
>>>> unaware of it. Could you please apply for a CVE ID (if it doesn't
>>>> already exist) so that they fix their packages?
>>>
>>> A CVE ID? For a crash caused by a specific local name record which
>>> clashes with the public one? What's the vulnerability or exposure
>>> here?
>>
>> This is actually crashable by querying any CNAME that points to
>> localhost.localdomain, given that upstream is 8.8.8.8, because
>> localhost.localdomain nearly universally exists in /etc/hosts as ::1,
>> and 8.8.8.8 doesn't have an entry for it. So this is a security
>> issue.
>
> I am still not seeing what the *security* issue is. How can this
> problem be *exploited* in order to cause a DoS or compromise a host for
> instance?

The only security issue here is a DoS.

There are systems like antispam filters that resolve e.g. domains found
in email messages. Also there are browsers that resolve names in order
to e.g. display iframes for ads. So it is possible for a third party
("hacker"), by sending an email to an email server or showing a bad ad
to the user, to cause his antispam client or browser to try to resolve a
domain of hacker's choice for an record. If this name happens to be a
CNAME that points to localhost.localdomain., then dnsmasq (which was
supposed to give the DNS answer to the antispam or the browser) gets
crashed.

Or just consider a dnsmasq shared between several users. One of them
tries to resolve an record for some name (which is actually a CNAME
pointing to localhost.localdomain.), and crashes dnsmasq, thus causing
irritation to other users until the admin restarts dnsmasq.

--
Alexander E. Patrakov
Re: [Dnsmasq-discuss] Dnsmasq 2.75 on Ubuntu 16.04 crashes reproducibly
Hi Alexander,

On Tue, 3 May 2016 22:56:45 +0500, "Alexander E. Patrakov" wrote:

> 03.05.2016 22:28, Albert ARIBAUD wrote:
> > Hi Alexander,
> >
> > On Tue, 3 May 2016 21:45:00 +0500, "Alexander E. Patrakov" wrote:
> >
> >> 2016-05-03 20:37 GMT+05:00 Simon Kelley:
> >>> I'm pretty sure that this is fixed in the current code.
> >>
> >> It is indeed fixed in git! But distributions (including Ubuntu and
> >> Arch) are still distributing a vulnerable version and are probably
> >> unaware of it. Could you please apply for a CVE ID (if it doesn't
> >> already exist) so that they fix their packages?
> >
> > A CVE ID? For a crash caused by a specific local name record which
> > clashes with the public one? What's the vulnerability or exposure
> > here?
>
> This is actually crashable by querying any CNAME that points to
> localhost.localdomain, given that upstream is 8.8.8.8, because
> localhost.localdomain nearly universally exists in /etc/hosts as ::1,
> and 8.8.8.8 doesn't have an entry for it. So this is a security
> issue.

I am still not seeing what the *security* issue is. How can this
problem be *exploited* in order to cause a DoS or compromise a host for
instance?

Cordially,
--
Albert.
Re: [Dnsmasq-discuss] Dnsmasq 2.75 on Ubuntu 16.04 crashes reproducibly
Hi Alexander,

On Tue, 3 May 2016 21:45:00 +0500, "Alexander E. Patrakov" wrote:

> 2016-05-03 20:37 GMT+05:00 Simon Kelley:
> > I'm pretty sure that this is fixed in the current code.
>
> It is indeed fixed in git! But distributions (including Ubuntu and
> Arch) are still distributing a vulnerable version and are probably
> unaware of it. Could you please apply for a CVE ID (if it doesn't
> already exist) so that they fix their packages?

A CVE ID? For a crash caused by a specific local name record which
clashes with the public one? What's the vulnerability or exposure here?

Besides, one cannot burden the author of some software with the task of
making sure it is up to date in distros -- unless of course he happens
to also be the package manager for some given distro, in which case he
could be held responsible for keeping that distro up to date. In the
general case, some user (you for instance) should open a bug report
(not a CVE) to get the package updated.

Cordially,
--
Albert.
Re: [Dnsmasq-discuss] IPv6 dhcp strangeness
And then a little later:

Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 available DHCP range: 192.168.219.2 -- 192.168.219.253
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 vendor class: MSFT 5.0
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 user class: RRAS.Microsoft
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 client provides name: Kermit.darbyshire-bryant.me.uk
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 DHCPREQUEST(br-lan) 192.168.219.4 e0:3f:49:a1:d4:aa
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: abandoning lease to e0:3f:49:a1:d4:aa of 192.168.219.4
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 tags: lan, known, br-lan
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 DHCPACK(br-lan) 192.168.219.4 e0:3f:49:a1:d4:aa kermit
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 requested options: 1:netmask, 15:domain-name, 3:router, 6:dns-server,
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 requested options: 44:netbios-ns, 46:netbios-nodetype, 47:netbios-scope,
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 requested options: 31:router-discovery, 33:static-route, 121:classless-static-route,
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 requested options: 249, 43:vendor-encap
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 next server: 192.168.219.1
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 broadcast response
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 sent size: 1 option: 53 message-type 5
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 sent size: 4 option: 54 server-identifier 192.168.219.1
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 sent size: 4 option: 51 lease-time 12h
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 sent size: 4 option: 58 T1 6h
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 sent size: 4 option: 59 T2 10h30m
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 sent size: 4 option: 1 netmask 255.255.255.0
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 sent size: 4 option: 28 broadcast 192.168.219.255
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 sent size: 4 option: 3 router 192.168.219.1
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 sent size: 4 option: 6 dns-server 192.168.219.1
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 sent size: 23 option: 15 domain-name darbyshire-bryant.me.uk
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 sent size: 33 option: 81 FQDN 03:ff:ff:6b:65:72:6d:69:74:2e:64:61:72:62...
Tue May 3 18:43:58 2016 daemon.info dnsmasq-dhcp[2862]: 3895499820 sent size: 4 option: 44 netbios-ns 192.168.219.1

What the hell is this box doing?! :-/

Kevin

On 02/05/2016 17:24, Simon Kelley wrote:
> On 30/04/16 11:32, Kevin Darbyshire-Bryant wrote:
>> Further clues maybe: So initially when kermit comes up it grabs an
>> IPv4 address and I see this entry in dnsmasq's lease database:
>> 1462055024 e0:3f:49:a1:d4:aa 192.168.219.4 Kermit 01:e0:3f:49:a1:d4:aa
>>
>> Which looks pretty normal to me. Then a little while later, presumably
>> after a dhcpv6 request it gets changed to
>> 1462055060 e0:3f:49:a1:d4:aa 192.168.219.4 Kermit 01:52:41:53:20:e0:3f:49:a1:d4:aa:00:00:09:00:00:00
>>
>> There are also syslog messages of "abandoning lease to
>> e0:3f:49:a1:d4:aa of 192.168.219.4" which I don't get at all.
>>
>>
> Are you dual-booting Kermit, or netbooting it, or doing anything else
> which may cause it to run more than one DHCP client? From the
> information given it looks like the host with MAC address
> e0:3f:49:a1:d4:aa is presenting two different client-ids at different
> times. Since client-id trumps MAC address as a unique host identifier,
> that could explain what's going on. (the client-id is the last field in
> the leases database).
>
> Setting log-dhcp and posting the logs showing this sort of thing
> happening would be useful.
>
> Cheers,
>
> Simon.
>
>
>>
>> On 29/04/16 12:27, Kevin Darbyshire-Bryant wrote:
>>> Hi All,
>>>
>>>
>>> I've just noticed some strange/different behaviour with regard to
>>> dhcpv6 address allocation. I've a couple of 'internal' machines that
>>> I'd like to have fixed ip addresses. To that end, and it used to work
>>> I've got lines similar to:
>>> dhcp-host=E0:3F:49:A1:D4:AA,192.168.219.4,[::0:4],Kermit - In theory
>>> kermit gets 192.168.219.4 and the ipv6 address 'constructed prefix::0:4'
>>>
>>>
>>> Instead, these lines appear to be partially ignored with the host
>>> getting the usual pseudo random address constructed from the ipv6
>>> prefix/range. An nslookup pointing to dnsmasq does
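
An added example, not part of the messages above and not dnsmasq code: it compares the client-id (the last field) across the two lease lines quoted in this message and flags a MAC address that presents more than one. It assumes the five-field DHCPv4 lease layout shown in the thread; the function names are made up for this example.

```python
"""Flag MAC addresses that appear with more than one DHCPv4 client-id
across snapshots of a dnsmasq lease file."""

# The two lease lines quoted in the thread, in the order they were seen.
# Fields: expiry, MAC, IPv4 address, hostname, client-id.
SNAPSHOTS = [
    "1462055024 e0:3f:49:a1:d4:aa 192.168.219.4 Kermit 01:e0:3f:49:a1:d4:aa",
    "1462055060 e0:3f:49:a1:d4:aa 192.168.219.4 Kermit "
    "01:52:41:53:20:e0:3f:49:a1:d4:aa:00:00:09:00:00:00",
]


def parse_lease(line):
    """Parse one DHCPv4 lease line; return None for anything else
    (the 'duid' line, DHCPv6 leases, blank or damaged lines)."""
    parts = line.split()
    if len(parts) != 5 or not parts[0].isdigit() or parts[1].count(":") != 5:
        return None
    expiry, mac, ip, name, client_id = parts
    return {
        "expiry": int(expiry),
        "mac": mac.lower(),
        "ip": ip,
        "name": name,
        # "*" in the last field means the client sent no client-id.
        "client_id": None if client_id == "*" else client_id.lower(),
    }


def find_client_id_changes(lines):
    """Return {mac: [client-ids in order first seen]} for every MAC that
    presented more than one distinct client-id."""
    seen = {}
    for line in lines:
        lease = parse_lease(line)
        if lease is None or lease["client_id"] is None:
            continue
        ids = seen.setdefault(lease["mac"], [])
        if lease["client_id"] not in ids:
            ids.append(lease["client_id"])
    return {mac: ids for mac, ids in seen.items() if len(ids) > 1}


def ascii_hint(client_id, mac):
    """Printable ASCII between the first byte of the client-id and an
    embedded copy of the MAC; empty string if there is none."""
    octets = client_id.lower().split(":")
    mac_octets = mac.lower().split(":")
    for start in range(1, len(octets) - len(mac_octets) + 1):
        if octets[start:start + len(mac_octets)] == mac_octets:
            prefix = bytes(int(o, 16) for o in octets[1:start])
            return "".join(chr(b) for b in prefix if 32 <= b < 127)
    return ""


def report(lines):
    """One text line per client-id of each MAC that changed identity."""
    out = []
    for mac, ids in find_client_id_changes(lines).items():
        for cid in ids:
            hint = ascii_hint(cid, mac)
            note = f" (ASCII before MAC: {hint!r})" if hint else ""
            out.append(f"{mac} client-id {cid}{note}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SNAPSHOTS)))
```

For the second lease line the bytes between the first byte and the embedded MAC decode to "RAS ", and the 18:43:58 request logged above carries user class RRAS.Microsoft.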
Re: [Dnsmasq-discuss] Using nftables internal "ipset" rule
I think the way to go with this may be to use the libnftnl library.

http://netfilter.org/projects/libnftnl/index.html

Unfortunately, there doesn't appear to be any documentation for that
(or the underlying netlink API).

I guess that the answer to your question is that it would be a good
idea to include nftables support, but it's not trivial to do, and I
don't have the expertise or time to do it at the moment. If someone
knows how to do this, and makes a patch, I'd certainly accept it.

Cheers,

Simon.

On 28/04/16 22:29, Ronaldo Afonso wrote:
> Hi,
>
> I'm using the "ipset" feature of dnsmasq with iptables and it's working
> perfectly.
>
> The thing is ... now I need to change my firewall to nftables and I
> just found that nftables is not able to access an "external ipset set".
> The nftables has its own kind of "internal ipset set of rules".
>
> I know that dnsmasq uses a netlink socket to insert ipset rules inside
> the linux kernel netfilter subsystem.
>
> So I was wondering if it is so complicated to use that same netlink
> socket to include "dnsmasq ipset rules" directly in the "nftables rule
> set" instead of in an "external ipset set".
>
> Something like this: nft add element filter ip_writelist { some_ip_address }
>
> Of course the "nftable ipset rule" must already be created. Just like
> an external ipset rule.
>
> Would it be a nice feature since nftables seems to be far from
> supporting an external ipset rule?
>
> Thanks ...
Re: [Dnsmasq-discuss] IPv6 dhcp strangeness
Hi Simon,

Thanks for getting back to me. Kermit is a Windows Home Server box and
is definitely not net or dual booted. Here's the relevant 'log dhcp'
extract from a clean boot of it.

dhcp-host=id:00:01:00:01:1b:75:4c:36:e0:3f:49:a1:d4:aa,[::4],Kermit
dhcp-host=E0:3F:49:A1:D4:AA,192.168.219.4,kermit

Before booting:

nslookup kermit
nslookup: can't resolve '(null)': Name does not resolve
Name: kermit
Address 1: 2001:470:183f:da2b::4 kermit.darbyshire-bryant.me.uk
Address 2: 192.168.219.4 kermit.darbyshire-bryant.me.uk

No entries in dhcp.leases.

Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 available DHCP range: 192.168.219.2 -- 192.168.219.253
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 vendor class: MSFT 5.0
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 client provides name: Kermit
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 DHCPREQUEST(br-lan) 192.168.219.4 e0:3f:49:a1:d4:aa
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 tags: lan, known, br-lan
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 DHCPACK(br-lan) 192.168.219.4 e0:3f:49:a1:d4:aa kermit
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 requested options: 1:netmask, 15:domain-name, 3:router, 6:dns-server,
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 requested options: 44:netbios-ns, 46:netbios-nodetype, 47:netbios-scope,
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 requested options: 31:router-discovery, 33:static-route, 121:classless-static-route,
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 requested options: 249, 43:vendor-encap
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 next server: 192.168.219.1
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 broadcast response
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 sent size: 1 option: 53 message-type 5
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 sent size: 4 option: 54 server-identifier 192.168.219.1
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 sent size: 4 option: 51 lease-time 12h
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 sent size: 4 option: 58 T1 6h
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 sent size: 4 option: 59 T2 10h30m
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 sent size: 4 option: 1 netmask 255.255.255.0
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 sent size: 4 option: 28 broadcast 192.168.219.255
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 sent size: 4 option: 3 router 192.168.219.1
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 sent size: 4 option: 6 dns-server 192.168.219.1
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 sent size: 23 option: 15 domain-name darbyshire-bryant.me.uk
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 sent size: 33 option: 81 FQDN 03:ff:ff:6b:65:72:6d:69:74:2e:64:61:72:62...
Tue May 3 18:40:57 2016 daemon.info dnsmasq-dhcp[2862]: 1035611837 sent size: 4 option: 44 netbios-ns 192.168.219.1
Tue May 3 18:40:58 2016 daemon.info dnsmasq-dhcp[2862]: 9972055 available DHCP range: 2001:470:183f:da2b::2 -- 2001:470:183f:da2b:::
Tue May 3 18:40:58 2016 daemon.info dnsmasq-dhcp[2862]: 9972055 vendor class: 311
Tue May 3 18:40:58 2016 daemon.info dnsmasq-dhcp[2862]: 9972055 DHCPCONFIRM(br-lan) 00:01:00:01:1b:75:4c:36:e0:3f:49:a1:d4:aa
Tue May 3 18:40:58 2016 daemon.info dnsmasq-dhcp[2862]: 9972055 DHCPREPLY(br-lan) 2001:470:183f:da2b::9f93:7b6a 00:01:00:01:1b:75:4c:36:e0:3f:49:a1:d4:aa Kermit
Tue May 3 18:40:58 2016 daemon.info dnsmasq-dhcp[2862]: 9972055 tags: known, dhcpv6, br-lan
Tue May 3 18:40:58 2016 daemon.info dnsmasq-dhcp[2862]: 9972055 sent size: 14 option: 1 client-id 00:01:00:01:1b:75:4c:36:e0:3f:49:a1:d4:aa
Tue May 3 18:40:58 2016 daemon.info dnsmasq-dhcp[2862]: 9972055 sent size: 14 option: 2 server-id 00:01:00:01:1e:b7:72:d8:14:cc:20:be:89:33
Tue May 3 18:40:58 2016 daemon.info dnsmasq-dhcp[2862]: 9972055 sent size: 29 option: 13 status 0 all addresses still on link

Only Entry in dhcp.leases related to kermit

1462340457 e0:3f:49:a1:d4:aa 192.168.219.4 kermit 01:e0:3f:49:a1:d4:aa

Kermit thinks it has 2001:470:183f:da2b::9f93:7b6a as per the dhcp
reply, which is fair enough but I don't understand why the UID was
ignored. Also, nslookup replies from dnsmasq still only return the
configured addresses for kermit and no sign of the dhcpv6 allocated one.

Ideas?

Kevin

On 02/05/2016 17:24, Simon Kelley wrote:
> On 30/04/16 11:32, Kevin Darbyshire-Bryant wrote:
>> Further clues maybe: So initially when kermit comes up it grabs an IPv4
>> address and I see this entry in dnsmasq's lease
Re: [Dnsmasq-discuss] Dnsmasq 2.75 on Ubuntu 16.04 crashes reproducibly
03.05.2016 22:28, Albert ARIBAUD wrote:
> Hi Alexander,
>
> On Tue, 3 May 2016 21:45:00 +0500, "Alexander E. Patrakov" wrote:
>
>> 2016-05-03 20:37 GMT+05:00 Simon Kelley:
>>> I'm pretty sure that this is fixed in the current code.
>>
>> It is indeed fixed in git! But distributions (including Ubuntu and
>> Arch) are still distributing a vulnerable version and are probably
>> unaware of it. Could you please apply for a CVE ID (if it doesn't
>> already exist) so that they fix their packages?
>
> A CVE ID? For a crash caused by a specific local name record which
> clashes with the public one? What's the vulnerability or exposure
> here?

This is actually crashable by querying any CNAME that points to
localhost.localdomain, given that upstream is 8.8.8.8, because
localhost.localdomain nearly universally exists in /etc/hosts as ::1,
and 8.8.8.8 doesn't have an entry for it. So this is a security issue.

--
Alexander E. Patrakov