lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <87y707mjbi.fsf@tac.ki.iif.hu>
Date:	Wed, 29 Oct 2008 17:56:17 +0100
From:	Ferenc Wagner <wferi@...f.hu>
To:	Jarek Poplawski <jarkao2@...il.com>
Cc:	netdev@...r.kernel.org
Subject: Re: IP-less bridge as a martian source

Jarek Poplawski <jarkao2@...il.com> writes:

> Jarek Poplawski wrote, On 10/22/2008 07:22 PM:
>
>> Ferenc Wagner wrote, On 10/22/2008 05:00 PM:
>> 
>>> Ferenc Wagner <wferi@...f.hu> writes:
>>>
>>>> I expected an IP-less bridge interface to pick up no IP packets, but
>>>> apparently this isn't the case: broadcast packets with destination
>>>> address 255.255.255.255 are reported as martians by the 2.6.18
>>>> kernel, which I find counterintuitive (I know 2.6.18 is rather old,
>>>> but that's the one supported by Xen).
>>>>
>>>>   1. Is this the expected behaviour?
>> 
>> I think so, and this thread pertains to something similar:
>> http://marc.info/?l=linux-netdev&m=122456602708727&w=2
>
> Sorry! I didn't check this before writing. This:
>
> 1941 static int ip_route_input_slow(struct sk_buff *skb, __be32 daddr, __be32 saddr,
> 1942                                u8 tos, struct net_device *dev)
> 1943 {
> ...
> 1963         /* IP on this device is disabled. */
> 1964
> 1965         if (!in_dev)
> 1966                 goto out;
> 1967
> 1968         /* Check for the most weird martians, which can be not detected
> 1969            by fib_lookup.
> 1970          */
>
> means something else, so with IP disabled you shouldn't have any martians!
> (And this is old code.)

Hi Jarek,

Thanks for your comments.  To tell the truth, I'm quite confused about
the host-based addressing model.  If the addresses belong to the host,
then why do we add them to interfaces?

In my case, the bridge itself (?) has no IP addresses assigned, but
an other interface (which isn't a bridge port) does have.  In other
words, the only network interface of the host is a bond interface
aggregating the two physical Ethernet interfaces; the two IP addresses
of the host are assigned to this bond0.

bond0 is also the raw interface of several .1q VLAN interfaces, which
are ports of bridges (there is one bridge for each VLAN but the native
above).  The other ports of the bridges are the virtual interfaces of
the Xen guests running on this host.  If I run ping -b 255.255.255.255
on one such guest, that gives a "martian source 255.255.255.255"
warning on the given bridge.  Even though 255.255.255.255 is the
destination address of that ping packet...

And this happens on 2.6.26.6, too.  Can't it come from
ip_mkroute_input instead of ip_route_input_slow?
-- 
Regards,
Feri.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ