Date:	Mon, 28 Apr 2014 17:25:08 -0700
From:	Stephen Hemminger <stephen@...workplumber.org>
To:	netdev@...r.kernel.org
Subject: Fw: [Bug 74991] New: rp_filter is dropping icmp unreach



Begin forwarded message:

Date: Mon, 28 Apr 2014 06:16:13 -0700
From: "bugzilla-daemon@...zilla.kernel.org" <bugzilla-daemon@...zilla.kernel.org>
To: "stephen@...workplumber.org" <stephen@...workplumber.org>
Subject: [Bug 74991] New: rp_filter is dropping icmp unreach


https://bugzilla.kernel.org/show_bug.cgi?id=74991

            Bug ID: 74991
           Summary: rp_filter is dropping icmp unreach
           Product: Networking
           Version: 2.5
    Kernel Version: 2.6.32
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: low
          Priority: P1
         Component: IPV4
          Assignee: shemminger@...ux-foundation.org
          Reporter: cport@...nadvice.de
        Regression: No

If rp_filter is enabled, some ICMP messages may get dropped because the wrong
IP address information is checked.

Setup:
Host - GW1 - GW2 - Server
The host has IP 192.168.1.1/24 and only a single route to 10.1.1.0/24 via its
gateway GW1; there is no default route. rp_filter is set to 1.
GW1 links to GW2 on link 172.16.1.0/24.
GW2 has IP address 172.16.1.2 pointing to GW1 and 10.1.1.1 pointing to the server;
the MTU on link 10.1.1.1 is 1400.
The server has IP 10.1.1.2.

Now the host sends a packet with MTU 1500 to the server:
192.168.1.1 -> 10.1.1.2
GW1 passes the packet to GW2.
GW2 checks the packet and rejects it because of the MTU of the outgoing
link. The generated packet is 172.16.1.2 -> 192.168.1.1 ICMP fragmentation
needed, with the original packet header in the payload.
GW1 passes the packet to the host.
The host checks the packet and rp_filter drops it, because the sender IP
address is not in the routing table. This is wrong behavior. In this case the
rp_filter routine should check the IP contained in the payload of the ICMP
unreach packet, because the packet was caused by the 192.168.1.1 ->
10.1.1.2 packet and relates to this session. If rp_filter drops this ICMP,
path MTU discovery gets broken. There is no need to route all transfer networks
in a provider cloud, but the related ICMP unreachable messages should pass the
filter.

Regards
Christian

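The scenario above, replayed as an added example (not code from the report or from the kernel): a simplified model of the reverse-path check with a constructed routing table for the host, showing that the ICMP fragmentation-needed from 172.16.1.2 fails strict mode (rp_filter=1), also fails loose mode (rp_filter=2) because the host has no route at all to the transit network, and would pass under the reporter's proposal of validating the embedded original destination. Interface names and the `rp_filter_icmp_error` helper are assumptions for illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed routing table for the host in the bug report: its own LAN and a
# single route to 10.1.1.0/24 via GW1, both over one interface; no default route.
HOST_ROUTES: List[Tuple[str, str]] = [
    ("192.168.1.0/24", "eth0"),
    ("10.1.1.0/24", "eth0"),
]

def lookup(routes: List[Tuple[str, str]], addr: str) -> Optional[str]:
    """Longest-prefix match: return the egress interface for addr, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def rp_filter(routes, src: str, ingress: str, mode: int) -> bool:
    """Simplified reverse-path check (a model, not the kernel's code). mode 0: off;
    1: strict, route back to src must use the ingress interface; 2: loose, any
    route back to src suffices. Returns True when the packet is accepted."""
    if mode == 0:
        return True
    dev = lookup(routes, src)
    if dev is None:          # no route back at all: dropped in strict and loose mode
        return False
    return dev == ingress if mode == 1 else True

def rp_filter_icmp_error(routes, inner_dst: str, ingress: str, mode: int) -> bool:
    """The reporter's proposal (hypothetical helper): for an ICMP error, validate
    the destination of the embedded original packet instead of the outer source."""
    return rp_filter(routes, inner_dst, ingress, mode)

def scenario() -> Dict[str, bool]:
    """Replay the report: GW2 (172.16.1.2) sends ICMP fragmentation needed to the
    host for the host's own 192.168.1.1 -> 10.1.1.2 packet, arriving on eth0."""
    outer_src, inner_dst, ingress = "172.16.1.2", "10.1.1.2", "eth0"
    return {
        "strict_outer_src": rp_filter(HOST_ROUTES, outer_src, ingress, 1),
        "loose_outer_src": rp_filter(HOST_ROUTES, outer_src, ingress, 2),
        "off": rp_filter(HOST_ROUTES, outer_src, ingress, 0),
        "strict_inner_dst": rp_filter_icmp_error(HOST_ROUTES, inner_dst, ingress, 1),
    }

if __name__ == "__main__":
    for check, accepted in scenario().items():
        print(f"{check:18} -> {'accept' if accepted else 'drop'}")
```

On a real host the equivalent symptom is visible as a rising `IPReversePathFilter` counter in `/proc/net/netstat` (when `log_martians` is off) while large transfers to 10.1.1.0/24 stall.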
