Gentoo Forums
question for kernel experts
jserink
Veteran


Joined: 30 Jan 2004
Posts: 1008

Posted: Sat Aug 21, 2021 8:26 am    Post subject: question for kernel experts

Background:
I have some Linux-based routers that were misbehaving "occasionally" when initiating IPSec connections to a Cisco IOS router.
I am using strongswan and GRE tunnels on the Linux box which always initiates the tunnels.
What happens, about 20% of the time, is the IPSec tunnel comes up (100% reliable) but the GRE tunnel does not, hence no connectivity.

So, I turned on GRE keepalives in the Cisco, and to make this work on the Linux boxes I did this:

echo 1 > /proc/sys/net/ipv4/conf/default/accept_local
echo 1 > /proc/sys/net/ipv4/conf/all/accept_local

Now the GRE tunnels come up every time all the time.

What are the security ramifications of enabling those accept_local flags?

Cheers,
john
pa4wdh
l33t


Joined: 16 Dec 2005
Posts: 806

Posted: Sat Aug 21, 2021 9:14 pm

The documentation on the accept_local flag is a bit sparse; this is what's in Documentation/networking/ip-sysctl.rst of the kernel sources:
Code:
accept_local - BOOLEAN
        Accept packets with local source addresses. In combination with
        suitable routing, this can be used to direct packets between two
        local interfaces over the wire and have them accepted properly.
        default FALSE

Usually receiving a packet with your own addresses as a source address would indicate a possible IP address conflict. If I understand this option correctly, those checks are not done anymore, so it works like any other.

I don't see too many security implications with that; if you use proper firewall rules on your router, I think it's safe to use.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
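
One way to see how far the two echo commands in the first post reach, as an added example (not code from either poster): the kernel treats accept_local as enabled on an interface when either conf/all or that interface's own entry is 1, so writing 1 to conf/all relaxes the local-source check on every interface. The function names and the tunnel interface name gre1 are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report where the local-source-address check is relaxed.
# ROOT is normally /proc/sys/net/ipv4/conf; it is a parameter so the
# functions can also be run against a constructed directory tree.

# effective_accept_local ROOT IFACE -> prints 1 or 0
# Effective value = conf/all OR conf/IFACE (how the kernel combines them).
effective_accept_local() {
    root=$1; ifc=$2
    all=$(cat "$root/all/accept_local" 2>/dev/null || echo 0)
    own=$(cat "$root/$ifc/accept_local" 2>/dev/null || echo 0)
    if [ "$all" = 1 ] || [ "$own" = 1 ]; then echo 1; else echo 0; fi
}

# audit_accept_local ROOT [ALLOWED_IFACE...]
# Prints "<iface> <effective> <ok|review>" for every real interface.
# "review" means accept_local is in effect on an interface that is not
# in the allow list, i.e. one that was not meant to need it.
audit_accept_local() {
    root=$1; shift
    allowed=" $* "
    for dir in "$root"/*/; do
        ifc=$(basename "$dir")
        # "all" and "default" are templates, not interfaces
        case $ifc in all|default) continue ;; esac
        eff=$(effective_accept_local "$root" "$ifc")
        verdict=ok
        if [ "$eff" = 1 ]; then
            case $allowed in *" $ifc "*) ;; *) verdict=review ;; esac
        fi
        echo "$ifc $eff $verdict"
    done
}

# When called with interface names (e.g. "sh audit.sh gre1", gre1 being a
# hypothetical tunnel name), audit the live system against that allow list.
if [ $# -gt 0 ]; then
    audit_accept_local /proc/sys/net/ipv4/conf "$@"
fi
```

Interfaces reported as "review" are the ones to cover with firewall rules or to exclude by setting the flag only on the tunnel interface.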