* question regarding Linux kernel handling of packets received that have src address of interface address
From: Mikael Abrahamsson @ 2018-10-05 8:50 UTC
To: netdev
Hi,
in the context of this IETF draft:
https://tools.ietf.org/html/draft-patterson-intarea-ipoe-health-05
we're looking into being able to do an internet access health check, by
sending a packet to ourselves via the upstream ISP router, to check if
everything is still alive.
Deployment scenario is as follows:
<Internet> BNG <-L2-> <WAN-RG-LAN>
For the normal deployment scenario, the WAN address of the RG (residential
gateway) will have both IPv4 and IPv6 packets.
So let's say in this case that WAN has 100.64.0.2 address and BNG has
100.64.0.1 address. For IPv6 they have 2001:db8::2 and ::1 respectively,
and RG has prefix 2001:db8:100::/56 routed to 2001:db8::2.
On the RG we would take the mac address of the BNG by looking at the
100.64.0.1 ARP entry, look at our own WAN mac address and form a packet:
RG-WAN-MAC > BNG-WAN-MAC IP SRC: 100.64.0.2 IP DST 100.64.0.2
we would then get back a packet (since the SRC passes the BNG
anti-spoofing rule, it's then just forwarded according to the normal
forwarding table):
BNG-WAN-MAC > RG-WAN-MAC IP SRC: 100.64.0.2 IP DST 100.64.0.2
So we're sending a packet with our own address as both src and dst, just
now with the mac addresses swapped because it went in via the BNG
routing engine and was sent back to us. For IPv6, look at
https://www.ietf.org/mail-archive/web/v6ops/current/msg30041.html
If I make "ncat" listen to UDP port 10000, I can successfully receive
packets with src not my own interface address, which is fine for the
DHCPv6-PD case (I have plenty of LAN addresses to choose from), but it
doesn't work for the IPv6 IA_NA and IPv4 case. I have to use my source
address to pass the BNG anti-spoofing filters.
So my question is where in the Linux kernel is this check performed that
disallows incoming packets that have src IP address the same as an
interface address? Can it be turned off? Is there a way to "hack around
it", for instance with iptables and re-write the source address of the
packet before it hits this check (I don't care about the source address
when the packet is delivered to the application, it can be re-written to
anything).
rp_filter is turned off in my testing.
Thanks.
--
Mikael Abrahamsson email: swmike@swm.pp.se
* Re: question regarding Linux kernel handling of packets received that have src address of interface address
From: Ido Schimmel @ 2018-10-05 10:27 UTC
To: Mikael Abrahamsson; +Cc: netdev
On Fri, Oct 05, 2018 at 10:50:24AM +0200, Mikael Abrahamsson wrote:
> So my question is where in the Linux kernel is this check performed that
> disallows incoming packets that have src IP address the same as an interface
> address? Can it be turned off? Is there a way to "hack around it", for
> instance with iptables and re-write the source address of the packet before
> it hits this check (I don't care about the source address when the packet is
> delivered to the application, it can be re-written to anything).
Did you set 'accept_local' [1]?
"
accept_local - BOOLEAN
Accept packets with local source addresses. In combination with
suitable routing, this can be used to direct packets between two
local interfaces over the wire and have them accepted properly.
default FALSE
"
I tried to create a setup similar to yours and it seems to be working
for me.
1. https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
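As an added example (not code from either poster), a small POSIX shell checker that reads the sysctls Ido points to for a given WAN interface and reports whether the kernel would accept an IPv4 probe whose source is the interface's own address. It assumes the kernel's combination rules (accept_local is effective if set on "all" or on the interface; rp_filter is the larger of the two) and takes the sysctl root as a parameter so the logic can be run against a constructed directory tree; accept_local is an IPv4 sysctl, so this covers the IPv4 case from the question only.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks whether the kernel would
# accept an IPv4 probe whose source is the WAN interface's own address, by
# reading the same sysctls Ido refers to.
# Assumed kernel rules: accept_local is effective if set on "all" OR on the
# interface; rp_filter is the MAX of "all" and the interface.
# The sysctl root is normally /proc/sys; it is a parameter so the logic can
# be exercised against a constructed directory tree without root privileges.

# read_conf ROOT SCOPE KEY: print the sysctl value, or 0 if the file is absent
read_conf() {
    conf_file="$1/net/ipv4/conf/$2/$3"
    if [ -r "$conf_file" ]; then cat "$conf_file"; else echo 0; fi
}

# effective_accept_local ROOT IFACE: 1 if local-source packets are accepted
effective_accept_local() {
    al_all=$(read_conf "$1" all accept_local)
    al_dev=$(read_conf "$1" "$2" accept_local)
    if [ "$al_all" -ne 0 ] || [ "$al_dev" -ne 0 ]; then echo 1; else echo 0; fi
}

# effective_rp_filter ROOT IFACE: the larger of the "all" and interface values
effective_rp_filter() {
    rp_all=$(read_conf "$1" all rp_filter)
    rp_dev=$(read_conf "$1" "$2" rp_filter)
    if [ "$rp_all" -gt "$rp_dev" ]; then echo "$rp_all"; else echo "$rp_dev"; fi
}

# self_probe_check ROOT IFACE: prints "blocked: accept_local=0" (status 1)
# when the probe would be dropped as a martian source, otherwise
# "ok rp_filter=N" (status 0). rp_filter is reported, not judged, since
# Mikael's test already had it off and the result depends on routing.
self_probe_check() {
    if [ "$(effective_accept_local "$1" "$2")" -eq 0 ]; then
        echo "blocked: accept_local=0"
        return 1
    fi
    echo "ok rp_filter=$(effective_rp_filter "$1" "$2")"
}

# Usage: sh self_probe_check.sh wan0 [/proc/sys]
if [ $# -ge 1 ]; then
    self_probe_check "${2:-/proc/sys}" "$1"
fi
```

When the check reports blocked and log_martians is enabled on the interface, the dropped probes appear in the kernel log as "martian source" messages, which is the quickest way to confirm that this is the drop point.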
* Re: question regarding Linux kernel handling of packets received that have src address of interface address
From: Mikael Abrahamsson @ 2018-10-05 11:41 UTC
To: Ido Schimmel; +Cc: netdev
On Fri, 5 Oct 2018, Ido Schimmel wrote:
> Did you set 'accept_local' [1] ?
I did not. Thanks for the pointer, looks like exactly what I was looking
for!
--
Mikael Abrahamsson email: swmike@swm.pp.se