
Re: LVS-Tun arp-encounter

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: LVS-Tun arp-encounter
From: Roberto Nibali <ratz@xxxxxxxxxxxx>
Date: Sat, 21 Jan 2006 10:47:38 +0100
> your kernel isn't using the setting specified in RFC1812.

You would be referring to the following snippet in the RFC, right?

5.3.8 Source Address Validation

   A router SHOULD IMPLEMENT the ability to filter traffic based on a
   comparison of the source address of a packet and the forwarding table
   for a logical interface on which the packet was received.  If this
   filtering is enabled, the router MUST silently discard a packet if
   the interface on which the packet was received is not the interface
   on which a packet would be forwarded to reach the address contained
   in the source address.  In simpler terms, if a router wouldn't route
   a packet containing this address through a particular interface, it
   shouldn't believe the address if it appears as a source address in a
   packet read from this interface.

   If this feature is implemented, it MUST be disabled by default.

So if I read this correctly, /proc/../conf/{all,default}/rp_filter must be off on a freshly booted kernel without any explicit user changes in any of the rc boot scripts.

> You should file a bug report. Several people have fallen
> over this one.

> File it with debian?

> whoever makes your kernel

<off-topic>
Horms, I believe :). But it's more of a user space issue, since I cannot imagine Debian being so "dumb^Wdifferent" and patch the default rp_filter proc-fs value to 1 in the kernel. I've checked on a Debian installation of one of our customers:

sf-lb:~ # cat /etc/network/options
ip_forward=yes
spoofprotect=yes
syncookies=no
sf-lb:~ # uname -a
Linux sf-lb 2.4.27 #1 Sat Oct 16 17:14:21 CEST 2004 sparc64 GNU/Linux
sf-lb:~ # cat /etc/debian_version
testing/unstable
sf-lb:~ #

I have to assume these are the default settings, which then get set in /etc/init.d/networking via doopt() (completely brain-dead redundant information).

Reading spoofprotect_rp_filter() in /etc/init.d/networking I have to assume that the person maintaining this piece of software has not understood the network related settings (besides showing horrible programming practice) in proc-fs under Linux:

spoofprotect_rp_filter () {
    # This is the best method: turn on Source Address Verification and get
    # spoof protection on all current and future interfaces.

    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
            # --> This should be s/*/default/ to match at least the wrong comment
            echo 1 > $f
        done
        return 0
    else
        return 1
    fi
}

On top, good programming practice would be to explicitly set the other values you take for granted to 0, since an operator could have accidentally set some proc-fs values to test something and did not make it reboot-safe.

Debian is and will remain a system for people with a lot of spare time. Folks: rp_filter has almost nothing to do with proper network security! If source validation has to be done, make sure you route properly.

It's funny, Debian people would only need to have a look at SuSE or Red Hat to see how one can do the networking setup a tad bit better.
</off-topic>

Regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
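As an added illustration (not part of Roberto's mail, the Debian script or the kernel), the following Python models the RFC 1812 section 5.3.8 check that rp_filter=1 performs: a packet is accepted only if a packet addressed to its source would be forwarded out of the interface it arrived on. The forwarding table, interface names and addresses are constructed; the LVS-Tun real-server case it exercises, a client's packet decapsulated on tunl0 while the route back to the client leaves via eth0, is my reading of what the thread subject refers to. The helper that combines conf/all and conf/<iface> follows ip-sysctl.txt for 2.6.31 and later (the larger value wins) and my reading of the 2.4 IN_DEV_RPFILTER macro for older kernels (both must be 1).

```python
"""Model of the RFC 1812 5.3.8 source-address check behind Linux rp_filter.

Added example; not code from the LVS thread, Debian, or the kernel. All
routes, interface names and addresses are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed forwarding table of an LVS-Tun real server (assumed layout):
# a LAN on eth0, a backend network on eth1, default route out of eth0.
# Tunnelled packets from the director are decapsulated on tunl0, which
# carries no route of its own.
ROUTES = [
    ("192.0.2.0/24", "eth0"),   # local LAN
    ("10.0.0.0/8", "eth1"),     # backend network
    ("0.0.0.0/0", "eth0"),      # default route
]


def egress_interface(routes, dst):
    """Longest-prefix match: the interface a packet to dst would leave on."""
    dst = ip_address(dst)
    best = None
    for prefix, dev in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def strict_rpf_accepts(routes, src, ingress_dev):
    """RFC 1812 5.3.8 / rp_filter=1: accept only if the reverse path to the
    source address goes out of the interface the packet came in on."""
    return egress_interface(routes, src) == ingress_dev


def effective_rp_filter(all_value, iface_value, kernel_uses_max=False):
    """Combine conf/all/rp_filter with conf/<iface>/rp_filter.

    kernel_uses_max=True models 2.6.31+ (ip-sysctl.txt: the max of the two
    is used). The default models older kernels, where my reading of
    IN_DEV_RPFILTER is that both must be non-zero (assumption).
    """
    if kernel_uses_max:
        return max(all_value, iface_value)
    return 1 if (all_value and iface_value) else 0


def demo():
    """Run the check for a few constructed packets and return the verdicts."""
    client = "198.51.100.7"  # constructed client address, reached via default route
    return {
        # Plain routed traffic: reply path matches ingress, accepted.
        "client via eth0": strict_rpf_accepts(ROUTES, client, "eth0"),
        # LVS-Tun real server: inner packet shows up on tunl0, but the route
        # back to the client is eth0, so strict rp_filter drops it.
        "client via tunl0": strict_rpf_accepts(ROUTES, client, "tunl0"),
        # Backend host arriving on its own network: accepted.
        "backend via eth1": strict_rpf_accepts(ROUTES, "10.3.4.5", "eth1"),
        # LAN address appearing on the backend interface: looks spoofed, dropped.
        "lan source on eth1": strict_rpf_accepts(ROUTES, "192.0.2.9", "eth1"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22s} -> {'accept' if accepted else 'drop'}")
    print("2.4-style all=1, tunl0=0 ->", effective_rp_filter(1, 0))
    print("2.6.31+ all=1, tunl0=0 ->", effective_rp_filter(1, 0, kernel_uses_max=True))
```

The point for the boot-script discussion is the last two calls: on a kernel where the larger of conf/all and conf/<iface> wins, clearing the per-interface value for tunl0 does nothing while conf/all is 1, so an LVS-Tun real server has to switch off conf/all (and conf/default, for interfaces created later) rather than only the tunnel device.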
