* question on raw sockets and source IP address validation
From: Chris Friesen @ 2009-09-24 17:53 UTC
To: Linux Network Development list
Hi all,

Normally when sending a packet on a SOCK_RAW socket the source IP
address is validated against the addresses configured on the host. If
the address isn't configured, the packet isn't sent.

This can be avoided by setting IP_HDRINCL, but then the app needs to
handle all the fragmentation itself.

Is there any way to bypass the source address validation without IP_HDRINCL?

Thanks,

Chris
* Re: question on raw sockets and source IP address validation
From: Neil Horman @ 2009-09-24 19:26 UTC
To: Chris Friesen; +Cc: Linux Network Development list
On Thu, Sep 24, 2009 at 11:53:39AM -0600, Chris Friesen wrote:
> Hi all,
>
> Normally when sending a packet on a SOCK_RAW socket the source IP
> address is validated against the addresses configured on the host. If
> the address isn't configured, the packet isn't sent.
>
> This can be avoided by setting IP_HDRINCL, but then the app needs to
> handle all the fragmentation itself.
>
> Is there any way to bypass the source address validation without IP_HDRINCL?
>
Nope, not with socket(AF_INET, SOCK_RAW, ...). It's an IPv4 socket, so you get
ipv4 routing. If you don't want the ipv4 behavior, you can always use
AF_PACKET, to send raw frames direct to network interfaces. Of course, that's
going to imply that you do all your ip level fragmentation yourself as well.

That said, it's not doing source validation, your socket is actually doing a
route lookup on the flow from your specified source address to your destination
address. So you should be able to fool the socket into doing the lookup by
adding a route to your routing table from your source address to your
destination address via the interface that you want to send the frames out of.

Regards
Neil

> Thanks,
>
> Chris
^ permalink raw reply [flat|nested] 3+ messages in thread
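
What "handle all the fragmentation itself" involves for the messages above, as an added example that is not code from the thread or from the kernel: it builds, in memory only, the IPv4 header for each fragment of an oversized payload (8-byte offset units, the MF flag, a checksum per fragment). The names `frag_header`, `ip_checksum` and `put16` are hypothetical, headers carry no options, and the sizes and RFC 5737 addresses are constructed sample values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IP_HLEN 20         /* IPv4 header, no options */
#define IP_MF   0x2000     /* "more fragments" flag */

/* RFC 1071 one's-complement sum over the (even-length) header. */
static uint16_t ip_checksum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)p[i] << 8) | p[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }

/* Fill hdr for fragment idx of a `total`-byte payload; returns the number of
 * payload bytes that fragment carries, or 0 if idx is past the end/invalid. */
size_t frag_header(uint8_t hdr[IP_HLEN], size_t total, size_t mtu, size_t idx,
                   uint16_t id, uint8_t proto, uint32_t src, uint32_t dst)
{
    if (mtu < IP_HLEN + 8 || total > 65535 - IP_HLEN)
        return 0;
    size_t chunk = (mtu - IP_HLEN) & ~(size_t)7; /* offsets count 8-byte units */
    size_t off = idx * chunk;
    if (off >= total)
        return 0;
    size_t len = total - off < chunk ? total - off : chunk;
    int more = off + len < total;

    hdr[0] = 0x45; hdr[1] = 0;                   /* version 4, IHL 5, TOS 0 */
    put16(hdr + 2, (uint16_t)(IP_HLEN + len));   /* total length */
    put16(hdr + 4, id);                          /* same id on every fragment */
    put16(hdr + 6, (uint16_t)((off / 8) | (more ? IP_MF : 0)));
    hdr[8] = 64; hdr[9] = proto;                 /* TTL, upper protocol */
    put16(hdr + 10, 0);
    put16(hdr + 12, src >> 16); put16(hdr + 14, src & 0xffff);
    put16(hdr + 16, dst >> 16); put16(hdr + 18, dst & 0xffff);
    put16(hdr + 10, ip_checksum(hdr, IP_HLEN));  /* checksum is per fragment */
    return len;
}

int main(void)
{
    uint8_t h[IP_HLEN]; size_t n;
    /* Constructed sample: 3000-byte payload, 1500-byte MTU, RFC 5737 addresses. */
    for (size_t i = 0; (n = frag_header(h, 3000, 1500, i, 0x1234, 17, 0xC0000201, 0xC6336401)); i++)
        printf("frag %zu: %zu bytes, flags/off=0x%02x%02x\n", i, n, h[6], h[7]);
    return 0;
}
```
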
* Re: question on raw sockets and source IP address validation
From: Chris Friesen @ 2009-09-24 19:37 UTC
To: Neil Horman; +Cc: Linux Network Development list
On 09/24/2009 01:26 PM, Neil Horman wrote:
> That said, it's not doing source validation, your socket is actually doing a
> route lookup on the flow from your specified source address to your destination
> address. So you should be able to fool the socket into doing the lookup by
> adding a route to your routing table from your source address to your
> destination address via the interface that you want to send the frames out of.

Hmm...that's an interesting point. Worth investigating for sure.

Thanks,

Chris