Hi Saint,

With this change an attacker could send a packet with the source and destination both set to one of VPP’s own addresses. If you include in this new sub-condition to only accept locally generated packets, then we should be good (b->flags & VNET_BUFFER_F_LOCALLY_ORIGINATED).

Regards,
neale

From: "saint_...@aliyun.com" <saint_...@aliyun.com>
Date: Wednesday, 31 October 2018 at 08:49
To: "Neale Ranns (nranns)" <nra...@cisco.com>
Cc: vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: Re: [vpp-dev]ping local address

Hello Neale,

I found and modified a piece of code in ip4_forward.c, and now it is able to ping the local address, as follows:

I think the source-check should only discard a packet which comes from an attacker (who forged a source address) and wants to attack another host, so I changed the judgement conditions. Can you help me check whether it is right or wrong? The attachment is the modified file.

________________________________
saint_...@aliyun.com

From: Neale Ranns (nranns) <nra...@cisco.com>
Date: 2018-10-25 15:55
To: saint_...@aliyun.com; vpp-dev <vpp-dev@lists.fd.io>
Subject: Re: [vpp-dev]ping local address

It’s a known limitation. Contributions to fix it would be welcome.

/neale

From: <vpp-dev@lists.fd.io> on behalf of "saint_sun 孙 via Lists.Fd.Io" <saint_sun=aliyun....@lists.fd.io>
Reply-To: "saint_...@aliyun.com" <saint_...@aliyun.com>
Date: Thursday, 25 October 2018 at 09:40
To: vpp-dev <vpp-dev@lists.fd.io>
Cc: "vpp-dev@lists.fd.io" <vpp-dev@lists.fd.io>
Subject: [vpp-dev]ping local address

Hello all:

A basic feature: ping myself. When I configure an IP address for an interface and then ping the address from VPP, it fails. Why? Should I do any other settings?

DBGvpp# ping 10.0.0.1
Aborted due to a keypress.
Statistics: 1 sent, 0 received, 100% packet loss

DBGvpp# show ip fib
ipv4-VRF:0, fib_index:0, flow hash:[src dst sport dport proto ] locks:[src:default-route:1, ]
0.0.0.0/0
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:1 buckets:1 uRPF:0 to:[0:0]]
    [0] [@0]: dpo-drop ip4
0.0.0.0/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:2 buckets:1 uRPF:1 to:[0:0]]
    [0] [@0]: dpo-drop ip4
10.0.0.0/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:17 buckets:1 uRPF:21 to:[0:0]]
    [0] [@0]: dpo-drop ip4
10.0.0.0/24
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:16 buckets:1 uRPF:27 to:[0:0]]
    [0] [@4]: ipv4-glean: line1: mtu:9000 ffffffffffff000e5e513c380806
10.0.0.1/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:19 buckets:1 uRPF:25 to:[0:0]]
    [0] [@2]: dpo-receive: 10.0.0.1 on line1
10.0.0.255/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:18 buckets:1 uRPF:23 to:[0:0]]
    [0] [@0]: dpo-drop ip4
224.0.0.0/4
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:4 buckets:1 uRPF:3 to:[0:0]]
    [0] [@0]: dpo-drop ip4
240.0.0.0/4
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:3 buckets:1 uRPF:2 to:[0:0]]
    [0] [@0]: dpo-drop ip4
255.255.255.255/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:5 buckets:1 uRPF:4 to:[0:0]]
    [0] [@0]: dpo-drop ip4

________________________________
saint_...@aliyun.com

View/Reply Online (#11050): https://lists.fd.io/g/vpp-dev/message/11050
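
The source check discussed in this thread, as an added C model that is not VPP code and not the patch from the attachment: it compares the original check, a relaxed check of the shape the reply objects to (assumed, since the modified file is not shown), and the relaxed check gated on a locally-originated flag. The types, function names, flag bit value and sample packets are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for VNET_BUFFER_F_LOCALLY_ORIGINATED; the bit value is arbitrary here. */
#define LOCALLY_ORIGINATED (1u << 0)

/* Simplified packet model (hypothetical, not VPP's vlib_buffer_t). */
typedef struct { uint32_t src, dst, flags; } pkt_t;

/* Constructed sample: the interface address from the thread, 10.0.0.1. */
static const uint32_t LOCAL_ADDRS[] = { 0x0a000001u };

static bool is_local(uint32_t a) {
    for (size_t i = 0; i < sizeof LOCAL_ADDRS / sizeof LOCAL_ADDRS[0]; i++)
        if (LOCAL_ADDRS[i] == a) return true;
    return false;
}

/* Original behaviour: a source that is one of our own addresses is always dropped. */
bool accept_strict(const pkt_t *p) { return !is_local(p->src); }

/* Assumed relaxed form: own source allowed whenever the destination is also ours. */
bool accept_relaxed(const pkt_t *p) { return !is_local(p->src) || is_local(p->dst); }

/* Relaxed form gated on local origination, as suggested in the reply. */
bool accept_gated(const pkt_t *p) {
    return !is_local(p->src) ||
           (is_local(p->dst) && (p->flags & LOCALLY_ORIGINATED) != 0);
}

/* Constructed sample packets. */
const pkt_t SELF_PING = { 0x0a000001u, 0x0a000001u, LOCALLY_ORIGINATED }; /* built locally */
const pkt_t SPOOFED   = { 0x0a000001u, 0x0a000001u, 0 }; /* same addresses, from the wire */
const pkt_t REMOTE    = { 0x0a000002u, 0x0a000001u, 0 }; /* ordinary neighbour */

int main(void) {
    const struct { const char *name; const pkt_t *p; } rows[] = {
        { "self-ping", &SELF_PING }, { "spoofed", &SPOOFED }, { "remote", &REMOTE } };
    for (size_t i = 0; i < 3; i++)
        printf("%-10s strict=%d relaxed=%d gated=%d\n", rows[i].name,
               accept_strict(rows[i].p), accept_relaxed(rows[i].p), accept_gated(rows[i].p));
    return 0;
}
```

Only the gated form both accepts the self-ping and rejects the wire packet carrying the same addresses.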