lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <8f53ba28-d897-45c4-862c-3d3850dbd79d@cumulusnetworks.com>
Date:   Fri, 17 Mar 2017 23:54:12 -0600
From:   David Ahern <dsa@...ulusnetworks.com>
To:     Daniele Orlandi <daniele@...andi.com>, netdev@...r.kernel.org
Subject: Re: SO_BINDTODEVICE in VRFs not working?

On 3/17/17 7:59 PM, Daniele Orlandi wrote:
> 
> Hello,
> 
> I'm writing an application that should listen on a TCP port bound to an
> inteface in a VRF.
> 
> The bind/listen sequence is the following:
> 
>   int s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
> 
>   char *ifname = "eth1";

Bind to the VRF device not an interface enslaved to it. I want to add
the option for enslaved interfaces but have not gotten around to it.


>   setsockopt(s, SOL_SOCKET, SO_BINDTODEVICE, ifname, strlen(ifname)+1);
> 
>   struct sockaddr_in addr;
>   memset(&addr, 0, sizeof addr);
>   addr.sin_family = AF_INET;
>   addr.sin_port = htons(555);
>   addr.sin_addr.s_addr = inet_addr("0.0.0.0");
> 
>   bind(s, (struct sockaddr *)&addr, sizeof(addr));
> 
>   listen(s, 5);
> 
> The application is confirmed to be bound to the correct interface via "ss":
> 
> Netid State    Local Address:Port     Peer Address:Port
> tcp   LISTEN   *%eth1:555             *:*
> 
> I can ping the interface address finely, however I get an RST whenever I
> try to connect from a remote host:
> 
> $ ping 10.10.10.10
> PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
> 64 bytes from 10.10.10.10: icmp_seq=1 ttl=64 time=0.758 ms
> 64 bytes from 10.10.10.10: icmp_seq=2 ttl=64 time=0.350 ms
> 
> $ telnet 10.10.10.10 555
> Trying 10.10.10.10...
> telnet: Unable to connect to remote host: Connection refused
> 
> A similar piece of code without setsockopt run via "ip vrf exec" does
> however work!

'ip vrf exec' binds sockets to the VRF.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ