lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20091124075852.GA6170@ff.dom.local>
Date:	Tue, 24 Nov 2009 07:58:52 +0000
From:	Jarek Poplawski <jarkao2@...il.com>
To:	Alex Samad <alex@...ad.com.au>
Cc:	netdev@...r.kernel.org
Subject: Re: icmp redirects problem

On Tue, Nov 24, 2009 at 11:12:30AM +1100, Alex Samad wrote:
> On Mon, Nov 23, 2009 at 10:58:38PM +0100, Jarek Poplawski wrote:
> > Alex Samad wrote, On 11/23/2009 05:31 AM:
> > 
> 
> [snip]
> 
> > > 
> > > laptop gets its ip from dchp server that make 192.168.11.1 the default
> > > gateway and its 192.168.11.1 that sends out the icmp redirect.
> > 
> > Btw, it seems you should fix your routing (by adding sydrt01's eth0
> > the second ip or advertising 192.168.11.10 more) to avoid those
> > redirects.
> 
> sorry I am lost on this statement, I can't add 192.168.11.10 to sydrt01
> as it is not physically connected to the 192.168.10.0/24 any more, which
> is why I had added the route on sydrt01 and which is why it send
> icmp_rediercts.
> 
> I have updated the route table on each static machine, but the problem
> is on the machines that get their ip via dhcp - I haven't looked at
> pushing out route information via dhcp - I am not sure that it would
> work in a mixed windows / linux environment.
> 
> what do you mean by advertising 192.168.11.10 more ?

I meant just what you've described, but wasn't sure of your config.

> 
> > 
> > > 
> > > I had a quick look at the kernel tree for 2.6.31 (which is what I am
> > > using).
> > 
> > ...
> > 
> > > Line 680
> > >  secure_redirects - BOOLEAN
> > >  681         Accept ICMP redirect messages only for gateways,
> > >  682         listed in default gateway list.
> > >  683         secure_redirects for the interface will be enabled if at
> > >  least one of
> > >  684         conf/{all,interface}/secure_redirects is set to TRUE,
> > >  685         it will be disabled otherwise
> > >  686         default TRUE
> > 
> > Very helpful links. So, as you wrote "the documentation seems to suggest"
> > something, and IMHO even if it doesn't, it's needlessly too concise
> > considering your "lost time", and I'd suggest you sending a patch to fix
> > this. (It seems it could "touch" shared_media, as well.)
> 
> Which is wrong the code or the documentation and which part the test or
> the reliance on the shared_media or on the redirects flags

The code looks consistent to me. The documentation isn't wrong either,
until it only "seems to suggest", but it might be better, if it
metioned just what you tested: both things depend on accept_redirects.

Jarek P.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ