Date:	Mon, 23 Nov 2009 15:31:24 +1100
From:	Alex Samad <alex@...ad.com.au>
To:	netdev@...r.kernel.org
Subject: icmp redirects problem

Hi


I seem to be having problems with icmp redirects

My network setup, I have

sydrt01 
  eth0 192.168.11.1/24 
  eth1 192.168.10.1/24
  ppp0 attached to eth2 internet

max
  eth0 192.168.11.10/24 DGW 192.168.11.1

Because sydrt01 only has 10/100 ports I moved 192.168.10.1/24 (my
wireless) to max, which had a spare 1g port. So I ended up with


sydrt01 
  eth0 192.168.11.1/24 
  ppp0 attached to eth2 internet

max
  eth0 192.168.11.10/24
  eth1 192.168.10.1/24

I added an ip r r 192.168.10.0/24 via 192.168.11.10 to sydrt01 and I see
that sydrt01 sends out the icmp redirects.


But in this situation when I have

laptop connected to 192.168.11.0/24 (192.168.11.200) and I have
alex-mini connected to 192.168.10.0/24 (192.168.10.201), I can ssh from
alex-mini to laptop, pings seem to work but ssh has a problem.

When I investigated this, tcpdump -pni eth0 hostname alex-mini or icmp
on laptop, I can see that the return packets (syn-ack) go to sydrt01
(DGW) and an icmp comes back to redirect - which laptop fails to act
upon.  I tried ping -c 6 alex-mini from laptop and after each icmp, ping
advised that there was an icmp redirect, but again the kernel did not
take the information in.

I have 

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
(presume all the interface ones are 1)

as my default. The documentation seems to suggest that I don't need the
former for the latter to work, i.e. I can have either one.

But for me to get this to work I had to set 

net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1

to get it to work properly.

My understanding is secure_redirects means that the kernel should listen
to an icmp redirect if the redirect comes from the default gateway as per
the route table.

laptop gets its ip from a DHCP server that makes 192.168.11.1 the default
gateway and it's 192.168.11.1 that sends out the icmp redirect.

I had a quick look at the kernel tree for 2.6.31 (which is what I am
using).

I am no expert on the kernel source, but from what I found
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.31.y.git;a=blob;f=net/ipv4/icmp.c;h=97c410e8438895664a9abdbbf5670b26af01dffa;hb=HEAD
line 774 which handles the icmp redirects uses ip_rt_redirect

http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.31.y.git;a=blob;f=net/ipv4/route.c;h=278f46f5011beb2ab85747543f84dfd3ce7c6d1c;hb=HEAD
line 1334 has ip_rt_redirect

This is where I lose it a bit

my guess is line 1349, which seems to check to see if redirects are allowed,
does an IN_DEV_RX_REDIRECTS and this macro
(http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.31.y.git;a=blob;f=include/linux/inetdevice.h;h=ad27c7da87986da346da3d62f29e88bec957280a;hb=HEAD)


and I think it fails the test here and thus gets bounced out. Which sort
of corresponds to what I have seen - but doesn't match up with the
documentation
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.31.y.git;a=blob;f=Documentation/networking/ip-sysctl.txt;h=8be76235fe6724c43e0c2b39778f3f741e53b619;hb=HEAD

Line 680
 secure_redirects - BOOLEAN
 681         Accept ICMP redirect messages only for gateways,
 682         listed in default gateway list.
 683         secure_redirects for the interface will be enabled if at least one of
 684         conf/{all,interface}/secure_redirects is set to TRUE,
 685         it will be disabled otherwise
 686         default TRUE


I had conf/interface/secure_redirects = 1 and conf/all/secure_redirects = 1


Thanks
Alex
PS I am not subscribed please cc me on replies thanks

I sent this to linux-net, but realised that might not be the right list
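
Added example, not part of the original message and not kernel code: a small audit script that works out, per interface, whether ICMP redirects are effectively accepted. It assumes the combination rules given in ip-sysctl.txt (accept_redirects: "all" AND interface when forwarding is enabled on the interface, "all" OR interface when it is disabled; secure_redirects: "all" OR interface). The helper names and the sample tree are constructed for illustration.

```python
import tempfile
from pathlib import Path

def read_flag(conf_root, iface, name):
    """Read one boolean sysctl file, e.g. <root>/eth0/accept_redirects."""
    try:
        return int((Path(conf_root) / iface / name).read_text().strip()) != 0
    except (OSError, ValueError):
        return False  # missing or unreadable value is treated as off

def effective_redirect_policy(conf_root, iface):
    """Combine 'all' and per-interface values as ip-sysctl.txt describes."""
    fwd = read_flag(conf_root, iface, "forwarding")
    acc_all = read_flag(conf_root, "all", "accept_redirects")
    acc_if = read_flag(conf_root, iface, "accept_redirects")
    # Forwarding on: both must be set. Forwarding off: either one is enough.
    accept = (acc_all and acc_if) if fwd else (acc_all or acc_if)
    # secure_redirects is an OR, and only matters once redirects are accepted.
    secure = (read_flag(conf_root, "all", "secure_redirects")
              or read_flag(conf_root, iface, "secure_redirects"))
    if not accept:
        return "ignored"
    return "accepted, secure_redirects " + ("on" if secure else "off")

def audit(conf_root="/proc/sys/net/ipv4/conf"):
    """Return {interface: policy} for each interface directory under conf_root."""
    return {p.name: effective_redirect_policy(conf_root, p.name)
            for p in sorted(Path(conf_root).iterdir())
            if p.is_dir() and p.name not in ("all", "default")}

def build_sample_tree(values):
    """Constructed stand-in for /proc/sys/net/ipv4/conf so this runs offline."""
    root = Path(tempfile.mkdtemp())
    for iface, flags in values.items():
        (root / iface).mkdir()
        for name, val in flags.items():
            (root / iface / name).write_text(f"{val}\n")
    return root

if __name__ == "__main__":
    # Constructed values; all.accept_redirects = 0 as in the message above.
    sample = build_sample_tree({
        "all":  {"accept_redirects": 0, "secure_redirects": 1},
        "eth0": {"accept_redirects": 0, "secure_redirects": 1, "forwarding": 0},
        "eth1": {"accept_redirects": 1, "secure_redirects": 1, "forwarding": 0},
    })
    for iface, policy in audit(sample).items():
        print(iface, "->", policy)
```

On a live host, calling audit() with no argument reads the real /proc/sys/net/ipv4/conf tree.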
