lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 Oct 2008 17:56:17 +0100 From: Ferenc Wagner <wferi@...f.hu> To: Jarek Poplawski <jarkao2@...il.com> Cc: netdev@...r.kernel.org Subject: Re: IP-less bridge as a martian source Jarek Poplawski <jarkao2@...il.com> writes: > Jarek Poplawski wrote, On 10/22/2008 07:22 PM: > >> Ferenc Wagner wrote, On 10/22/2008 05:00 PM: >> >>> Ferenc Wagner <wferi@...f.hu> writes: >>> >>>> I expected an IP-less bridge interface to pick up no IP packets, but >>>> apparently this isn't the case: broadcast packets with destination >>>> address 255.255.255.255 are reported as martians by the 2.6.18 >>>> kernel, which I find counterintuitive (I know 2.6.18 is rather old, >>>> but that's the one supported by Xen). >>>> >>>> 1. Is this the expected behaviour? >> >> I think so, and this thread pertains to something similar: >> http://marc.info/?l=linux-netdev&m=122456602708727&w=2 > > Sorry! I didn't check this before writing. This: > > 1941 static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr, > 1942 u8 tos, struct net_device *dev) > 1943 { > ... > 1963 /* IP on this device is disabled. */ > 1964 > 1965 if (!in_dev) > 1966 goto out; > 1967 > 1968 /* Check for the most weird martians, which can be not detected > 1969 by fib_lookup. > 1970 */ > > means something else, so with IP disabled you shouldn't have any martians! > (And this is old code.) Hi Jarek, Thanks for your comments. To tell the truth, I'm quite confused about the host-based addressing model. If the addresses belong to the host, then why do we add them to interfaces? In my case, the bridge itself (?) has no IP addresses assigned, but an other interface (which isn't a bridge port) does have. In other words, the only network interface of the host is a bond interface aggregating the two physical Ethernet interfaces; the two IP addresses of the host are assigned to this bond0. bond0 is also the raw interface of several .1q VLAN interfaces, which are ports of bridges (there is one bridge for each VLAN but the native above). The other ports of the bridges are the virtual interfaces of the Xen guests running on this host. If I run ping -b 255.255.255.255 on one such guest, that gives a "martian source 255.255.255.255" warning on the given bridge. Even though 255.255.255.255 is the destination address of that ping packet... And this happens on 2.6.26.6, too. Can't it come from ip_mkroute_input instead of ip_route_input_slow? -- Regards, Feri. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists