vxlan open udp socket on 0.0.0.0 even when local address is set
by davidhadas from LinuxQuestions.org on (#6MPB3)
Hi,
Code:
ip netns add test
ip netns exec test /bin/bash
ip link set dev lo up
ip link add vxlan1 type vxlan id 1 remote 127.0.0.3 local 127.0.0.2 dev lo dstport 4789
ip link set vxlan1 up
netstat -pln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:4789 0.0.0.0:*

I was expecting to see that vxlan1 listens on 127.0.0.2:4789; instead it listens on 0.0.0.0 (which blocks opening 4789 on any other IP in this network namespace, e.g. 127.0.0.3).
(1) Is it intentional to always open on 0.0.0.0? If so, why?
(2) Is there a way to force vxlan to listen only on a specific IP address?
(3) This seems to open up systems to vulnerabilities, since it does not allow limiting the ingress on which vxlan traffic is accepted?
(4) No warning is documented in the manual regarding this behavior.
(5) Is this the code being executed? If so, it shows that `udp_conf.local_ip` is zeroed and not set by `saddr` when `vxlan_sock_add` is called.
Code:
struct vxlan_config {
...
union vxlan_addr saddr;
...
};
struct vxlan_dev {
...
struct vxlan_config cfg;
...
};
Tnx, DH
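As an added example (not part of the original post), the following shell function audits a `netstat -pln`-style listing for the bind scope of the VXLAN UDP port, so an administrator can confirm whether the encapsulation socket is on the wildcard address as described above. The listing embedded below is constructed from the post's output plus a hypothetical second socket bound to a specific address for contrast; the function name and the sample data are assumptions, not anything from iproute2 or the kernel.

```shell
#!/bin/sh
# Added example: classify how the VXLAN UDP port is bound in a
# netstat/ss-style listing. Not code from the original post.

VXLAN_PORT=4789

# Constructed sample: the first udp line mirrors the post's netstat
# output; the second is a hypothetical socket bound to one address.
SAMPLE_LISTING='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:4789 0.0.0.0:* -
udp 0 0 127.0.0.2:5789 0.0.0.0:* -'

# vxlan_bind_scope PORT LISTING
# Prints "wildcard" if PORT is bound on 0.0.0.0 or ::, "specific" if it
# is bound on a concrete address, and "none" if no udp socket listens
# on that port. Only the "Local Address" column (field 4) is inspected.
vxlan_bind_scope() {
    port="$1"
    printf '%s\n' "$2" | awk -v port="$port" '
        $1 == "udp" || $1 == "udp6" {
            n = split($4, parts, ":")
            if (parts[n] != port) next
            # strip ":PORT" to recover the address part (works for :::PORT too)
            addr = substr($4, 1, length($4) - length(port) - 1)
            found = 1
            if (addr == "0.0.0.0" || addr == "::") print "wildcard"; else print "specific"
            exit
        }
        END { if (!found) print "none" }
    '
}

# Stand-alone usage: audit the constructed listing for the VXLAN port.
# On a live system replace SAMPLE_LISTING with "$(netstat -pln)" output.
vxlan_bind_scope "$VXLAN_PORT" "$SAMPLE_LISTING"
```

When the function reports "wildcard", the socket will accept VXLAN datagrams arriving on any address in the namespace regardless of the `local` setting on the device, so ingress restriction has to be applied outside the device configuration, for instance with a netfilter rule that only admits UDP to port 4789 from the expected remote endpoint.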