| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e5d1e7da-0b90-45d7-b7ab-75ce2ef79208@nbd.name> Date: Tue, 9 Jan 2024 12:58:13 +0100 From: Felix Fietkau <nbd@....name> To: Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org Subject: Re: [PATCH net-next] net: bridge: do not send arp replies if src and target hw addr is the same On 09.01.24 12:36, Paolo Abeni wrote: > On Thu, 2024-01-04 at 15:25 +0100, Felix Fietkau wrote: >> There are broken devices in the wild that handle duplicate IP address >> detection by sending out ARP requests for the IP that they received from a >> DHCP server and refuse the address if they get a reply. >> When proxyarp is enabled, they would go into a loop of requesting an address >> and then NAKing it again. > > Can you instead provide the same functionality with some nft/tc > ingress/ebpf filter? > > I feel uneasy to hard code this kind of policy, even if it looks > sensible. I suspect it could break some other currently working weird > device behavior. > > Otherwise it could be nice provide some arpfilter flag to > enable/disable this kind filtering. I don't see how it could break anything, because it wouldn't suppress non-proxied responses. nft/arpfilter is just too expensive, and I don't think it makes sense to force the use of tc filters to suppress nonsensical responses generated by the bridge layer. - Felix
Powered by blists - more mailing lists