| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 09 Jan 2007 18:53:03 -0800
From: Ben Greear <greearb@...delatech.com>
To: Brendan Cully <brendan@...lai.com>
CC: netdev@...r.kernel.org
Subject: Re: Question on advanced routing and/or virtual routers.
Brendan Cully wrote:
> I started something like this a while ago (posted at
> <20051006215312.GD24375@...opane.cs.ubc.ca> with a couple of replies
> by Thomas Graf, but I can't seem to find it in the archives) but then
> dropped the ball. It seems to work fairly well with a one-line kernel
> patch to allow route lookup before the local address check. Oh, and I
> didn't get traceroute working quite right either - I think there was
> some trick to finding the source address for the generated reply.
>
> I've got some info and code here: http://dsg.cs.ubc.ca/~brendan/remus/
Thanks for the pointers!
I took a look at this, and I think I'm starting to understand it.
But, I am not sure why the patch is needed. I was thinking that something
like this should cause packets entering a particular interface to use
a particular routing table. However, this does not seem to work for me
(without the patch). I have yet to try with the patch.
I'm using my re-direct device patch, which is a pair of network devices
that act like two ethernet interfaces connected with a cross-over cable.
So, when you tx on A, the pkt is RX'd on B.
I am trying to set up two 'routers':
router 1001:
rddA2: 10.0.3.1/24 -- connects to rddA1, which is in router 2
rddC1: 10.0.4.1/24 -- connects to rest of world...unused currently
router 1002:
rddA1: 10.0.3.2/24 -- connects to rddA2 in router 1
rddB1: 10.0.2.1/24 -- connects to private network...unused currently
I want any packets received on the rddA1 and rddB1 interfaces to use routing table 1002,
and those received on rddA2 and rddC1 to use routing table 1001.
It appears that the ping-response packets are using the local table,
so matching by incoming device does not appear to be working as I expected.
The ping requests are going out the right interface, so I think that matching
on source IP addr is working.
My ip route related commands:
ip ru del from 10.0.3.1 lookup 1001
ip ru del from 0/0 lookup 1001
ip ru del from 10.0.4.1 lookup 1001
ip ru del from 0/0 lookup 1001
ip ru del from 10.0.2.1 lookup 1002
ip ru del from 0/0 lookup 1002
ip ru del from 10.0.3.2 lookup 1002
ip ru del from 0/0 lookup 1002
ip link set rddC1 down
ip link set rddC1 up
ip addr flush dev rddC1
ip addr add 10.0.4.1/24 broadcast 10.0.4.255 dev rddC1
ip rule add iif rddC1 lookup 1001
ip rule add from 10.0.4.1/32 table 1001
ip route add 10.0.4.0/24 via 10.0.4.2 table 1001
ip link set rddA2 down
ip link set rddA2 up
ip addr flush dev rddA2
ip addr add 10.0.3.1/24 broadcast 10.0.3.255 dev rddA2
ip rule add iif rddA2 lookup 1001
ip rule add from 10.0.3.1/32 table 1001
ip route add 10.0.3.0/24 via 10.0.3.2 table 1001
ip link set rddA1 down
ip link set rddA1 up
ip addr flush dev rddA1
ip addr add 10.0.3.2/24 broadcast 10.0.3.255 dev rddA1
ip rule add iif rddA1 lookup 1002
ip rule add from 10.0.3.2/32 table 1002
ip route add 10.0.3.0/24 via 10.0.3.1 table 1002
ip link set rddB1 down
ip link set rddB1 up
ip addr flush dev rddB1
ip addr add 10.0.2.1/24 broadcast 10.0.2.255 dev rddB1
ip rule add iif rddB1 lookup 1002
ip rule add from 10.0.2.1/32 table 1002
ip route add 10.0.2.0/24 via 10.0.2.2 table 1002
[root@...forge-33-1E ~]# ping -I 10.0.3.1 10.0.3.2
PING 10.0.3.2 (10.0.3.2) from 10.0.3.1 : 56(84) bytes of data.
64 bytes from 10.0.3.2: icmp_seq=1 ttl=64 time=0.079 ms
64 bytes from 10.0.3.2: icmp_seq=2 ttl=64 time=0.062 ms
64 bytes from 10.0.3.2: icmp_seq=3 ttl=64 time=0.065 ms
64 bytes from 10.0.3.2: icmp_seq=4 ttl=64 time=0.062 ms
rddA2 Link encap:Ethernet HWaddr 00:19:DC:3A:39:50
inet addr:10.0.3.1 Bcast:10.0.3.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1 errors:0 dropped:0 overruns:0 frame:0
TX packets:45 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:42 (42.0 b) TX bytes:4186 (4.0 KiB)
[root@...forge-33-1E ~]# ifconfig rddA1
rddA1 Link encap:Ethernet HWaddr 00:62:D5:12:AF:31
inet addr:10.0.3.2 Bcast:10.0.3.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:45 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4186 (4.0 KiB) TX bytes:42 (42.0 b)
For other's benefit, here is the patch suggested by Mr. Cully:
--- net/ipv4/fib_rules.c.orig 2005-08-02 16:19:50.441632971 -0700
+++ net/ipv4/fib_rules.c 2005-08-02 16:20:06.844088253 -0700
@@ -94,6 +94,7 @@
static struct fib_rule local_rule = {
.r_next = &main_rule,
.r_clntref = ATOMIC_INIT(2),
+ .r_preference = 0x100,
.r_table = RT_TABLE_LOCAL,
.r_action = RTN_UNICAST,
};
Thanks,
Ben
--
Ben Greear <greearb@...delatech.com>
Candela Technologies Inc http://www.candelatech.com
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists