On Sat, 2015-04-11 at 13:59 +0300, Julian Anastasov wrote: > > + /* > > + * For some 802.11 wireless deployments (and possibly other > > networks), > > + * there will be an ARP proxy and gratuitous ARP frames are attacks > > + * and thus should not be accepted. > > + */ > > + if (IN_DEV_CONF_GET(in_dev, DROP_GRATUITOUS_ARP) && sip == tip) > > + goto out; > > Does it happen for any pkt_type?
Yes, it's supposed to. > IN_DEV_ARP_ACCEPT > is not ON by default, so new entries are not created but Correct, this protects against "gratuitous updates" in a way. > update can happen at any time, even with simple request like > who-has OURIP tell PROXYIP and sha=hacker_mac sent by > attackers. Is that the only gap that needs to be protected > with this patch? Realistically, I'd expect networks that deploy this to implement other things that prevent clients from messing up the network. I'd expect, for example, that ARP packets are simple dropped in the AP bridge if it implements proxy service and wants to control the network tightly. It can still be desirable to not let gratuitous ARP packets update the cache entry though. IPv6 for example automatically marks such updated entries stale, IIRC, so there I had even bigger issues with testing and I need to check if I even need the 4th patch in this series. However, there's also a compliance test here that requires this behaviour, and checks specifically that a gratuitous ARP doesn't update an existing cache entry. > May be only arptable_filter can help here to > protect ARP? That could be possible, I'll check. Thanks! johannes -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html
