IP data packets are forwarded although it should never work in theory, but why?


Benjamin Kalytta
Hello LwIP users,

First let me describe some important configuration options:

- TCP/IP is enabled, UDP, ICMP is enabled, and IP forwarding is disabled (#define IP_FORWARD 0) [lwipopts.h]
- There is no network default interface (netif_default == NULL) defined.
- There is no DNS server defined

There are two network interfaces on my board:

Itf1:
IP: 192.168.4.1
Netmask: 255.255.255.0
Gateway: 0.0.0.0

Itf2:
IP: 172.17.1.1
Netmask: 255.255.255.0
Gateway: 0.0.0.0

The board where lwIP (lwip-2.1.2) is installed runs an HTTP web server (port 80) that accepts connections from anyone.

Client 1 is connected to Itf1 and has ip 192.168.4.2
Client 2 is connected to Itf2 and has ip 172.17.1.2

Client 1 and Client 2 are not connected to each other in any way.

Now, client 1 is trying to connect to 172.17.1.1, which surprisingly succeeds. It shouldn't, since Itf1's netmask restricts the IP range to 192.168.4.1 ... 192.168.4.255, and therefore it should never be possible to connect to 172.17.1.1.

Is this an intended behaviour of the lwIP stack, or are there some options to prevent that? Or could this be some bug?


With Kind Regards,
Benjamin Kalytta


_______________________________________________
lwip-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/lwip-devel

Re: IP data packets are forwarded although it should never work in theory, but why?

Indan Zupancic
Hello Benjamin,

On 2020-10-06 14:56, Benjamin Kalytta wrote:
> Is this an intended behaviour of LwIp stack or are there some options
> to prevent that? Or could this be some bug?

This is how most IP stacks are implemented and is intended behaviour.
They consider the stack itself as an end node and not each interface
as an end node, so all configured IP addresses are reachable through
any interface. Mind you, packets are not forwarded between networks.

If there is enough general interest for hard separation between different
interfaces and lwIP is willing to merge such a configuration option upstream,
I can submit a patch for this feature.

Best regards,

Indan


Re: IP data packets are forwarded although it should never work in theory, but why?

Benjamin Kalytta
Hello Indan,

> This is how most IP stacks are implemented and is intended behaviour.
> They consider the stack itself as an end node and not each interface as an end node, so all configured IP addresses are reachable through any interface. Mind you, packets are not forwarded between networks.

thank you for your fast response. I was not aware of that. I would need at least an option for a hard separation (DMZ) for specific interfaces. What do you think is the best point to implement that? In ip_input or ip_input_accept? Have you implemented it, and how did you implement it?

With Kind Regards,
Benjamin Kalytta



Re: IP data packets are forwarded although it should never work in theory, but why?

Indan Zupancic
Hello Benjamin,

On 2020-10-06 15:37, Benjamin Kalytta wrote:
> thank you for your fast response. I was not aware of that. I would
> need at least an option for a hard separation (DMZ) for specific
> interfaces. What do you think is the best point to implement that? In
> ip_input or ip_input_accept? Do you have implemented it and how did
> you implement it?

Problem is that it is a bit scattered around if you do it correctly,
including all corner cases like peers behind gateways. TCP incoming
connections need to be automatically bound to the interface where
they came from. lwIP's SNMP code also needs changes to handle this
correctly. For unbound UDP sockets we changed the code so it honours
the pbuf's if_idx. We avoid ever calling ip_route().

Applications also have to bind all sockets to specific interfaces
for client sockets to pick the correct interface in case the peer
is behind a gateway.

We needed hard separation between all interfaces, so we didn't
make it a per-interface option.

An alternative solution would extend ip_route() with interface
information and enough hooks here and there to reach our goal
outside of lwIP, but that is a much bigger change.

Greetings,

Indan

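The two models Indan describes, the default "stack is the end node" behaviour (any configured address is accepted on any interface) and the "hard separation" Benjamin is asking for (a destination is accepted only on the interface that owns it), as an added example that is not code from this thread or from lwIP itself. It uses a minimal stand-in struct instead of lwIP's `struct netif`, the two interfaces and addresses from Benjamin's setup, and deliberately keeps the decision to a single pure function so it can be dropped into an input-side hook; in a real port the check would sit where the thread says, at the start of the IPv4 input path, before the packet is matched against the list of local addresses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Build a host-order IPv4 address from dotted-quad components. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Minimal stand-in for lwIP's struct netif (assumption: only the fields the
 * acceptance check needs). Addresses are in host byte order. */
typedef struct host_netif {
    const char *name;
    uint32_t ip;
    uint32_t netmask;
} host_netif_t;

/* The two interfaces from the thread: Itf1 192.168.4.1/24, Itf2 172.17.1.1/24. */
static const host_netif_t g_netifs[] = {
    { "Itf1", IP4(192, 168, 4, 1), IP4(255, 255, 255, 0) },
    { "Itf2", IP4(172, 17, 1, 1),  IP4(255, 255, 255, 0) },
};
#define G_NETIF_COUNT (sizeof g_netifs / sizeof g_netifs[0])

/* Does dst "belong" to this interface? Its unicast address, its directed
 * (subnet) broadcast, the limited broadcast, or any multicast group. */
static int addr_matches_netif(const host_netif_t *nif, uint32_t dst)
{
    if (dst == nif->ip)                         return 1;   /* our unicast address */
    if (dst == 0xFFFFFFFFu)                     return 1;   /* 255.255.255.255 */
    if ((dst & 0xF0000000u) == 0xE0000000u)     return 1;   /* 224.0.0.0/4 */
    if (dst == (nif->ip | ~nif->netmask))       return 1;   /* subnet broadcast */
    return 0;
}

/* Weak host model: the behaviour Indan describes as lwIP's default. Every
 * address configured on any interface is accepted, no matter which interface
 * the packet arrived on. Returns the index of the owning interface, or -1. */
int weak_host_accept(const host_netif_t *list, size_t n, uint32_t dst)
{
    for (size_t i = 0; i < n; i++) {
        if (addr_matches_netif(&list[i], dst)) {
            return (int)i;
        }
    }
    return -1;
}

/* Strong host model: the "hard separation" Benjamin asked for. The packet is
 * accepted only if the destination belongs to the interface it arrived on.
 * in_netif is the interface the driver handed the packet up from. */
int strong_host_accept(const host_netif_t *in_netif, uint32_t dst)
{
    return addr_matches_netif(in_netif, dst);
}

/* Walk the thread's scenario: client 1 on Itf1 sends to 172.17.1.1. */
int main(void)
{
    const uint32_t dst = IP4(172, 17, 1, 1);
    int weak = weak_host_accept(g_netifs, G_NETIF_COUNT, dst);
    int strong = strong_host_accept(&g_netifs[0], dst);

    printf("packet on %s to 172.17.1.1: weak model -> %s (owner %s), strong model -> %s\n",
           g_netifs[0].name,
           weak >= 0 ? "accept" : "drop",
           weak >= 0 ? g_netifs[weak].name : "none",
           strong ? "accept" : "drop");
    return 0;
}
```

The check only decides whether the input path should continue; as Indan's last reply points out, that alone is not a complete separation. The TCP PCB created for an accepted SYN still has to be bound to the input interface so the reply leaves the same way, unbound UDP PCBs have to honour the receiving interface, and applications that initiate connections must bind to an interface themselves if the peer sits behind a gateway, otherwise ip_route() picks the interface for them.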