| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 4 Mar 2014 22:37:57 +0100
From: Linus Lüssing <linus.luessing@....de>
To: Jan Stancek <jstancek@...hat.com>
Cc: netdev@...r.kernel.org, Florian Westphal <fwestpha@...hat.com>,
bridge@...ts.linux-foundation.org
Subject: Re: bridge is not forwaring ICMP6 neighbor solicitation to KVM guest
On Tue, Mar 04, 2014 at 06:06:29AM -0500, Jan Stancek wrote:
>
>
> ----- Original Message -----
> > From: "Linus Lüssing" <linus.luessing@....de>
> > To: "Jan Stancek" <jstancek@...hat.com>
> > Cc: netdev@...r.kernel.org, "Florian Westphal" <fwestpha@...hat.com>, bridge@...ts.linux-foundation.org
> > Sent: Tuesday, 4 March, 2014 11:52:54 AM
> > Subject: Re: bridge is not forwaring ICMP6 neighbor solicitation to KVM guest
> >
> > Hi Jan,
> >
> > On Tue, Mar 04, 2014 at 03:02:36AM -0500, Jan Stancek wrote:
> > > > For the broken query, ok, it's your manually crafted query. But
> > > > did you see a query with such a bogus source address "in the
> > > > wild", too? (I'm curious how urgent this sanity check is)
> > >
> > > It's real packet I managed to capture during one such occurrence.
> > > I'm sending it with small C program over raw socket, but it's byte
> > > by byte exact copy of what I captured with tcpdump previously.
> > >
> > > I'm not sure how that packet came to existence. Based on IPv6 address
> > > it came from host B, but all host B was doing at the time
> > > was running RHEL6 with couple qemu-kvm instances. KVM guests were
> > > set up to use bridge, so I'm assuming if any of them crafted
> > > this packet, source IPv6 address would be different.
> > >
> >
> > Ah, okay. Can you check whether it maybe came from the querier
> > code in the Linux bridge on host B? Is
> > "cat /sys/class/net/br0/bridge/multicast_querier" 1?
>
> # cat /sys/class/net/br0/bridge/multicast_querier
> cat: /sys/class/net/br0/bridge/multicast_querier: No such file or directory
Ok, that's not present on such old kernels, there it is actually
enabled by default.
>
> > Can you isolate host B and disable any multicast router daemon on it? Then
> > check again, if you still see these queries.
>
> Besides those cases where I sent it by myself, I haven't seen host B send
> that query for couple days now.
>
> > What kernel version is running on host B?
>
> 2.6.32-279.42.1.el6.x86_64
> It's a RHEL6.3.z kernel.
>
> > Where does Linux use :: for queries?
>
> I'm not sure if it's Linux (I'm trying to locate that system by MAC), but I see
> packets like these on my network every ~125 seconds:
>
> No. Time Source Destination Protocol Length Info
> 22675 1334.751135 :: ff02::1 ICMPv6 86 Multicast Listener Query
It's probably the bridge on this ancient kernel, you might want to
backport the following patch:
"bridge: Use IPv6 link-local address for multicast listener queries"
(fe29ec41aaa51902aebd63658dfb04fe6fea8be5)
And it's follow-up fixes:
"bridge: Fix possibly wrong MLD queries' ethernet source address"
(a7bff75b087e7a355838a32efe61707cfa73c194)
"bridge: check return value of ipv6_dev_get_saddr()"
(d1d81d4c3dd886d5fa25a2c4fa1e39cb89613712)
If these patches on host B xor the sanity check I just submitted applied
on your host A / VM host fix your issue, then they might be worth
considering for the stable queue.
Cheers, Linus
Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)
Powered by blists - more mailing lists