Message-ID: <5087C4F0.4070607@mail.ru>
Date: Wed, 24 Oct 2012 13:37:36 +0300
From: Sergey Popovich <popovich_sergei@...l.ru>
To: netdev@...r.kernel.org
Subject: Re: Incorrect ARP behavior when multiple/none IPv4 address assigned to interface

Julian Anastasov wrote:
> dummy module is usually used as blackhole for
> traffic or to hide addresses from other interfaces with
> some sysctl interface flags.
>
> For example, can it work in this way?:
>
> eth0: addr 10.0.1.1/24
> ip route 10.0.1.2/32 dev eth0 src 10.0.1.1
>
> eth1: addr 10.0.1.1/24
> ip route 10.0.1.3/32 dev eth1 src 10.0.1.1
>
> eth2: addr 10.0.2.1/24
> ip route 10.0.2.2/32 dev eth2 src 10.0.2.1
>
> By this way we have subnet on every device and
> we can prefer local IP from such subnet in inet_select_addr.
> Maybe arp_ignore=1/2 and arp_announce=1/2 can help here
> to put the needed restrictions, i.e. we should not expose
> addresses from other devices. It should not cause problem
> for proxy_arp because we have more specific /32 routes.
>

Yes, just apply proposed configuration to lab schema. Everything works
as expected with no extra arp_ignore/arp_announce configuration.

Even if I add second primary address 192.168.1.1/24 to eth2, and
introduce pc4 in same broadcast domain as pc3 (eth2).

Well, configuration with 3000 subinterfaces looks worse, but it works
with no extra patches/configuration.

Thank you for your help.

--
SP5474-RIPE
Sergey Popovich