| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 9 Jan 2008 15:28:13 -0800 From: Andrew Morton <akpm@...ux-foundation.org> To: mingching.tiew@...tone.com Cc: bugme-daemon@...zilla.kernel.org, netdev@...r.kernel.org Subject: Re: [Bugme-new] [Bug 9719] New: when a system is configured as a bridge, and at the same time configured to have multipath weighted route, with one leg goes thru NAT and another without NAT, the nat path will intermittently get packets leaking out using internal IP without being SNAT-ted (switched to email. Please respond via emailed reply-to-all, not via the bugzilla web interface). On Wed, 9 Jan 2008 11:55:50 -0800 (PST) bugme-daemon@...zilla.kernel.org wrote: > http://bugzilla.kernel.org/show_bug.cgi?id=9719 > > Summary: when a system is configured as a bridge, and at the same > time configured to have multipath weighted route, with > one leg goes thru NAT and another without NAT, the nat > path will intermittently get packets leaking out using > internal IP without being SNAT-ted > Product: Networking > Version: 2.5 > KernelVersion: 2.6.22.15 and 2.6.23 > Platform: All > OS/Version: Linux > Tree: Mainline > Status: NEW > Severity: normal > Priority: P1 > Component: Netfilter/Iptables > AssignedTo: networking_netfilter-iptables@...nel-bugs.osdl.org > ReportedBy: mingching.tiew@...tone.com > > > Latest working kernel version: 2.6.23 > Earliest failing kernel version: 2.6.22.15 This doesn't make sense. What we're trying to ask here (and we've been unable to find a pair of questions which 100% of reporters can successfully answer) is whether this is a regression, and in which kernel release did we regress? In other words: did we break it, and if so, when did we break it? > Distribution: iptables 1.4.0 was used with kernel 2.6.23 and iptables 1.3.8 > with 2.6.22.15 > Hardware Environment: 3 interfaces, 2 interfaces bridged to form br0, and > another connects to internet using pppoe. > Software Environment: bridge, multipath routing > Problem Description: when a system is configured as a bridge with IP assigned > to br0 interface, and at the same time it is configured to have multipath > weighted default route, and one of the default route is NAT-ed and another of > the default route is not NAT-ed, then it is NAT-ed interface will occasionally > get packets leaking out to it with packets with private IPs. > > Steps to reproduce: > 1) setup the bridge interface and assign an IP to it > 2) setup an default gateway on side B of the bridge ( without NAT ) and default > route the bridge to this gateway. > 3) Setup a client on side A of the bridge and default route to the bridge br0 > interface. > 4) Start ping'ing an internet site, for example www.google.com from the client. > Run the ping continuously, for example :- > while true > do > ping -c 1 www.google.com > sleep 1 > done > 5) after successfully and consistently getting a ping response from the > www.google.com, on the bridge system start up another uplink to the internet, > but this uplink is SNAT-ed > > ( eg iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE ) > > 6) verify and make sure that the second uplink is working. > 7) change the default route on the bridge to multipath weighted route with > equal weight on both the uplinks. > 8) sniff the NAT-ed inteface for packets coming in from the LAN client. > Occasionallly packets with private IP leaks to the NAT-ed interface. > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists