Open Source and information security mailing list archives
Date:	Mon, 22 Oct 2012 11:36:37 +0200
From:	Kristian Evensen <kristian.evensen@...il.com>
To:	netdev@...r.kernel.org, netfilter@...r.kernel.org
Subject: Prioritizing IPs on interface with multiple addresses

Hello,

I am currently working on configuring an embedded system that will be
used as an access point for other devices. In order to reduce the
number of external devices, we want to connect the LAN on the embedded
system to a switch. Then, two separate networks will also be connected
to this switch, and the LAN interface assigned one IP from each
network. The IPs are static and network addresses are not overlapping.
One interface is the main interface for all traffic from clients,
while the other is used as fallback and for some monitoring traffic.
The clients that connect to this AP will be assigned IPs using DHCP
and traffic from them will be NAT'ed.

Initially, this setup works fine. The devices connected to this AP are
able to send traffic through the intended network and to the correct
hosts. If I disconnect from the main network, the routing tables are
updated and traffic is routed through the secondary network. However,
when I connect to the main network again, things break. The problem is
that there is an inconsistency between the order in the routing table
and the order of IP addresses assigned to the interface, which causes
problems when I do NAT (MASQUERADE). The default route (with the
lowest metric) points to the main network, but the first IP address
belongs to the secondary network. So what happens is that the packets
have the MAC address of the first hop in the main network, but a
source IP address from the second network (chosen by the NAT). This
causes the traffic to be discarded by the network. Deleting (and then
later adding) the IP of the secondary network is not an option as it
is needed for the monitoring traffic.

My question is, is there some way to prioritize the different IP
addresses assigned to an interface? For example, is there an
equivalent to a metric, index or something similar? Based on my
understanding, ip addr is only able to append addresses. I believe
this would solve the problem, as it would then be possible to ensure
that addresses and the routing table are in sync.

Another solution would be to monitor network events and create/delete
SNAT rules on-demand, but this is a big hack if you ask me and I would
like to try to avoid it.

Thanks in advance for any help!
Kristian
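One way to implement the on-demand SNAT approach the message mentions, as an added example that is not part of the original post: a POSIX shell helper that picks, from the interface's address list, the address whose subnet contains the current default gateway and emits an explicit SNAT rule for it, so the source address follows the route rather than the order in which the addresses were added. The interface name, the LAN range, the sample addresses and the iproute2/iptables invocations in the live helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post); assumes Linux iproute2/iptables.
# Names and addresses below are constructed for illustration.

# ip_to_int A.B.C.D -> the address as a decimal integer
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet ADDR/PLEN HOST -> succeeds when HOST lies inside ADDR's prefix (PLEN 1..32)
same_subnet() {
    addr=${1%/*}; plen=${1#*/}
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))   # 4294967295 = 0xFFFFFFFF
    [ $(( $(ip_to_int "$addr") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# pick_snat_source "ADDR/PLEN ADDR/PLEN ..." GATEWAY -> prints the interface address
# sharing a subnet with the gateway, i.e. the one that belongs with the next hop whose
# MAC the packets carry, regardless of which address was added to the interface first.
pick_snat_source() {
    for cidr in $1; do
        if same_subnet "$cidr" "$2"; then
            printf '%s\n' "${cidr%/*}"
            return 0
        fi
    done
    return 1   # no address on the interface covers the gateway
}

# snat_rule IFACE LAN_CIDR SOURCE -> explicit SNAT rule to install instead of MASQUERADE
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$1" "$2" "$3"
}

# Live use on the router (needs root; not run offline): read the address list and the
# current default gateway from iproute2, e.g. from a hook that fires on route changes.
live_snat_rule() {   # live_snat_rule IFACE LAN_CIDR
    addrs=$(ip -4 -o addr show dev "$1" | awk '{print $4}' | tr '\n' ' ')
    gw=$(ip -4 route show default | awk '$1 == "default" {print $3; exit}')
    snat_rule "$1" "$2" "$(pick_snat_source "$addrs" "$gw")"
}

# Constructed sample matching the message: the secondary network's address was added
# first, but the default route (lowest metric) points into the main network.
SAMPLE_ADDRS="192.0.2.10/24 198.51.100.10/24"   # secondary, then main
SAMPLE_GW="198.51.100.1"                        # gateway of the main network
```

With the sample above, `pick_snat_source "$SAMPLE_ADDRS" "$SAMPLE_GW"` selects the main network's address even though it is second in the list; when the default route moves to the secondary gateway the same call selects the secondary address, and the old SNAT rule can be replaced with the new one.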