Re: [Bugme-new] [Bug 16517] New: rp_filter fails to filter with CONFIG_IP_ROUTE_MULTIPATH and more than one 0/0 nexthop dev

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



(switched to email.  Please respond via emailed reply-to-all, not via the
bugzilla web interface).

On Thu, 5 Aug 2010 01:48:01 GMT
bugzilla-daemon@xxxxxxxxxxxxxxxxxxx wrote:

> https://bugzilla.kernel.org/show_bug.cgi?id=16517
> 
>            Summary: rp_filter fails to filter with
>                     CONFIG_IP_ROUTE_MULTIPATH and more than one 0/0
>                     nexthop dev
>            Product: Networking
>            Version: 2.5
>     Kernel Version: at least 2.6.18 and newer
>           Platform: All
>         OS/Version: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: high
>           Priority: P1
>          Component: IPV4
>         AssignedTo: shemminger@xxxxxxxxxxxxxxxxxxxx
>         ReportedBy: for.poige+bugzilla.kernel.org@xxxxxxxxx
>         Regression: No
> 
> 
> I think the problem is net/ipv4/fib_frontend.c fib_validate_source()
> 
> ...
> #ifdef CONFIG_IP_ROUTE_MULTIPATH
>     if (FIB_RES_DEV(res) == dev || res.fi->fib_nhs > 1)
> #else
>     if (FIB_RES_DEV(res) == dev)
> #endif
> ...
> 
> I'm not sure, but this code is quite trivial and self-speaking. In case we have
> several default routes, we'd better iterate over each of them and compare
> resulting devices with the input one. So, fix is also trivial, specially for
> network kernel developers. ;-)
> 
> I've set priority "High" cause it doesn't affects usual Linux users directly,
> but indirectly it can affect any host on Internet, so the problem is
> significant, of course.
> 
> P. S. Kernel docs say: {
> rp_filter - INTEGER
>         0 - No source validation.
>         1 - Strict mode as defined in RFC3704 Strict Reverse Path
>             Each incoming packet is tested against the FIB and if the interface
>             is not the best reverse path the packet check will fail.
>             By default failed packets are discarded.
>         2 - Loose mode as defined in RFC3704 Loose Reverse Path
>             Each incoming packet's source address is also tested against the
> FIB
>             and if the source address is not reachable via any interface
>             the packet check will fail.
> 
>         Current recommended practice in RFC3704 is to enable strict mode
>         to prevent IP spoofing from DDos attacks. If using asymmetric routing
>         or other complicated routing, then loose mode is recommended.
> 
>         conf/all/rp_filter must also be set to non-zero to do source validation
>         on the interface
> 
>         Default value is 0. Note that some distributions enable it
>         in startup scripts.
> }, but is in reality level "2" of rp_filtering implemented?
> 
> P. P. S. netfilter would be the best place to have Reverse Path checks. But
> that's another story.
> 

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux