Date:	Sun, 10 Dec 2006 22:48:48 -0800 (PST)
From:	David Miller <davem@...emloft.net>
To:	weid@...jing-fnst.com
Cc:	netdev@...r.kernel.org
Subject: Re: [patch] Fix SNMPv2 "ipOutNoRoutes" counter error

From: weidong <weid@...jing-fnst.com>
Date: Tue, 05 Dec 2006 11:49:46 -0500

> Hi All:
>     When I tested linux kernel 2.6.18.3, I found that kernel statistics
> about IPSTATS_MIB_OUTNOROUTES which exists in file /proc/net/snmp
> doesn't increase correctly.  The criteria conform to RFC2011:
> 
>   ipOutNoRoutes OBJECT-TYPE
>     SYNTAX      Counter32
>     MAX-ACCESS  read-only
>     STATUS      current
>     DESCRIPTION
>             "The number of IP datagrams discarded because no route could
>             be found to transmit them to their destination.  Note that
>             this counter includes any packets counted in ipForwDatagrams
>             which meet this `no-route' criterion.  Note that this
>             includes any datagrams which a host cannot route because all
>             of its default routers are down."
>     ::= { ip 12 }
> 
> When a host received an IP packet, but the destination address is not
> this host. The kernel just discards the IP packet but with no increment
> for this counter.
> 
> When a router received an IP packet that this router can't forward due
> to no route found. Kernel just simply invokes ip_error(), and sends ICMP
> packet. Also does nothing for this counter.
> 
> Signed-off-by: Wei Dong <weid@...jing-fnst.com>

Hosts which have forwarding disabled, are not forwarding and
therefore not routing in the sense being described here.

So bumping this counter when the ip_forward sysctl is "0" makes
no sense.

We are not even getting to the "output" path when the route lookup
fails in ip_rcv_finish().  This means this silly SNMP "output" route
failed counter will get bumped like crazy when promiscuous mode is
enabled on an interface, and that makes zero sense.

This patch, at least in its current form, is not correct.
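
An added example, not part of the original message or of the patch under discussion: a Python parser for the /proc/net/snmp layout that reports the OutNoRoutes change between two snapshots together with the Forwarding flag, so whoever reads the counter can see whether the machine was routing at all. The sample snapshots and the function names are constructed for illustration.

```python
# Constructed sample data in the /proc/net/snmp layout (a header line, then a
# value line, per protocol). The numbers are made up for illustration.
HEADER = ("Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors "
          "ForwDatagrams InUnknownProtos InDiscards InDelivers OutRequests "
          "OutDiscards OutNoRoutes\n")
ICMP = "Icmp: InMsgs InErrors\nIcmp: 10 0\n"
SAMPLE_BEFORE = HEADER + "Ip: 2 64 1000 0 3 0 0 0 990 800 0 5\n" + ICMP
SAMPLE_AFTER = HEADER + "Ip: 2 64 1500 0 40 0 0 0 1450 900 0 9\n" + ICMP


def parse_snmp(text):
    """Return {protocol: {field: int}} from /proc/net/snmp-style text."""
    lines = [line for line in text.splitlines() if line.strip()]
    if len(lines) % 2:
        raise ValueError("expected header/value line pairs")
    tables = {}
    for header, values in zip(lines[0::2], lines[1::2]):
        proto, names = header.split(":", 1)
        vproto, nums = values.split(":", 1)
        names, nums = names.split(), nums.split()
        # Each value line must carry the same prefix and field count as its header.
        if proto != vproto or len(names) != len(nums):
            raise ValueError(f"malformed block for {proto!r}")
        tables[proto] = dict(zip(names, map(int, nums)))
    return tables


def out_no_routes_report(before, after):
    """Compare two snapshots and report the OutNoRoutes change with context."""
    b, a = parse_snmp(before)["Ip"], parse_snmp(after)["Ip"]
    delta = a["OutNoRoutes"] - b["OutNoRoutes"]
    return {
        # ipForwarding: 1 = forwarding (router), 2 = not forwarding (host)
        "forwarding": a["Forwarding"] == 1,
        "out_no_routes_delta": delta,
        "counter_reset": delta < 0,  # counter went backwards between reads
    }


if __name__ == "__main__":
    print(out_no_routes_report(SAMPLE_BEFORE, SAMPLE_AFTER))
```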