vxlan open udp socket on 0.0.0.0 even when local address is set

davidhadas · 05-09-2024, 09:05 AM

Hi,

Code:

ip netns add test 
ip netns exec test /bin/bash
ip link set dev lo up 
ip link add vxlan1 type vxlan id 1 remote 127.0.0.3  local 127.0.0.2 dev lo dstport 4789
ip link set vxlan1 up

netstat -pln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:4789            0.0.0.0:*

I was expecting to see that vlanx listens on 127.0.0.2:4789 instead it listens to 0.0.0.0 (which blocks opening 4789 on any other IP in this network namespace, e.g. 127.0.0.3).

(1) Is it intentional to always open on 0.0.0.0? If so, why?
(2) Is there a way to force vxlan to listen only on a specific IP addresses?
(3) This seems to open up systems to vulnerabilities since it does not allow limiting the ingress from which vxlan traffic is accepted on?
(4) No warning is documented in the manual regarding this behavior.
(5) Is this the code being executed? If so, it shows that `udp_conf.local_ip` is zeroed and not set by `saddr` when `vxlan_sock_add` is called.

Code:

struct vxlan_config {
        ...
	union vxlan_addr	saddr;
        ...
}

struct vxlan_dev {
        ...
	struct vxlan_config	cfg;
        ...
};

Tnx, DH

scasey · 05-10-2024, 10:31 PM

There’s nothing listening on udp port 4789. If there were, the Status column would contain LISTEN
What’s the tcp entry for port 4789 say?

davidhadas · 05-10-2024, 11:23 PM

@SCASEY,

This is normal for UDP ports - they do not show a LISTENING state
It is not an indication that the port is not open.

Code:

nc -luk 0.0.0.0 1234&
[1] 1954496
root@coco:~# netstat -pln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:1234            0.0.0.0:*                           1954496/nc