Open Source and information security mailing list archives
 
Message-ID: <20251201114025.1e6aa795@kernel.org>
Date: Mon, 1 Dec 2025 11:40:25 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Clara Engler <cve@....cx>
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
 davem@...emloft.net, dsahern@...nel.org, edumazet@...gle.com,
 pabeni@...hat.com, horms@...nel.org
Subject: Re: [PATCH] ipv4: Fix log message for martian source

On Mon, 1 Dec 2025 19:54:23 +0100 Clara Engler wrote:
> On Fri, Nov 28, 2025 at 10:47:12AM -0800, Jakub Kicinski wrote:
> > Could you explain how you discovered the issue?  (it should ideally be
> > part of the commit msg TBH)  
> 
> In the past few days, I toyed around with TUN interfaces and using them
> as a tunnel (receiving packets via a TUN and sending them over a TCP
> stream; receiving packets from a TCP stream and writing them to a
> TUN).[^1]
> 
> When these IP addresses contained local IPs (i.e. 10.0.0.0/8 in source
> and destination), everything worked fine.  However, sending them to a
> real routeable IP address on the internet led to them being treated as a
> martian packet, obviously.  I was able to fix this with some sysctl's
> and iptables settings, but while debugging I found the log message
> rather confusing, as I was unsure on whether the packet that gets
> dropped was the packet originating from me, or the response from the
> endpoint, as "martian source <ROUTEABLE IP>" could also be falsely
> interpreted as the response packet being martian, due to the word
> "source" followed by the routeable IP address, implying the source
> address of that packet is set to this IP.
> 
> [^1]: https://backreference.org/2010/03/26/tuntap-interface-tutorial

I see. Sounds legit, we can adjust the error msg per your suggestion.
Unfortunately, we just entered a merge window and then there will be 
an end-of-year shutdown period so you'll need to post v2 in around a
month :(
