diff mbox

[net] arp: filter NOARP neighbours for SIOCGARP

Message ID 1437989630.20182.35.camel@edumazet-glaptop2.roam.corp.google.com
State Accepted, archived
Delegated to: David Miller
Headers show

Commit Message

Eric Dumazet July 27, 2015, 9:33 a.m. UTC 
From: Eric Dumazet <edumazet@google.com>

When arp is off on a device, and ioctl(SIOCGARP) is queried,
a buggy answer is given with MAC address of the device, instead
of the mac address of the destination/gateway.

We filter out NUD_NOARP neighbours for /proc/net/arp,
we must do the same for SIOCGARP ioctl.

Tested:

lpaa23:~# ./arp 10.246.7.190
MAC=00:01:e8:22:cb:1d      // correct answer

lpaa23:~# ip link set dev eth0 arp off
lpaa23:~# cat /proc/net/arp   # check arp table is now 'empty'
IP address       HW type     Flags       HW address    Mask     Device
lpaa23:~# ./arp 10.246.7.190
MAC=00:1a:11:c3:0d:7f   // buggy answer before patch (this is eth0 mac)

After patch :

lpaa23:~# ip link set dev eth0 arp off
lpaa23:~# ./arp 10.246.7.190
ioctl(SIOCGARP) failed: No such device or address

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Vytautas Valancius <valas@google.com>
Cc: Willem de Bruijn <willemb@google.com>
---
 net/ipv4/arp.c |   16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

David Miller July 29, 2015, 6:41 a.m. UTC | #1 
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Mon, 27 Jul 2015 11:33:50 +0200

> From: Eric Dumazet <edumazet@google.com>
> 
> When arp is off on a device, and ioctl(SIOCGARP) is queried,
> a buggy answer is given with MAC address of the device, instead
> of the mac address of the destination/gateway.
> 
> We filter out NUD_NOARP neighbours for /proc/net/arp,
> we must do the same for SIOCGARP ioctl.
> 
> Tested:
 ...
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: Vytautas Valancius <valas@google.com>

Applied, thanks Eric.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Eric Dumazet July 29, 2015, 9:15 a.m. UTC | #2 
On Tue, 2015-07-28 at 23:41 -0700, David Miller wrote:

> Applied, thanks Eric.
Thanks David

Note that IPv6 is completely broken after 'arp off' sequence.

ND destination MAC are a copy of eth0 MAC address, instead of the required multicast.

lpaa23:~# ip link set dev eth0 arp off
lpaa23:~# ping6 4444::555:0027
PING 4444::555:0027(4444::555:27) 56 data bytes
02:05:13.742684 00:1a:11:c3:0d:7f > 00:1a:11:c3:0d:7f, ethertype IPv6 (0x86dd), length 118: 4444::555:23 > 4444::555:27: ICMP6, echo request, seq 1, length 64
02:05:14.742200 00:1a:11:c3:0d:7f > 00:1a:11:c3:0d:7f, ethertype IPv6 (0x86dd), length 118: 4444::555:23 > 4444::555:27: ICMP6, echo request, seq 2, length 64
^C
--- 4444::555:0027 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms

lpaa23:~# ip link set dev eth0 arp on 

lpaa23:~# ip -6 neigh sh dev eth0
fe80::21a:11ff:fec3:d45 lladdr 00:1a:11:c3:0d:45 STALE
4444::555:26  FAILED
4444::555:25  FAILED

lpaa23:~# ping6 4444::555:0027
PING 4444::555:0027(4444::555:27) 56 data bytes
02:12:15.698654 00:1a:11:c3:0d:7f > 00:1a:11:c3:0d:7f, ethertype IPv6 (0x86dd), length 118: 4444::555:23 > 4444::555:27: ICMP6, echo request, seq 1, length 64
02:12:16.698249 00:1a:11:c3:0d:7f > 00:1a:11:c3:0d:7f, ethertype IPv6 (0x86dd), length 118: 4444::555:23 > 4444::555:27: ICMP6, echo request, seq 2, length 64
02:12:17.698224 00:1a:11:c3:0d:7f > 00:1a:11:c3:0d:7f, ethertype IPv6 (0x86dd), length 118: 4444::555:23 > 4444::555:27: ICMP6, echo request, seq 3, length 64
^C
--- 4444::555:0027 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1999ms

lpaa23:~# ip -6 neigh flush dev eth0

lpaa23:~# ip -6 neigh sh dev eth0
4444::555:24  FAILED
4444::555:28  FAILED
fe80::21a:11ff:fec3:d45  FAILED
4444::555:26  FAILED
4444::555:25  FAILED

Oh well...


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Eric Dumazet July 29, 2015, 9:32 a.m. UTC | #3 
On Wed, 2015-07-29 at 11:15 +0200, Eric Dumazet wrote:
> On Tue, 2015-07-28 at 23:41 -0700, David Miller wrote:
> 
> > Applied, thanks Eric.
> Thanks David
> 
> Note that IPv6 is completely broken after 'arp off' sequence.

It seems we need to replicate what commit
6c8b4e3ff81b82fc153625e81e60af1d89de2c32 ("arp: flush arp cache on
IFF_NOARP change") 
did for IPv4

Will test this and submit an official patch.


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 933a92820d26..6c8b1fbafce8 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -1017,14 +1017,16 @@  static int arp_req_get(struct arpreq *r, struct net_device *dev)
 
 	neigh = neigh_lookup(&arp_tbl, &ip, dev);
 	if (neigh) {
-		read_lock_bh(&neigh->lock);
-		memcpy(r->arp_ha.sa_data, neigh->ha, dev->addr_len);
-		r->arp_flags = arp_state_to_flags(neigh);
-		read_unlock_bh(&neigh->lock);
-		r->arp_ha.sa_family = dev->type;
-		strlcpy(r->arp_dev, dev->name, sizeof(r->arp_dev));
+		if (!(neigh->nud_state & NUD_NOARP)) {
+			read_lock_bh(&neigh->lock);
+			memcpy(r->arp_ha.sa_data, neigh->ha, dev->addr_len);
+			r->arp_flags = arp_state_to_flags(neigh);
+			read_unlock_bh(&neigh->lock);
+			r->arp_ha.sa_family = dev->type;
+			strlcpy(r->arp_dev, dev->name, sizeof(r->arp_dev));
+			err = 0;
+		}
 		neigh_release(neigh);
-		err = 0;
 	}
 	return err;
 }