| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20100805134653.9e8985cc.akpm@linux-foundation.org>
Date: Thu, 5 Aug 2010 13:46:53 -0700
From: Andrew Morton <akpm@...ux-foundation.org>
To: netfilter@...r.kernel.org, netdev@...r.kernel.org
Cc: bugzilla-daemon@...zilla.kernel.org,
bugme-daemon@...zilla.kernel.org,
for.poige+bugzilla.kernel.org@...il.com
Subject: Re: [Bugme-new] [Bug 16517] New: rp_filter fails to filter with
CONFIG_IP_ROUTE_MULTIPATH and more than one 0/0 nexthop dev
(switched to email. Please respond via emailed reply-to-all, not via the
bugzilla web interface).
On Thu, 5 Aug 2010 01:48:01 GMT
bugzilla-daemon@...zilla.kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=16517
>
> Summary: rp_filter fails to filter with
> CONFIG_IP_ROUTE_MULTIPATH and more than one 0/0
> nexthop dev
> Product: Networking
> Version: 2.5
> Kernel Version: at least 2.6.18 and newer
> Platform: All
> OS/Version: Linux
> Tree: Mainline
> Status: NEW
> Severity: high
> Priority: P1
> Component: IPV4
> AssignedTo: shemminger@...ux-foundation.org
> ReportedBy: for.poige+bugzilla.kernel.org@...il.com
> Regression: No
>
>
> I think the problem is net/ipv4/fib_frontend.c fib_validate_source()
>
> ...
> #ifdef CONFIG_IP_ROUTE_MULTIPATH
> if (FIB_RES_DEV(res) == dev || res.fi->fib_nhs > 1)
> #else
> if (FIB_RES_DEV(res) == dev)
> #endif
> ...
>
> I'm not sure, but this code is quite trivial and self-speaking. In case we have
> several default routes, we'd better iterate over each of them and compare
> resulting devices with the input one. So, fix is also trivial, specially for
> network kernel developers. ;-)
>
> I've set priority "High" cause it doesn't affects usual Linux users directly,
> but indirectly it can affect any host on Internet, so the problem is
> significant, of course.
>
> P. S. Kernel docs say: {
> rp_filter - INTEGER
> 0 - No source validation.
> 1 - Strict mode as defined in RFC3704 Strict Reverse Path
> Each incoming packet is tested against the FIB and if the interface
> is not the best reverse path the packet check will fail.
> By default failed packets are discarded.
> 2 - Loose mode as defined in RFC3704 Loose Reverse Path
> Each incoming packet's source address is also tested against the
> FIB
> and if the source address is not reachable via any interface
> the packet check will fail.
>
> Current recommended practice in RFC3704 is to enable strict mode
> to prevent IP spoofing from DDos attacks. If using asymmetric routing
> or other complicated routing, then loose mode is recommended.
>
> conf/all/rp_filter must also be set to non-zero to do source validation
> on the interface
>
> Default value is 0. Note that some distributions enable it
> in startup scripts.
> }, but is in reality level "2" of rp_filtering implemented?
>
> P. P. S. netfilter would be the best place to have Reverse Path checks. But
> that's another story.
>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists