lists.openwall.net - Open Source and information security mailing list archives
Date: Tue, 21 Oct 2008 14:06:48 +0200
From: Ferenc Wagner <wferi@...f.hu>
To: netdev@...r.kernel.org
Cc: wferi@...f.hu
Subject: IP-less bridge as a martian source

Hi,

I expected an IP-less bridge interface to pick up no IP packets, but
apparently this isn't the case: broadcast packets with destination
address 255.255.255.255 are reported as martians by the 2.6.18 kernel,
which I find counterintuitive (I know 2.6.18 is rather old, but that's
the one supported by Xen).

1. Is this the expected behaviour?

2. I tried to cut down the logs by explicit iptables drops, but didn't
   succeed. Does martian detection happen before the netfilter rules?
   (I know I can disable martian logging by interface, but wanted finer
   granularity.)

If somebody could also enlighten me on the following, I'd be very
grateful.

My setup consists of two Xen hosts, both with two physical Ethernet
interfaces aggregated into active-backup bonds. There are several .1q
VLAN interfaces built on the bonds, which are put into per-VLAN
bridges. The virtual interfaces of the Xen guest machines are also put
into these bridges, so each virtual interface sees the native traffic
of the corresponding VLAN. In a specific scenario, I've got two guests
running on different hosts, connecting to VLAN 891:

xen2:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br891           8000.00065b8e7272       no              vlan891
                                                        vif5.0

xen1:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br891           8000.00065b8e71d5       no              vif12.0
                                                        vlan891

If I issue the ping -c1 -b 255.255.255.255 on either Xen guest
(remember, they are running on different hosts), the xen2 host logs one
martian packet "on dev br891", while the xen1 host logs two!

3. Can anybody explain this? :)

I'm experiencing other strange things (like ARP replies sometimes not
getting through the bridges), but let's start with the above...

(Please Cc me, I'm not on the list.)
-- 
Thanks, Feri.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
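The message above is about counting and attributing the "martian source" entries the kernel writes when log_martians is on. The following is an added example (not part of Feri's mail or of the kernel tree) showing how a defender can triage such logs before deciding whether to touch the per-interface log_martians setting. It parses the two lines the kernel emits per martian packet, the "martian source A from B, on dev X" line and the "ll header:" line that follows it, pairs them, and pulls the sender's MAC out of the link-layer header so that the count per host, interface and sender becomes visible. The log lines below are constructed for the example (the hostnames xen1/xen2 and dev br891/vlan891 follow the mail; the timestamps, IP addresses and MAC addresses are made up), and the header decoding assumes plain Ethernet framing (6-byte destination MAC, 6-byte source MAC, 2-byte EtherType).

```python
import re
from collections import Counter

# Constructed sample of a syslog-style kernel log. The message text
# follows what the kernel's martian-source handler prints; the hosts,
# times, IPs and MACs are invented for this example.
SAMPLE_LOG = """\
Oct 21 13:52:01 xen1 kernel: martian source 255.255.255.255 from 10.89.1.12, on dev br891
Oct 21 13:52:01 xen1 kernel: ll header: ff:ff:ff:ff:ff:ff:00:16:3e:01:02:03:08:00
Oct 21 13:52:01 xen1 kernel: martian source 255.255.255.255 from 10.89.1.12, on dev br891
Oct 21 13:52:01 xen1 kernel: ll header: ff:ff:ff:ff:ff:ff:00:16:3e:01:02:03:08:00
Oct 21 13:52:04 xen2 kernel: martian source 255.255.255.255 from 10.89.1.12, on dev br891
Oct 21 13:52:04 xen2 kernel: ll header: ff:ff:ff:ff:ff:ff:00:16:3e:01:02:03:08:00
Oct 21 13:53:10 xen1 kernel: martian source 10.89.1.1 from 172.16.0.9, on dev vlan891
Oct 21 13:53:10 xen1 kernel: ll header: 00:06:5b:8e:71:d5:00:16:3e:0a:0b:0c:08:00
"""

# First line of each pair: who sent what to where, on which interface.
MARTIAN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)$"
)
# Second line of each pair: the raw link-layer header as colon-separated hex.
LLHDR_RE = re.compile(r"kernel: ll header: (?P<hdr>[0-9a-fA-F:]+)$")


def parse_martians(log_text):
    """Return one record per martian packet.

    Each 'martian source' line starts a record; the 'll header' line that
    follows it (if any) supplies the sender MAC. Assumes Ethernet framing:
    bytes 0-5 destination MAC, 6-11 source MAC, 12-13 EtherType.
    """
    records = []
    pending = None
    for line in log_text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            pending = m.groupdict()
            pending["src_mac"] = None
            records.append(pending)
            continue
        h = LLHDR_RE.search(line)
        if h and pending is not None:
            octets = h.group("hdr").split(":")
            if len(octets) >= 12:
                pending["src_mac"] = ":".join(o.lower() for o in octets[6:12])
            pending = None  # a header line closes the pair
    return records


def summarize(records):
    """Count martians per (host, dev, source IP, source MAC).

    This is the view that answers "which host logs how many, and from
    which sender" before any logging or filtering change is made.
    """
    return Counter(
        (r["host"], r["dev"], r["src"], r["src_mac"]) for r in records
    )


def per_host_and_dev(records):
    """Coarser view: how many martians each (host, dev) pair logged."""
    return Counter((r["host"], r["dev"]) for r in records)


if __name__ == "__main__":
    recs = parse_martians(SAMPLE_LOG)
    for key, n in sorted(summarize(recs).items()):
        host, dev, src, mac = key
        print(f"{host:5} {dev:8} src={src:15} mac={mac}  count={n}")
```

Run on the sample, the summary shows br891 on xen1 logging the same broadcast twice from one sender MAC while xen2 logs it once, which is exactly the per-host asymmetry the mail describes and the first thing worth confirming from real logs. Sender MACs whose OUI does not belong to any expected guest or switch are the entries to investigate; everything else is noise a narrower log_martians setting can remove.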