[BusyBox 0000356]: Answering ARP with invalid response when queried by firewall

bugs at busybox.net bugs at busybox.net
Thu Dec 8 03:53:20 UTC 2005


A NOTE has been added to this issue. 
====================================================================== 
http://busybox.net/bugs/view.php?id=356 
====================================================================== 
Reported By:                wphelps
Assigned To:                BusyBox
====================================================================== 
Project:                    BusyBox
Issue ID:                   356
Category:                   Networking Support
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     assigned
====================================================================== 
Date Submitted:             07-25-2005 22:52 PDT
Last Modified:              12-07-2005 19:53 PST
====================================================================== 
Summary:                    Answering ARP with invalid response when queried by firewall
Description: 
When a SonicWALL TZ170 (WAN port) sends ARP queries through a busybox
system acting as a bridge, responses with a HW addr of 00:00:00:00:00:00
are sent instead of the correct address of the Cisco router on the other
side of the bridge. This is consistent when using different TZ170s.  A
SonicWALL engineer could not find anything wrong with the TZ170 operation.
To make sure it was not a hardware level issue I tried using a hub between
the firewall and the bridge -- no difference.  However, both the TZ170 and
the bridge box seem to work correctly when an ordinary PC running WinXP is
substituted for the other box and I try simple ping/arp tests.  The
workaround is to make a manual SAT entry on the TZ170 with the router's HW
and IP addresses.  How transparent is the bridging busybox?

This seems similar to issue http://busybox.net/bugs/view.php?id=154
Are there any specific tests I should do to help isolate the problem?

====================================================================== 

---------------------------------------------------------------------- 
 tbrown9 - 08-27-05 10:34  
---------------------------------------------------------------------- 
Would you elaborate on the workaround that you did on the TZ170?  Where do
you make the SAT entry? 

---------------------------------------------------------------------- 
 wphelps - 08-29-05 23:22  
---------------------------------------------------------------------- 
Using the web GUI of the TZ, go to the network ARP table; in addition to
viewing, one can add entries.  Also, I seem to be having a similar problem
with a W2K3 server directly behind the bridge instead of the TZ; I hope to
find a fix later today. 

---------------------------------------------------------------------- 
 bernhardf - 09-14-05 07:46  
---------------------------------------------------------------------- 
How does busybox come into play with this?

The arp table is supposedly maintained by the kernel, no?

Please describe what *exact* busybox commands are involved to reproduce
this issue.

thanks,

This sounds like a duplicate of bug 154 and 356 or vice versa. 

---------------------------------------------------------------------- 
 wphelps - 09-14-05 11:19  
---------------------------------------------------------------------- 
Answering inline:
>How does busybox come into play with this?
>The arp table is supposedly maintained by the kernel, no?

The problem is most likely not that anything in the code is outright
wrong, but that choices in the compiling and packaging of busybox cause
issues – as opposed to other packages based on the same kernel – e.g.
Suse, Red Hat, etc.

>Please describe what *exact* busybox commands are involved to reproduce
>this issue.

On the busybox machine define a bridge – any will do, as per bridging
docs.
At this point ordinary PCs work fine (except for a few special Microsoft
'protect you from yourself' issues – see below); the problem arises when a
device such as a firewall wants 'secured' ARP.  To work in this environment
the bridge needs to be as transparent as the ports in a typical switch; the
newer implementations seem to have dropped their cloak of invisibility.
When you have router A, bridge (busybox) B, and firewall C, an arp given
from C with the IP of A should not, but does return a 0:0:0:0:0:0 MAC. 
Depending on the design of the bridge, one could return the MAC of A or B
but not zero.
Re: my problem with the W2K3 box, it turned out to be a new security issue,
since fixed by a patch to a patch.  Complicating the diagnosis were what
I consider to be poor implementations by Microsoft.  I knew that the
dynamic address of a disconnected adapter was removed (good for
multihoming); I learned a while ago that a static address would also be
removed (why?); the MS loopback adapter can't be set to the reserved
'loopback address' range (why?).  But, I just learned (hair lost) that
127.0.0.1 and the internal hostname also disappear when the physical
adapter is disconnected – thanks Bill!  And, yes, there is a difference
between unplugged, disconnected, and disabled.

>This sounds like a duplicate of bug 154 and 356 or vice versa.
It may duplicate 154; but, did I duplicate myself? 

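The reporter's router A / bridge B / firewall C description above is a claim about what is on the wire: a reply whose ARP sender hardware address is 00:00:00:00:00:00. The quickest way to settle whether the bridge or the querying device is at fault is to capture the frames on both sides of the bridge and inspect the reply bodies. The following is an added example, not code from the thread or from BusyBox: a small Ethernet/ARP frame parser and a sanity check that flags replies carrying an all-zero or broadcast sender address. The MAC and IP addresses in the sample frames are constructed for the example.

```python
import socket
import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = bytes(6)
BROADCAST_MAC = b"\xff" * 6


@dataclass
class ArpFrame:
    eth_src: bytes
    eth_dst: bytes
    opcode: int
    sender_hw: bytes
    sender_ip: str
    target_hw: bytes
    target_ip: str


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_arp(eth_src, eth_dst, opcode, sender_hw, sender_ip, target_hw, target_ip) -> bytes:
    """Assemble an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    eth = struct.pack("!6s6sH", eth_dst, eth_src, ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # htype, ptype, hlen, plen, oper
    arp += sender_hw + socket.inet_aton(sender_ip) + target_hw + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> ArpFrame:
    """Decode the Ethernet header and the 28-byte ARP body; reject anything else."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not an ARP frame (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(eth_src, eth_dst, opcode, sha, socket.inet_ntoa(spa), tha, socket.inet_ntoa(tpa))


def check_reply(arp: ArpFrame) -> list:
    """Return the problems found in an ARP reply; an empty list means it looks sane."""
    problems = []
    if arp.opcode != ARP_REPLY:
        return problems
    if arp.sender_hw == ZERO_MAC:
        problems.append("sender hardware address is all zeros")
    elif arp.sender_hw == BROADCAST_MAC:
        problems.append("sender hardware address is the broadcast address")
    if arp.sender_hw != arp.eth_src:
        # Informational: legitimate for proxy ARP, but worth seeing when diagnosing a bridge.
        problems.append("sender hardware address differs from Ethernet source MAC")
    return problems


def audit(frames) -> list:
    """Run the check over captured frames; returns (index, problems) for each bad one."""
    findings = []
    for i, raw in enumerate(frames):
        try:
            problems = check_reply(parse_arp(raw))
        except ValueError as err:
            problems = [str(err)]
        if problems:
            findings.append((i, problems))
    return findings


# Constructed addresses for the example (router A and firewall C from the thread's scenario).
A_MAC, A_IP = bytes.fromhex("001122334455"), "192.168.1.1"
C_MAC, C_IP = bytes.fromhex("00aabbccddee"), "192.168.1.254"

REQUEST = build_arp(C_MAC, BROADCAST_MAC, ARP_REQUEST, C_MAC, C_IP, ZERO_MAC, A_IP)
GOOD_REPLY = build_arp(A_MAC, C_MAC, ARP_REPLY, A_MAC, A_IP, C_MAC, C_IP)
BAD_REPLY = build_arp(A_MAC, C_MAC, ARP_REPLY, ZERO_MAC, A_IP, C_MAC, C_IP)  # the reported symptom
SAMPLE_FRAMES = [REQUEST, GOOD_REPLY, BAD_REPLY]

if __name__ == "__main__":
    for idx, problems in audit(SAMPLE_FRAMES):
        arp = parse_arp(SAMPLE_FRAMES[idx])
        print(f"frame {idx}: reply for {arp.sender_ip} from {mac_str(arp.sender_hw)}: {'; '.join(problems)}")
```

Feeding the raw frames from a capture taken on the firewall-facing and router-facing interfaces of the bridge into `audit` shows directly whether the zero address is already present on the router side (the router or something else answered that way) or first appears on the firewall side (the bridge rewrote or generated it), which is the distinction the later replies in this thread turn on.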
---------------------------------------------------------------------- 
 vapier - 09-14-05 18:44  
---------------------------------------------------------------------- 
so are you saying that a 'normal' linux box, one with standard utilities
from iputils/etc... works fine with the same kernel ?

the point bernhardf is trying to make is that busybox does not have an
arpd server, so any sort of communication which uses the busybox machine
as a router/gateway is done all through the kernel 

---------------------------------------------------------------------- 
 wphelps - 09-16-05 10:22  
---------------------------------------------------------------------- 
Yes, that is exactly what I am saying.  Now the task is to work through the
long list of options and differences to see which one causes the behavior. 

---------------------------------------------------------------------- 
 bernhardf - 09-17-05 03:27  
---------------------------------------------------------------------- 
Please close bugs 154 and 356. -EINAPPROPRIATE

They are not related to busybox. 

---------------------------------------------------------------------- 
 wphelps - 09-17-05 09:01  
---------------------------------------------------------------------- 
Why is compilation and configuration of BusyBox not related to BusyBox? 

---------------------------------------------------------------------- 
 landley - 12-07-05 19:53  
---------------------------------------------------------------------- 
Sorry for the delay in replying to this, but I don't think anybody knew
what you were talking about.  Bridging is a kernel function, as is
replying to ARP requests.  The closest busybox has is a command that sends
arp ping requests.  Your system may have had busybox on it, but this really
sounds like a kernel issue.  (And you didn't give us a reproduction
sequence.)

If you want to follow up on this, please use the busybox mailing list
(busybox at busybox.net) for much faster turnaround times. :)

Rob 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
07-25-05 22:52  wphelps        New Issue                                    
07-25-05 22:52  wphelps        Status                   new => assigned     
07-25-05 22:52  wphelps        Assigned To               => BusyBox         
08-27-05 10:34  tbrown9        Note Added: 0000441                          
08-29-05 23:22  wphelps        Note Added: 0000471                          
09-14-05 07:46  bernhardf      Note Added: 0000526                          
09-14-05 11:19  wphelps        Note Added: 0000530                          
09-14-05 18:44  vapier         Note Added: 0000535                          
09-16-05 10:22  wphelps        Note Added: 0000539                          
09-17-05 03:27  bernhardf      Note Added: 0000542                          
09-17-05 09:01  wphelps        Note Added: 0000544                          
12-07-05 19:53  landley        Note Added: 0000731                          
======================================================================