lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 17 Jan 2020 09:49:35 -0800
From:   Ben Greear <greearb@...delatech.com>
To:     netdev <netdev@...r.kernel.org>
Subject: vrf and ipsec xfrm routing problem

Hello,

I'm back to mucking with xfrm and vrfs.  I am currently able to get the
xfrm interface to connect to the ipsec peer and get an IP address.

But, when I bind a UDP socket to the x_eth4 xfrm device, the packets
go out of eth4 instead.

Based on the problems I was having with multicast, I am thinking this might just be some routing problem.

# ip route show vrf _vrf4
default via 192.168.5.1 dev eth4
192.168.5.0/24 dev eth4 scope link src 192.168.5.4

# ip addr show dev eth4
7: eth4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master _vrf4 state UP group default qlen 1000
     link/ether 00:30:18:01:63:eb brd ff:ff:ff:ff:ff:ff
     inet 192.168.5.4/24 brd 192.168.5.255 scope global eth4
        valid_lft forever preferred_lft forever

# ip addr show dev x_eth4
30: x_eth4@...4: <NOARP,UP,LOWER_UP> mtu 1440 qdisc noqueue master _vrf4 state UNKNOWN group default qlen 1000
     link/none 00:30:18:01:63:eb brd ff:ff:ff:ff:ff:ff
     inet 192.168.10.101/32 scope global x_eth4
        valid_lft forever preferred_lft forever
     inet6 fe80::f6ec:3e67:9b7b:60c9/64 scope link stable-privacy
        valid_lft forever preferred_lft forever


I tried adding a route to specify the x_frm as source, but that does not appear to work:

[root@...313-63e7 lanforge]# ip route add 192.168.10.0/24 via 192.168.5.1 dev x_eth4 table 4
[root@...313-63e7 lanforge]# ip route show vrf _vrf4
default via 192.168.5.1 dev eth4
192.168.5.0/24 dev eth4 scope link src 192.168.5.4
192.168.10.0/24 via 192.168.5.1 dev eth4

I also tried this, but no luck:

[root@...313-63e7 lanforge]# ip route add 192.168.10.0/24 via 192.168.10.1 dev x_eth4 table 4
Error: Nexthop has invalid gateway.

Any ideas about where my problem might lie?

Thanks,
Ben

-- 
Ben Greear <greearb@...delatech.com>
Candela Technologies Inc  http://www.candelatech.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ