Re: Failover route

Linux Advanced Routing and Traffic Control

On 3/19/19 6:26 AM, Erik Auerswald wrote:
Hi,

Hi,

I was alluding to this part specifically, i.e. tricking the kernel into sending a packet out an interface although it is addressed to a local IP address.

I agree that's what is being done in that case.

The kicker is that it's destined for an IP that the kernel / routing doesn't realize is local based on the modifications to routing tables.

Even then, traffic is from one IP (192.168.2.1 / 192.168.2.2) and going to a different IP (192.168.2.2 / 192.168.2.1 respectively).

Sending from an IP to the same IP is decidedly different.

Exactly. In this case two interfaces are used that shall send data to each other over an external network (a hub), thus source based routing is used. Source based routing is probably not needed for the BFD-EM idea.

I think the PBR would be significantly different, if not more complex for BFD-EM.

I'm currently of the mindset that this likely shouldn't be done with routing and instead should be done at a lower level.

The reply / incoming packet can probably be processed at a normal level.

In the blog post, the IP of the egress interface was used. As I understand it, after the kernel determines which interface to send a packet out of, it determines the "best" IP to use.

I do think that this is quite implementation specific, and I would not bet that the above behaviour is seen as part of Linux's stable API.

I think the behavior represented in the article should be quite stable. It's not even an API thing. It's a config thing.

From a routing perspective:

· There is no 192.168.2.* IP in the local or main routing table. Thus the kernel doesn't think it's bound locally.
· There are rules that match 192.168.2.* destination IPs and choose alternate routing tables as appropriate.
· The alternate routing tables have device routes pointing to an interface.
· There are rules that match the incoming interface and choose an alternate routing table as appropriate.

I would expect any Linux kernel that supports PBR to be able to support this.

The only exception might be the /proc tunable to accept local.

Yes, I'd look into something like this for a BFD-EM implementation.

*nod*

Those could be used for a relatively simple proof-of-concept.

ACK

I'd expect that using AF_PACKET, SOCK_RAW removes the need for the hacks used by Project Zero. They were using e.g. curl instead of writing their own network application.

Agreed.

Thanks,

:-)



--
Grant. . . .
unix || die
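The routing layout listed above (no 192.168.2.* entries in the local or main table, destination rules selecting alternate tables, device routes in those tables, incoming-interface rules, and the accept_local tunable), written out as an added example script that is not from the thread or the blog post it discusses. It assumes a lab host with eth0 at 192.168.2.1 and eth1 at 192.168.2.2 on the same hub, and alternate tables 100 and 101; all of those values are constructed.

```shell
#!/bin/sh
# Constructed lab values (not from the thread): two interfaces on one hub.
IF_A=eth0; IP_A=192.168.2.1
IF_B=eth1; IP_B=192.168.2.2
PREFIX=24
TABLE_A=100; TABLE_B=101

# Print the commands for one interface's "view": interface $1 owning $2,
# peer address $3, alternate table $4, rule preference base $5.
one_side() {
  ifc=$1; addr=$2; peer=$3; tbl=$4; pref=$5
  # Add the address without a prefix route in main, then drop the kernel's
  # own local route so 192.168.2.x is no longer seen as bound locally.
  # (Re-adding or changing the address later recreates that local route.)
  echo "ip addr add $addr/$PREFIX dev $ifc noprefixroute"
  echo "ip route del local $addr dev $ifc table local"
  # Alternate table: device route to the peer (so locally generated packets
  # leave on the wire with $addr as source) and a local route for $addr so
  # packets arriving on $ifc for us are delivered instead of forwarded.
  # The peer route in the same table also satisfies strict rp_filter.
  echo "ip route add $peer dev $ifc src $addr table $tbl"
  echo "ip route add local $addr dev $ifc table $tbl"
  # The incoming-interface rule must sort before the destination rule;
  # otherwise a packet arriving for $addr would match "to $peer" on the
  # other side and be routed back out instead of delivered.
  echo "ip rule add iif $ifc lookup $tbl pref $pref"
  echo "ip rule add to $peer lookup $tbl pref $((pref + 100))"
  # The /proc tunable mentioned in the thread: accept packets whose source
  # address is one of ours.
  echo "sysctl -w net.ipv4.conf.$ifc.accept_local=1"
}

# Full configuration: eth0's view in table 100, eth1's view in table 101.
pbr_commands() {
  one_side "$IF_A" "$IP_A" "$IP_B" "$TABLE_A" 100
  one_side "$IF_B" "$IP_B" "$IP_A" "$TABLE_B" 101
}

# Print by default; APPLY=1 executes (root and both interfaces required).
if [ "${APPLY:-0}" = 1 ]; then pbr_commands | sh -e; else pbr_commands; fi
```

After applying, `ip route get 192.168.2.2` should show `dev eth0 src 192.168.2.1`, and `ip route get 192.168.2.2 from 192.168.2.1 iif eth1` should resolve to `local` via table 101.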


