Date:	Wed, 26 Feb 2014 02:29:34 +0100
From:	Hannes Frederic Sowa <hannes@...essinduktion.org>
To:	David Miller <davem@...emloft.net>
Cc:	dcbw@...hat.com, mcgrof@...not-panic.com, zoltan.kiss@...rix.com,
	netdev@...r.kernel.org, xen-devel@...ts.xenproject.org,
	kvm@...r.kernel.org, linux-kernel@...r.kernel.org,
	kuznet@....inr.ac.ru, jmorris@...ei.org, yoshfuji@...ux-ipv6.org,
	kaber@...sh.net
Subject: Re: [RFC v2 2/4] net: enables interface option to skip IP

On Tue, Feb 25, 2014 at 04:18:17PM -0500, David Miller wrote:
> From: Dan Williams <dcbw@...hat.com>
> Date: Tue, 25 Feb 2014 15:07:00 -0600
> 
> > Also, disable_ipv4 signals *intent*, which is distinct from current
> > state.
> > 
> > Does an interface without an IPv4 address mean that the user wished it
> > not to have one?
> > 
> > Or does it mean that DHCP hasn't started yet (but is supposed to), or
> > failed, or something hasn't gotten around to assigning an address yet?
> > 
> > disable_ipv4 lets you distinguish between these two cases, the same way
> > disable_ipv6 does.
> 
> Intent only matters on the kernel side if the kernel automatically
> assigns addresses to interfaces which have been brought up like ipv6
> does.
> 
> Since it does not do this for ipv4, this can be handled entirely in
> userspace.
> 
> It is not a valid argument to say that a rogue dhcp might run on
> the machine and configure an ipv4 address.  That's the admin's
> responsibility, and still a user side problem.  A "rogue" program
> could just as equally turn the theoretical disable_ipv4 off too.

Weekend model strikes again. :)

Currently one would need to set arp_filter and arp_ignore and have no
ip address on the interface to isolate it from the ipv4 network.

IFF_NOARP is of no use here as it also disables neighbour discovery.

I am not sure we completely tear down igmp processing on that interface
if no ip address is available. Maybe there are some special cases with
forwarding, too.

Such a "silent" mode could come in handy for intrusion detection systems
where one would ensure that no ip processing takes place but could also
be realized with nftables/netfilter/arpfilter, I think.

Bye,

  Hannes
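The userspace recipe Hannes sketches above (set arp_filter and arp_ignore on the interface and give it no IPv4 address), written out as an added example that is not part of the thread or of any kernel or iproute2 code. The sysctl names net.ipv4.conf.<if>.arp_filter and arp_ignore are the real ones; the function names, the "silent" wording and the optional tree root argument (so the check can be exercised against a copy of /proc/sys instead of the live kernel) are this example's own choices. It only covers the two ARP knobs and the address flush; it does nothing about the IGMP and forwarding corner cases the message says are unclear.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders, applies and checks the
# "no IPv4 address + arp_filter=1 + arp_ignore=1" interface setting.

# Print sysctl.d style lines for interface $1.
ipv4_silent_conf() {
    ifname="$1"
    printf 'net.ipv4.conf.%s.arp_filter = 1\n' "$ifname"
    printf 'net.ipv4.conf.%s.arp_ignore = 1\n' "$ifname"
}

# Verify interface $1 under sysctl tree root $2 (default /proc/sys).
# Prints each knob that is not 1 and returns non-zero if any is wrong.
ipv4_silent_check() {
    ifname="$1"
    root="${2:-/proc/sys}"
    dir="$root/net/ipv4/conf/$ifname"
    rc=0
    for key in arp_filter arp_ignore; do
        val=$(cat "$dir/$key" 2>/dev/null) || val=missing
        if [ "$val" != "1" ]; then
            echo "$ifname: $key=$val (want 1)"
            rc=1
        fi
    done
    return $rc
}

# Apply the setting to a real interface (needs root): write both sysctls,
# then drop every IPv4 address so nothing answers for the interface.
ipv4_silent_apply() {
    ifname="$1"
    ipv4_silent_conf "$ifname" | while read -r key eq val; do
        sysctl -w "$key=$val"
    done
    ip -4 addr flush dev "$ifname"
}

# Usage (as root): ipv4_silent_apply eth1 && ipv4_silent_check eth1
```

Note that a DHCP client or any other root process can still assign an address later, which is exactly the point Dan and David argue over above; ipv4_silent_check re-run from cron or a monitoring job is the userspace way to notice that.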

