Closed TIISR closed 5 months ago
I understand that this is a hotfix, but maybe it is still worth it to remove the comments as we can always use git blame, git log and so on to find changes in files :gem:
This can be tested but please do not merge, I just realized I forgot to update the corresponding cleanup lines so the ebtables rules are filling up with duplicates like:
```
root@br_hardened:~# ebtables -t nat -L --Lc
Bridge table: nat

Bridge chain: PREROUTING, entries: 2, policy: ACCEPT
-i lmp04f021b8c37e -j dnat --to-dst ff:ff:ff:ff:ff:ff --dnat-target ACCEPT, pcnt = 84506 -- bcnt = 1940184
-i ump06f021b8c37e -j dnat --to-dst ff:ff:ff:ff:ff:ff --dnat-target ACCEPT, pcnt = 85100 -- bcnt = 2018440

Bridge chain: OUTPUT, entries: 2, policy: ACCEPT
--logical-out lmb04f021b8c37b -j lmb04f021b8c37b, pcnt = 904797 -- bcnt = 73798956
--logical-out umb06f021b8c37b -j umb06f021b8c37b, pcnt = 261048 -- bcnt = 9488768

Bridge chain: POSTROUTING, entries: 0, policy: ACCEPT

Bridge chain: lmb04f021b8c37b, entries: 14, policy: DROP
-d 4:f0:21:b8:c3:7e -o lms04f021b8c37e -j ACCEPT , pcnt = 343167 -- bcnt = 34390610
-d Broadcast -o lmp04f021b8c37e -j dnat --to-dst 4:f0:21:b8:c3:7e --dnat-target ACCEPT, pcnt = 109195 -- bcnt = 2506652
-d 4:f0:21:b8:c3:7e -o lms04f021b8c37e -j ACCEPT , pcnt = 0 -- bcnt = 0
-d Broadcast -o lmp04f021b8c37e -j dnat --to-dst 4:f0:21:b8:c3:7e --dnat-target ACCEPT, pcnt = 0 -- bcnt = 0
-d 4:f0:21:b8:c3:7e -o lms04f021b8c37e -j ACCEPT , pcnt = 0 -- bcnt = 0
-d Broadcast -o lmp04f021b8c37e -j dnat --to-dst 4:f0:21:b8:c3:7e --dnat-target ACCEPT, pcnt = 0 -- bcnt = 0
-d 4:f0:21:b8:c3:7e -o lms04f021b8c37e -j ACCEPT , pcnt = 0 -- bcnt = 0
-d Broadcast -o lmp04f021b8c37e -j dnat --to-dst 4:f0:21:b8:c3:7e --dnat-target ACCEPT, pcnt = 0 -- bcnt = 0
-d 4:f0:21:b8:c3:7e -o lms04f021b8c37e -j ACCEPT , pcnt = 0 -- bcnt = 0
-d Broadcast -o lmp04f021b8c37e -j dnat --to-dst 4:f0:21:b8:c3:7e --dnat-target ACCEPT, pcnt = 0 -- bcnt = 0
-d 4:f0:21:b8:c3:7e -o lms04f021b8c37e -j ACCEPT , pcnt = 0 -- bcnt = 0
-d Broadcast -o lmp04f021b8c37e -j dnat --to-dst 4:f0:21:b8:c3:7e --dnat-target ACCEPT, pcnt = 0 -- bcnt = 0
-d 4:f0:21:b8:c3:7e -o lms04f021b8c37e -j ACCEPT , pcnt = 0 -- bcnt = 0
-d Broadcast -o lmp04f021b8c37e -j dnat --to-dst 4:f0:21:b8:c3:7e --dnat-target ACCEPT, pcnt = 0 -- bcnt = 0

Bridge chain: umb06f021b8c37b, entries: 14, policy: DROP
-d 6:f0:21:b8:c3:7e -o ums06f021b8c37e -j ACCEPT , pcnt = 20512 -- bcnt = 2133008
-d Broadcast -o ump06f021b8c37e -j dnat --to-dst 6:f0:21:b8:c3:7e --dnat-target ACCEPT, pcnt = 109971 -- bcnt = 2608880
-d 6:f0:21:b8:c3:7e -o ums06f021b8c37e -j ACCEPT , pcnt = 0 -- bcnt = 0
-d Broadcast -o ump06f021b8c37e -j dnat --to-dst 6:f0:21:b8:c3:7e --dnat-target ACCEPT, pcnt = 0 -- bcnt = 0
-d 6:f0:21:b8:c3:7e -o ums06f021b8c37e -j ACCEPT , pcnt = 0 -- bcnt = 0
-d Broadcast -o ump06f021b8c37e -j dnat --to-dst 6:f0:21:b8:c3:7e --dnat-target ACCEPT, pcnt = 0 -- bcnt = 0
-d 6:f0:21:b8:c3:7e -o ums06f021b8c37e -j ACCEPT , pcnt = 0 -- bcnt = 0
-d Broadcast -o ump06f021b8c37e -j dnat --to-dst 6:f0:21:b8:c3:7e --dnat-target ACCEPT, pcnt = 0 -- bcnt = 0
-d 6:f0:21:b8:c3:7e -o ums06f021b8c37e -j ACCEPT , pcnt = 0 -- bcnt = 0
-d Broadcast -o ump06f021b8c37e -j dnat --to-dst 6:f0:21:b8:c3:7e --dnat-target ACCEPT, pcnt = 0 -- bcnt = 0
-d 6:f0:21:b8:c3:7e -o ums06f021b8c37e -j ACCEPT , pcnt = 0 -- bcnt = 0
-d Broadcast -o ump06f021b8c37e -j dnat --to-dst 6:f0:21:b8:c3:7e --dnat-target ACCEPT, pcnt = 0 -- bcnt = 0
-d 6:f0:21:b8:c3:7e -o ums06f021b8c37e -j ACCEPT , pcnt = 0 -- bcnt = 0
-d Broadcast -o ump06f021b8c37e -j dnat --to-dst 6:f0:21:b8:c3:7e --dnat-target ACCEPT, pcnt = 0 -- bcnt = 0
```
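Added here as an example, not code from the mesh_com project or this PR: a POSIX shell check that parses `ebtables -t nat -L --Lc` output and reports any rule that appears more than once in a chain, which is exactly the leak the comment above shows. The listing it runs on is a constructed sample in the same shape as the real output; on a device it would be fed `ebtables -t nat -L --Lc` directly to verify that the cleanup lines really undo the add lines.

```shell
#!/bin/sh
# Added example (not from mesh_com): detect duplicated ebtables rules in
# `ebtables -t nat -L --Lc` output. Packet/byte counters are stripped so
# that identical rules compare equal regardless of traffic seen.

# Constructed sample listing, one rule per line as ebtables prints it.
SAMPLE_LISTING='Bridge table: nat

Bridge chain: PREROUTING, entries: 1, policy: ACCEPT
-i lmp04f021b8c37e -j dnat --to-dst ff:ff:ff:ff:ff:ff --dnat-target ACCEPT, pcnt = 84506 -- bcnt = 1940184

Bridge chain: lmb04f021b8c37b, entries: 4, policy: DROP
-d 4:f0:21:b8:c3:7e -o lms04f021b8c37e -j ACCEPT , pcnt = 343167 -- bcnt = 34390610
-d Broadcast -o lmp04f021b8c37e -j dnat --to-dst 4:f0:21:b8:c3:7e --dnat-target ACCEPT, pcnt = 109195 -- bcnt = 2506652
-d 4:f0:21:b8:c3:7e -o lms04f021b8c37e -j ACCEPT , pcnt = 0 -- bcnt = 0
-d Broadcast -o lmp04f021b8c37e -j dnat --to-dst 4:f0:21:b8:c3:7e --dnat-target ACCEPT, pcnt = 0 -- bcnt = 0'

# Reads a listing on stdin and prints "chain<TAB>count<TAB>rule" for every
# rule that occurs more than once within its chain. Exit status is 1 when
# at least one duplicate was found, 0 when the tables are clean.
report_duplicate_rules() {
    awk '
        /^Bridge chain: / { chain = $3; sub(/,$/, "", chain); next }
        /^Bridge table: / || /^$/ { next }
        {
            rule = $0
            # drop the trailing ", pcnt = N -- bcnt = M" counter suffix
            sub(/ *, *pcnt = [0-9]+ -- bcnt = [0-9]+ *$/, "", rule)
            key = chain "\t" rule
            if (++seen[key] == 2) order[++n] = key
        }
        END {
            for (i = 1; i <= n; i++) {
                split(order[i], parts, "\t")
                printf "%s\t%d\t%s\n", parts[1], seen[order[i]], parts[2]
            }
            exit (n > 0)
        }
    '
}

# Number of distinct duplicated rules in the listing passed as $1.
count_duplicate_rules() {
    printf '%s\n' "$1" | report_duplicate_rules | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample (reports 2 duplicates).
printf '%s\n' "$SAMPLE_LISTING" | report_duplicate_rules
```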
Hotfix tested and it will fix the reported issue
Replaced by https://github.com/tiiuae/mesh_com/pull/455
Traffic multiplication appears to be due to a regression in the Lower/Upper Mesh Bridges (lmb/umb), even though they appear to be correctly configured in terms of forwarding database (bridge fdb) and port isolation (ip -d link show), so here is a brute-force hotfix just dropping any traffic that should not be happening anyway.
WARNING: untested with more than 2 devices (which is required to be able to reproduce the issue) as I do not have access to more than 2 right now, but FWIW this hotfix does not seem to break anything, at least between 2 devices.