Hi Saint,

With this change an attacker could send a packet with the source and destination both set to one of VPP’s own addresses. If you include in this new sub-condition a check to only accept locally generated packets, then we should be good (b->flags & VNET_BUFFER_F_LOCALLY_ORIGINATED).

Regards,
neale

From: "[email protected]" <[email protected]>
Date: Wednesday 31 October 2018 at 08:49
To: "Neale Ranns (nranns)" <[email protected]>
Cc: vpp-dev <[email protected]>
Subject: Re: Re: [vpp-dev]ping local address

Hello Neale,

I found and modified a piece of code in ip4_forward.c, and now it is able to ping the local address, as follows:

I think the source-check should only discard a packet which comes from an attacker (who forged a source address) and wants to attack another host, so I changed the judgement conditions. Can you help me check whether it is right or wrong? The attachment is the modified file.

________________________________
[email protected]

From: Neale Ranns (nranns)<mailto:[email protected]>
Date: 2018-10-25 15:55
To: [email protected]<mailto:[email protected]>; vpp-dev<mailto:[email protected]>
Subject: Re: [vpp-dev]ping local address

It’s a known limitation. Contributions to fix it would be welcome.

/neale

From: <[email protected]> on behalf of "saint_sun 孙 via Lists.Fd.Io" <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday 25 October 2018 at 09:40
To: vpp-dev <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: [vpp-dev]ping local address

Hello all:

A basic feature: ping myself. When I configure an IP address for an interface and then ping the address from VPP, it fails. Why? Should I do any other settings?

DBGvpp# ping 10.0.0.1
Aborted due to a keypress.
Statistics: 1 sent, 0 received, 100% packet loss
DBGvpp# show ip fib
ipv4-VRF:0, fib_index:0, flow hash:[src dst sport dport proto ] locks:[src:default-route:1, ]
0.0.0.0/0
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:1 buckets:1 uRPF:0 to:[0:0]]
    [0] [@0]: dpo-drop ip4
0.0.0.0/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:2 buckets:1 uRPF:1 to:[0:0]]
    [0] [@0]: dpo-drop ip4
10.0.0.0/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:17 buckets:1 uRPF:21 to:[0:0]]
    [0] [@0]: dpo-drop ip4
10.0.0.0/24
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:16 buckets:1 uRPF:27 to:[0:0]]
    [0] [@4]: ipv4-glean: line1: mtu:9000 ffffffffffff000e5e513c380806
10.0.0.1/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:19 buckets:1 uRPF:25 to:[0:0]]
    [0] [@2]: dpo-receive: 10.0.0.1 on line1
10.0.0.255/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:18 buckets:1 uRPF:23 to:[0:0]]
    [0] [@0]: dpo-drop ip4
224.0.0.0/4
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:4 buckets:1 uRPF:3 to:[0:0]]
    [0] [@0]: dpo-drop ip4
240.0.0.0/4
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:3 buckets:1 uRPF:2 to:[0:0]]
    [0] [@0]: dpo-drop ip4
255.255.255.255/32
  unicast-ip4-chain
  [@0]: dpo-load-balance: [proto:ip4 index:5 buckets:1 uRPF:4 to:[0:0]]
    [0] [@0]: dpo-drop ip4

________________________________
[email protected]
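
The sub-condition asked for in the reply at the top of this thread, as an added C sketch that is not code from the thread or from VPP: a simplified model comparing a strict source check, a relaxed one (an assumed reading of the modified condition, whose code is not on the page), and the relaxed one gated on a locally-originated flag. `pkt_t`, the `accept_*` functions, the sample packets and `F_LOCALLY_ORIGINATED` (standing in for `VNET_BUFFER_F_LOCALLY_ORIGINATED`) are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a local-delivery source check; not VPP source code.
 * F_LOCALLY_ORIGINATED stands in for VNET_BUFFER_F_LOCALLY_ORIGINATED. */
#define F_LOCALLY_ORIGINATED (1u << 0)
#define OUR_ADDR 0x0a000001u /* 10.0.0.1, the interface address in the thread */

typedef struct { uint32_t src, dst, flags; } pkt_t; /* hypothetical type */

/* Constructed sample packets (src, dst, buffer flags). */
static const pkt_t SELF_PING = { OUR_ADDR, OUR_ADDR, F_LOCALLY_ORIGINATED };
static const pkt_t SPOOFED   = { OUR_ADDR, OUR_ADDR, 0 }; /* arrived from the wire */
static const pkt_t REMOTE    = { 0x0a000002u, OUR_ADDR, 0 };

static bool is_local(uint32_t addr) { return addr == OUR_ADDR; }

/* Strict: any packet claiming one of our own addresses as its source is
 * dropped, which also drops our own ping to ourselves. */
static bool accept_strict(const pkt_t *p)
{
    return is_local(p->dst) && !is_local(p->src);
}

/* Assumed reading of the relaxed check: a local source is tolerated when the
 * destination is local too. Nothing here shows where the packet came from. */
static bool accept_relaxed(const pkt_t *p)
{
    return is_local(p->dst);
}

/* Relaxed check plus the sub-condition from the reply: a local source is
 * accepted only when the buffer is marked as generated by this host. */
static bool accept_local_origin_only(const pkt_t *p)
{
    if (!is_local(p->dst))
        return false;
    return !is_local(p->src) || (p->flags & F_LOCALLY_ORIGINATED) != 0;
}

int main(void)
{
    const pkt_t *pkts[] = { &SELF_PING, &SPOOFED, &REMOTE };
    const char *names[] = { "self-ping", "spoofed", "remote" };
    for (int i = 0; i < 3; i++)
        printf("%-9s strict=%d relaxed=%d origin-only=%d\n", names[i],
               accept_strict(pkts[i]), accept_relaxed(pkts[i]),
               accept_local_origin_only(pkts[i]));
    return 0;
}
```

The flag is only meaningful if it is set by the host's own packet-generation path and never derived from packet contents.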
View/Reply Online (#11050): https://lists.fd.io/g/vpp-dev/message/11050
