* [PATCH net] arp: filter NOARP neighbours for SIOCGARP
From: Eric Dumazet @ 2015-07-27 9:33 UTC (permalink / raw)
To: David Miller; +Cc: netdev, Vytautas Valancius, Willem de Bruijn
From: Eric Dumazet <edumazet@google.com>

When arp is off on a device, and ioctl(SIOCGARP) is queried,
a buggy answer is given with MAC address of the device, instead
of the mac address of the destination/gateway.

We filter out NUD_NOARP neighbours for /proc/net/arp,
we must do the same for SIOCGARP ioctl.

Tested:

lpaa23:~# ./arp 10.246.7.190
MAC=00:01:e8:22:cb:1d // correct answer
lpaa23:~# ip link set dev eth0 arp off
lpaa23:~# cat /proc/net/arp # check arp table is now 'empty'
IP address HW type Flags HW address Mask Device
lpaa23:~# ./arp 10.246.7.190
MAC=00:1a:11:c3:0d:7f // buggy answer before patch (this is eth0 mac)

After patch:

lpaa23:~# ip link set dev eth0 arp off
lpaa23:~# ./arp 10.246.7.190
ioctl(SIOCGARP) failed: No such device or address

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Vytautas Valancius <valas@google.com>
Cc: Willem de Bruijn <willemb@google.com>
---
net/ipv4/arp.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 933a92820d26..6c8b1fbafce8 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -1017,14 +1017,16 @@ static int arp_req_get(struct arpreq *r, struct net_device *dev)
neigh = neigh_lookup(&arp_tbl, &ip, dev);
if (neigh) {
- read_lock_bh(&neigh->lock);
- memcpy(r->arp_ha.sa_data, neigh->ha, dev->addr_len);
- r->arp_flags = arp_state_to_flags(neigh);
- read_unlock_bh(&neigh->lock);
- r->arp_ha.sa_family = dev->type;
- strlcpy(r->arp_dev, dev->name, sizeof(r->arp_dev));
+ if (!(neigh->nud_state & NUD_NOARP)) {
+ read_lock_bh(&neigh->lock);
+ memcpy(r->arp_ha.sa_data, neigh->ha, dev->addr_len);
+ r->arp_flags = arp_state_to_flags(neigh);
+ read_unlock_bh(&neigh->lock);
+ r->arp_ha.sa_family = dev->type;
+ strlcpy(r->arp_dev, dev->name, sizeof(r->arp_dev));
+ err = 0;
+ }
neigh_release(neigh);
- err = 0;
}
return err;
}
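Review bot: the new test if (!(neigh->nud_state & NUD_NOARP)) reads neigh->nud_state before read_lock_bh(&neigh->lock) is taken, so the state check and the copy of neigh->ha are not made under the same lock hold. Consider moving the test inside the locked section, setting err = 0 there and unlocking on both paths, so the state, flags and address returned to the caller are consistent with each other. A one-line comment saying that this mirrors the NUD_NOARP filtering already done for /proc/net/arp would also help the next reader.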
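A stand-alone version of the check run in the "Tested" section of the patch above, as an added example (it is not the ./arp tool used in the thread, whose source is not shown): it issues ioctl(SIOCGARP) for an IPv4 neighbour and compares the answer with the interface's own address from SIOCGIFHWADDR, which is the symptom the patch removes. The function names and the 6-byte Ethernet address length are assumptions of this example.

```c
#define _DEFAULT_SOURCE   /* exposes struct arpreq / struct ifreq under strict -std= */
#include <arpa/inet.h>
#include <net/if.h>
#include <net/if_arp.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>

/* Build a SIOCGARP request. Returns 0, or -1 on a bad IPv4 string or device name. */
int arp_req_fill(struct arpreq *r, const char *ip, const char *dev)
{
    struct sockaddr_in *sin = (struct sockaddr_in *)&r->arp_pa;

    memset(r, 0, sizeof(*r));
    if (strlen(dev) >= sizeof(r->arp_dev))
        return -1;
    sin->sin_family = AF_INET;
    if (inet_pton(AF_INET, ip, &sin->sin_addr) != 1)
        return -1;
    strcpy(r->arp_dev, dev);            /* length checked above */
    return 0;
}

/* 1 if the returned neighbour MAC is the interface's own MAC (Ethernet, 6 bytes
 * assumed): the buggy pre-patch answer described in the commit message. */
int arp_reply_is_own_mac(const struct arpreq *r, const struct ifreq *ifr)
{
    return memcmp(r->arp_ha.sa_data, ifr->ifr_hwaddr.sa_data, 6) == 0;
}

int main(int argc, char **argv)
{
    struct arpreq r;
    struct ifreq ifr;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0 || argc != 3 || arp_req_fill(&r, argv[1], argv[2]) < 0) {
        fprintf(stderr, "usage: %s <ipv4> <dev>\n", argv[0]);
        return 2;
    }
    memset(&ifr, 0, sizeof(ifr));
    strcpy(ifr.ifr_name, argv[2]);      /* fits: arp_req_fill checked the length */
    if (ioctl(fd, SIOCGARP, &r) < 0 || ioctl(fd, SIOCGIFHWADDR, &ifr) < 0) {
        perror("ioctl");                /* a NOARP neighbour fails here once patched */
        return 1;
    }
    const unsigned char *m = (const unsigned char *)r.arp_ha.sa_data;
    printf("MAC=%02x:%02x:%02x:%02x:%02x:%02x%s\n", m[0], m[1], m[2], m[3], m[4], m[5],
           arp_reply_is_own_mac(&r, &ifr) ? " (own MAC: unpatched NOARP answer)" : "");
    return 0;
}
```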
* Re: [PATCH net] arp: filter NOARP neighbours for SIOCGARP
From: David Miller @ 2015-07-29 6:41 UTC (permalink / raw)
To: eric.dumazet; +Cc: netdev, valas, willemb
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Mon, 27 Jul 2015 11:33:50 +0200
> From: Eric Dumazet <edumazet@google.com>
>
> When arp is off on a device, and ioctl(SIOCGARP) is queried,
> a buggy answer is given with MAC address of the device, instead
> of the mac address of the destination/gateway.
>
> We filter out NUD_NOARP neighbours for /proc/net/arp,
> we must do the same for SIOCGARP ioctl.
>
> Tested:
...
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: Vytautas Valancius <valas@google.com>
Applied, thanks Eric.
* Re: [PATCH net] arp: filter NOARP neighbours for SIOCGARP
From: Eric Dumazet @ 2015-07-29 9:15 UTC (permalink / raw)
To: David Miller; +Cc: netdev, valas, willemb
On Tue, 2015-07-28 at 23:41 -0700, David Miller wrote:
> Applied, thanks Eric.
Thanks David.

Note that IPv6 is completely broken after the 'arp off' sequence.
The ND destination MAC is a copy of the eth0 MAC address, instead of the required multicast.
lpaa23:~# ip link set dev eth0 arp off
lpaa23:~# ping6 4444::555:0027
PING 4444::555:0027(4444::555:27) 56 data bytes
02:05:13.742684 00:1a:11:c3:0d:7f > 00:1a:11:c3:0d:7f, ethertype IPv6 (0x86dd), length 118: 4444::555:23 > 4444::555:27: ICMP6, echo request, seq 1, length 64
02:05:14.742200 00:1a:11:c3:0d:7f > 00:1a:11:c3:0d:7f, ethertype IPv6 (0x86dd), length 118: 4444::555:23 > 4444::555:27: ICMP6, echo request, seq 2, length 64
^C
--- 4444::555:0027 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
lpaa23:~# ip link set dev eth0 arp on
lpaa23:~# ip -6 neigh sh dev eth0
fe80::21a:11ff:fec3:d45 lladdr 00:1a:11:c3:0d:45 STALE
4444::555:26 FAILED
4444::555:25 FAILED
lpaa23:~# ping6 4444::555:0027
PING 4444::555:0027(4444::555:27) 56 data bytes
02:12:15.698654 00:1a:11:c3:0d:7f > 00:1a:11:c3:0d:7f, ethertype IPv6 (0x86dd), length 118: 4444::555:23 > 4444::555:27: ICMP6, echo request, seq 1, length 64
02:12:16.698249 00:1a:11:c3:0d:7f > 00:1a:11:c3:0d:7f, ethertype IPv6 (0x86dd), length 118: 4444::555:23 > 4444::555:27: ICMP6, echo request, seq 2, length 64
02:12:17.698224 00:1a:11:c3:0d:7f > 00:1a:11:c3:0d:7f, ethertype IPv6 (0x86dd), length 118: 4444::555:23 > 4444::555:27: ICMP6, echo request, seq 3, length 64
^C
--- 4444::555:0027 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms
lpaa23:~# ip -6 neigh flush dev eth0
lpaa23:~# ip -6 neigh sh dev eth0
4444::555:24 FAILED
4444::555:28 FAILED
fe80::21a:11ff:fec3:d45 FAILED
4444::555:26 FAILED
4444::555:25 FAILED
Oh well...
* Re: [PATCH net] arp: filter NOARP neighbours for SIOCGARP
From: Eric Dumazet @ 2015-07-29 9:32 UTC (permalink / raw)
To: David Miller; +Cc: netdev, valas, willemb
On Wed, 2015-07-29 at 11:15 +0200, Eric Dumazet wrote:
> On Tue, 2015-07-28 at 23:41 -0700, David Miller wrote:
>
> > Applied, thanks Eric.
> Thanks David
>
> Note that IPv6 is completely broken after 'arp off' sequence.
It seems we need to replicate what commit
6c8b4e3ff81b82fc153625e81e60af1d89de2c32 ("arp: flush arp cache on
IFF_NOARP change") did for IPv4.

Will test this and submit an official patch.
* [PATCH net] ipv6: flush nd cache on IFF_NOARP change
From: Eric Dumazet @ 2015-07-29 10:01 UTC (permalink / raw)
To: David Miller; +Cc: netdev, valas, willemb, Mario Fanelli, edumazet
From: Eric Dumazet <edumazet@google.com>

This patch is the IPv6 equivalent of commit
6c8b4e3ff81b ("arp: flush arp cache on IFF_NOARP change")

Without it, we keep buggy neighbours in the cache, with destination
MAC address equal to our own MAC address.

Tested:

tcpdump -i eth0 -s 0 ip6 -n -e &
ip link set dev eth0 arp off
ping6 remote // sends buggy frames
ip link set dev eth0 arp on
ping6 remote // should work once kernel is patched

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Mario Fanelli <mariofanelli@google.com>
---
net/ipv6/ndisc.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 0a05b35..c53331c 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1650,6 +1650,7 @@ int ndisc_rcv(struct sk_buff *skb)
static int ndisc_netdev_event(struct notifier_block *this, unsigned long event, void *ptr)
{
struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+ struct netdev_notifier_change_info *change_info;
struct net *net = dev_net(dev);
struct inet6_dev *idev;
@@ -1664,6 +1665,11 @@ static int ndisc_netdev_event(struct notifier_block *this, unsigned long event,
ndisc_send_unsol_na(dev);
in6_dev_put(idev);
break;
+ case NETDEV_CHANGE:
+ change_info = ptr;
+ if (change_info->flags_changed & IFF_NOARP)
+ neigh_changeaddr(&nd_tbl, dev);
+ break;
case NETDEV_DOWN:
neigh_ifdown(&nd_tbl, dev);
fib6_run_gc(0, net, false);
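Review bot: the new NETDEV_CHANGE case assigns change_info = ptr with nothing in the code saying that ptr carries a struct netdev_notifier_change_info for this event, and it calls neigh_changeaddr(&nd_tbl, dev) whenever IFF_NOARP appears in flags_changed, that is on both the off and the on transition. A short comment above the case stating why the ND cache is flushed in both directions (entries created while NOARP was set hold the device's own MAC, per the commit message) would make the intent clear without having to look up the IPv4 commit it mirrors.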
* Re: [PATCH net] ipv6: flush nd cache on IFF_NOARP change
From: David Miller @ 2015-07-30 6:01 UTC (permalink / raw)
To: eric.dumazet; +Cc: netdev, valas, willemb, mariofanelli, edumazet
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Wed, 29 Jul 2015 12:01:41 +0200
> From: Eric Dumazet <edumazet@google.com>
>
> This patch is the IPv6 equivalent of commit
> 6c8b4e3ff81b ("arp: flush arp cache on IFF_NOARP change")
>
> Without it, we keep buggy neighbours in the cache, with destination
> MAC address equal to our own MAC address.
>
> Tested:
> tcpdump -i eth0 -s 0 ip6 -n -e &
> ip link set dev eth0 arp off
> ping6 remote // sends buggy frames
> ip link set dev eth0 arp on
> ping6 remote // should work once kernel is patched
>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: Mario Fanelli <mariofanelli@google.com>
Applied, thanks Eric.