Message-ID: <20200706091437.6f2188c0@hermes.lan>
Date: Mon, 6 Jul 2020 09:14:37 -0700
From: Stephen Hemminger <stephen@...workplumber.org>
To: netdev@...r.kernel.org
Subject: Fw: [Bug 206885] macvlan and proxy ARP can be accidentally configured to respond to ARP requests for all IPs
This looks like a user configuration error.
Begin forwarded message:
Date: Mon, 06 Jul 2020 09:36:58 +0000
From: bugzilla-daemon@...zilla.kernel.org
To: stephen@...workplumber.org
Subject: [Bug 206885] macvlan and proxy ARP can be accidentally configured to respond to ARP requests for all IPs
https://bugzilla.kernel.org/show_bug.cgi?id=206885
--- Comment #2 from Thomas Parrott (thomas.parrott@...onical.com) ---
Hi,
Thanks for your reply.
I've set up another test:
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:16:3e:14:4a:d4 brd ff:ff:ff:ff:ff:ff
    inet 10.109.89.91/24 brd 10.109.89.255 scope global dynamic enp5s0
       valid_lft 3279sec preferred_lft 3279sec
    inet6 fd42:d37c:f0f2:a5f:69c1:50d9:30fe:6d20/128 scope global dynamic noprefixroute
       valid_lft 3282sec preferred_lft 3282sec
    inet6 fe80::216:3eff:fe14:4ad4/64 scope link
       valid_lft forever preferred_lft forever
3: vtest@...5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether f6:83:72:e4:77:0a brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.200/32 scope global vtest
       valid_lft forever preferred_lft forever
    inet6 fe80::f483:72ff:fee4:770a/64 scope link
       valid_lft forever preferred_lft forever
ip r
default via 10.109.89.1 dev enp5s0 proto dhcp src 10.109.89.91 metric 100
10.109.89.0/24 dev enp5s0 proto kernel scope link src 10.109.89.91
10.109.89.1 dev enp5s0 proto dhcp scope link src 10.109.89.91 metric 100
sysctl -w net.ipv4.conf.vtest.rp_filter=2
sysctl -w net.ipv4.conf.vtest.proxy_arp=1
sysctl -w net.ipv4.conf.vtest.forwarding=1
On another host:
sudo arping -c1 -I lxdbr0 -S 10.109.89.1 8.8.8.8
ARPING 8.8.8.8
42 bytes from f6:83:72:e4:77:0a (8.8.8.8): index=0 time=11.809 msec
--- 8.8.8.8 statistics ---
1 packets transmitted, 1 packets received, 0% unanswered (0 extra)
rtt min/avg/max/std-dev = 11.809/11.809/11.809/0.000 ms
So are you saying the default route is triggering a response to all ARP
requests due to rp_filter=2 with proxy_arp=1?
The reason this seems odd is that setting these same settings on an ethernet
device (rather than a macvlan device) does not result in the same behaviour
(even with rp_filter=2).
E.g.
Remove the macvlan interface.
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:16:3e:14:4a:d4 brd ff:ff:ff:ff:ff:ff
    inet 10.109.89.91/24 brd 10.109.89.255 scope global dynamic enp5s0
       valid_lft 3029sec preferred_lft 3029sec
    inet6 fd42:d37c:f0f2:a5f:69c1:50d9:30fe:6d20/128 scope global dynamic noprefixroute
       valid_lft 3032sec preferred_lft 3032sec
    inet6 fe80::216:3eff:fe14:4ad4/64 scope link
       valid_lft forever preferred_lft forever
ip r
default via 10.109.89.1 dev enp5s0 proto dhcp src 10.109.89.91 metric 100
10.109.89.0/24 dev enp5s0 proto kernel scope link src 10.109.89.91
10.109.89.1 dev enp5s0 proto dhcp scope link src 10.109.89.91 metric 100
Set the sysctls on parent ethernet device instead:
sysctl -w net.ipv4.conf.enp5s0.proxy_arp=1
sysctl -w net.ipv4.conf.enp5s0.rp_filter=2
sysctl -w net.ipv4.conf.enp5s0.forwarding=1
Now repeat the arping from a different host in the same segment, and it doesn't get
a response as it did with macvlan:
sudo arping -c1 -I lxdbr0 -S 10.109.89.1 8.8.8.8
ARPING 8.8.8.8
Timeout
--- 8.8.8.8 statistics ---
1 packets transmitted, 0 packets received, 100% unanswered (0 extra)
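As an added defender-side check (my own shell script, not something from the bug report or the kernel tree), this audits the per-interface sysctls the two tests above toggle and flags exactly the state Comment #2 reproduced: a macvlan carrying proxy_arp=1, forwarding=1 and rp_filter=2. The function names, the `ip -d link` based macvlan detection and the verdict wording are my assumptions.

```shell
#!/bin/sh
# Added audit helper (not taken from the bug report). It flags the state
# Comment #2 reproduced: a macvlan with proxy_arp=1, forwarding=1 and
# rp_filter=2 (loose), which answered an ARP request for 8.8.8.8.

# proxy_arp_verdict KIND DEV PROXY_ARP RP_FILTER FORWARDING
# Returns 0 (flagged) only for that combination on a macvlan. The same
# sysctls on the ethernet parent did not answer in the report, so they
# are reported but not flagged.
proxy_arp_verdict() {
    kind=$1 dev=$2 proxy_arp=$3 rp_filter=$4 forwarding=$5
    if [ "$kind" = macvlan ] && [ "$proxy_arp" = 1 ] \
        && [ "$forwarding" = 1 ] && [ "$rp_filter" = 2 ]; then
        echo "FLAG $dev: macvlan, proxy_arp=1 forwarding=1 rp_filter=2 (loose)"
        return 0
    fi
    echo "ok   $dev ($kind): proxy_arp=$proxy_arp rp_filter=$rp_filter forwarding=$forwarding"
    return 1
}

# iface_kind DEV: 'macvlan' if `ip -d link` reports one, else 'other'.
# Assumes iproute2 is installed (my detection method, not the report's).
iface_kind() {
    if ip -d link show dev "$1" 2>/dev/null | grep -qw macvlan; then
        echo macvlan
    else
        echo other
    fi
}

# audit_proxy_arp [BASE]: read the live per-interface sysctls from /proc
# and print one verdict line each. Exit status 0 if anything was flagged.
audit_proxy_arp() {
    base=${1:-/proc/sys/net/ipv4/conf}
    rc=1
    for d in "$base"/*; do
        dev=$(basename "$d")
        case $dev in all|default) continue ;; esac
        [ -r "$d/proxy_arp" ] || continue
        if proxy_arp_verdict "$(iface_kind "$dev")" "$dev" \
            "$(cat "$d/proxy_arp")" "$(cat "$d/rp_filter")" \
            "$(cat "$d/forwarding")"; then
            rc=0
        fi
    done
    return $rc
}

# Live audit only when invoked as: sh proxy_arp_audit.sh --audit
[ "${1:-}" = --audit ] && audit_proxy_arp
```

Run with `--audit` on the host under test; the exit status is 0 when any interface was flagged, which makes it usable from a compliance job.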