lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Thu, 19 Mar 2020 07:58:39 -0700
From:   Stephen Hemminger <stephen@...workplumber.org>
To:     netdev@...r.kernel.org
Subject: Fw: [Bug 206885] New: macvlan and proxy ARP can be accidentally
 configured to respond to ARP requests for all IPs

My gut feeling is this a user error, but forwarding to get more eyes.

Begin forwarded message:

Date: Thu, 19 Mar 2020 13:48:01 +0000
From: bugzilla-daemon@...zilla.kernel.org
To: stephen@...workplumber.org
Subject: [Bug 206885] New: macvlan and proxy ARP can be accidentally configured to respond to ARP requests for all IPs


https://bugzilla.kernel.org/show_bug.cgi?id=206885

            Bug ID: 206885
           Summary: macvlan and proxy ARP can be accidentally configured
                    to respond to ARP requests for all IPs
           Product: Networking
           Version: 2.5
    Kernel Version: 5.3.0-42-generic
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: IPV4
          Assignee: stephen@...workplumber.org
          Reporter: thomas.parrott@...onical.com
        Regression: No

Using the following approach it is possible to accidentally configure a macvlan
interface to respond to ARP requests for all IPs.

Reproducer:

ip link add link enp3s0 address f6:83:72:e4:77:0a vtest type macvlan
ip addr add 192.168.1.200/32 dev vtest
ip link set vtest up

sysctl -w net.ipv4.conf.vtest.rp_filter=2
sysctl -w net.ipv4.conf.vtest.proxy_arp=1
sysctl -w net.ipv4.conf.vtest.forwarding=1


On a separate host on the same segment:

arping -c 1 -I eth1 -s 192.168.1.2 10.1.2.3
ARPING 10.1.2.3 from 192.168.1.2 eth1
Unicast reply from 10.1.2.3 [f6:83:72:e4:77:0a] 419.288ms
Sent 1 probe(s) (0 broadcast(s))
Received 1 response(s) (0 request(s), 0 broadcast(s))

arping -c 1 -I eth1 -s 192.168.1.2 8.8.8.8
ARPING 10.1.2.3 from 192.168.1.2 eth1
Unicast reply from 10.1.2.3 [f6:83:72:e4:77:0a] 27.754ms
Sent 1 probe(s) (0 broadcast(s))
Received 1 response(s) (0 request(s), 0 broadcast(s))


See https://github.com/lxc/lxc/issues/775 for more information.

-- 
You are receiving this mail because:
You are the assignee for the bug.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ