[PATCH] ipv4: arp: process only if ipv4 address configured

[PATCH] ipv4: arp: process only if ipv4 address configured

[Florian Westphal]

8030f54499925d073a88c09f ([IPV4] devinet: Register inetdev earlier.)
changed arp behaviour (2.6.22 onwards).

Before this, inetdev_init() was called only when the first address was
added to the interface, i.e. arp_process always dropped incoming arp
packets as __in_dev_get_rcu() returned NULL when no IP address was set
on the interface.

With >= 2.6.22 we now process arp packets even if no address is assigned.
It can cause issues if the machine has several interfaces in the same
segment; requests receive answers from multiple macs.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
IMO such configurations are just asking for trouble, but it used
to work on older kernels.  Do we care about such setups?

diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 1a9b99e..8a44ed2 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -738,7 +738,7 @@ static int arp_process(struct sk_buff *skb)
 	 * is ARP'able.
 	 */
 
-	if (in_dev == NULL)
+	if (in_dev == NULL || in_dev->ifa_list == NULL)
 		goto out;
 
 	arp = arp_hdr(skb);
-- 
1.8.1.5

Re: [PATCH] ipv4: arp: process only if ipv4 address configured

[Eric Dumazet]

On Wed, 2014-02-12 at 18:27 +0100, Florian Westphal wrote:
> 8030f54499925d073a88c09f ([IPV4] devinet: Register inetdev earlier.)
> changed arp behaviour (2.6.22 onwards).
> 
> Before this, inetdev_init() was called only when the first address was
> added to the interface, i.e. arp_process always dropped incoming arp
> packets as __in_dev_get_rcu() returned NULL when no IP address was set
> on the interface.
> 
> With >= 2.6.22 we now process arp packets even if no address is assigned.
> It can cause issues if the machine has several interfaces in the same
> segment; requests receive answers from multiple macs.


What about arp_filter value/meaning ?

Re: [PATCH] ipv4: arp: process only if ipv4 address configured

[Florian Westphal]

Eric Dumazet <eric.dumazet@gmail.com> wrote:
> On Wed, 2014-02-12 at 18:27 +0100, Florian Westphal wrote:
> > 8030f54499925d073a88c09f ([IPV4] devinet: Register inetdev earlier.)
> > changed arp behaviour (2.6.22 onwards).
> > 
> > Before this, inetdev_init() was called only when the first address was
> > added to the interface, i.e. arp_process always dropped incoming arp
> > packets as __in_dev_get_rcu() returned NULL when no IP address was set
> > on the interface.
> > 
> > With >= 2.6.22 we now process arp packets even if no address is assigned.
> > It can cause issues if the machine has several interfaces in the same
> > segment; requests receive answers from multiple macs.
> 
> What about arp_filter value/meaning ?

Sure, arp_filter=1 avoids this.

If you mean "we don't care, its been like this for years and if you
don't want it then set arp_filter=1" -- fine with me.

Sorry if this wasn't clear -- its more about the change in behaviour
and if we should care.

Re: [PATCH] ipv4: arp: process only if ipv4 address configured

[Hannes Frederic Sowa]

On Wed, Feb 12, 2014 at 06:27:47PM +0100, Florian Westphal wrote:
> 8030f54499925d073a88c09f ([IPV4] devinet: Register inetdev earlier.)
> changed arp behaviour (2.6.22 onwards).
> 
> Before this, inetdev_init() was called only when the first address was
> added to the interface, i.e. arp_process always dropped incoming arp
> packets as __in_dev_get_rcu() returned NULL when no IP address was set
> on the interface.
> 
> With >= 2.6.22 we now process arp packets even if no address is assigned.
> It can cause issues if the machine has several interfaces in the same
> segment; requests receive answers from multiple macs.

I actually expect arp answers for ip addresses bound to loopback even from an
interface without ip address, if we strictly conform to the week end host
model in linux.

This is e.g. a common setup for BGP routers, where you assign the IBGP
address to loopback or dummy and thus make it interface independent.

Greetings,

  Hannes

Re: [PATCH] ipv4: arp: process only if ipv4 address configured

[David Miller]

From: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Thu, 13 Feb 2014 01:24:13 +0100

> I actually expect arp answers for ip addresses bound to loopback even from an
> interface without ip address, if we strictly conform to the week end host
> model in linux.

Agreed.

Re: [PATCH] ipv4: arp: process only if ipv4 address configured

[Florian Westphal]

David Miller <davem@davemloft.net> wrote:
> From: Hannes Frederic Sowa <hannes@stressinduktion.org>
> Date: Thu, 13 Feb 2014 01:24:13 +0100
> 
> > I actually expect arp answers for ip addresses bound to loopback even from an
> > interface without ip address, if we strictly conform to the week end host
> > model in linux.
> 
> Agreed.

Thanks for your inpout everyone.  I've self-rejected the patch.