lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 30 Nov 2009 18:55:30 +0100 (MET)
From:	Patrick McHardy <kaber@...sh.net>
To:	netdev@...r.kernel.org
Cc:	Patrick McHardy <kaber@...sh.net>
Subject: RFC: net 00/05: routing based send-to-self implementation

These patches are yet another attempt at adding "send-to-self" functionality,
allowing to send packets between two local interfaces over the wire. Unlike
the approaches I've seen so far, this one is purely routing based.
Especially the oif classification should also be useful for different setups.

The patchset consists of three parts:

- the first three patches add oif classification to fib_rules. This can be
  used create special routing tables for sockets bound to an interface.

- the fourth patch changes IPv4 and IPv6 to allow to delete the local rule
  with priority 0. This allows to re-create it using a lower priority and
  insert new rules below it to force packets with a local destination out
  on the wire.

- the fifth patch adds a devinet sysctl to accept packets with local source
  addresses in fib_validate_source(). This one unfortunately seems to be
  necessary, I couldn't come up with a method based purely on adding more
  routes to fool fib_validate_source() into accepting those packets.

Usage example:

# move local routing rule to lower priority
ip rule add pref 1000 lookup local
ip rule del pref 0

# only reply to ARP requests for addresses configured on the device
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore

# configure device and force packets of bound sockets out on eth1
ip address add dev eth1 10.0.0.1/24
echo 1 > /proc/sys/net/ipv4/conf/eth1/accept_local
ip link set eth1 up
ip rule add pref 500 oif eth1 lookup 500
ip route add default dev eth1 table 500

# configure device and force packets of bound sockets out on eth2
ip address add dev eth2 10.0.0.2/24
echo 1 > /proc/sys/net/ipv4/conf/eth2/accept_local
ip link set eth2 up
ip rule add pref 501 oif eth2 lookup 501
ip route add default dev eth2 table 501

At this point both packets between sockets bound to eth1/eth2 will
go over the wire.

Comments welcome.


 Documentation/networking/ip-sysctl.txt |    6 +++
 include/linux/fib_rules.h              |    8 +++-
 include/linux/inetdevice.h             |    1 +
 include/linux/sysctl.h                 |    1 +
 include/net/fib_rules.h                |    9 +++-
 kernel/sysctl_check.c                  |    1 +
 net/core/fib_rules.c                   |   71 +++++++++++++++++++++++---------
 net/ipv4/devinet.c                     |    1 +
 net/ipv4/fib_frontend.c                |   11 +++--
 net/ipv4/fib_rules.c                   |    2 +-
 net/ipv6/fib6_rules.c                  |    2 +-
 11 files changed, 82 insertions(+), 31 deletions(-)

Patrick McHardy (5):
      net: fib_rules: rearrange struct fib_rule
      net: fib_rules: rename ifindex/ifname/FRA_IFNAME to iifindex/iifname/FRA_IIFNAME
      net: fib_rules: add oif classification
      net: fib_rules: allow to delete local rule
      ipv4: add sysctl to accept packets with local source addresses
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ