Udpcast not working with grsecurity


Post by vita » Wed Mar 16, 2016 4:41 pm

I have some odd issue when using udpcast (https://www.udpcast.linux.lu/) with a grsec kernel. The program basically sends data from A to B via udp.
I'm using the program in unidirectional mode: https://www.udpcast.linux.lu/satellite.html. But I can't receive data sent to a system with a grsec kernel (version 4.4.3, vanilla kernel on Debian stretch). Tcpdump shows that the data reaches the system but it is somehow not recognized by udp-receiver. If I use the non-grsec kernel (same version) it works without problems. I can also send data from the grsec system to other PCs so udp-sender is working on this system.
Journalctl doesn't really spit out anything useful (resource overstepping for xinit and pulseaudio, denied priority change of rtkit-daemon). I tried disabling some network related grsec stuff via sysctl.conf but this didn't change anything. I don't know which grsec options could be a cause for this behavior, so any help would be greatly appreciated.
vita
 
Posts: 4
Joined: Wed Mar 16, 2016 3:42 pm

Re: Udpcast not working with grsecurity

Post by spender » Wed Mar 16, 2016 6:16 pm

What is /proc/sys/kernel/grsecurity/ip_blackhole set to?

That's the only feature that could possibly have any effect here, depending on how the communication is supposed to work. If the UDP packets are being sent to a host that isn't listening on that particular port, they'll simply be dropped without any replies.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm

Re: Udpcast not working with grsecurity

Post by vita » Thu Mar 17, 2016 8:23 am

Ip_blackhole was also the feature I was thinking of but disabling it via sysctl.conf didn't change anything ( /proc/sys/kernel/grsecurity/ip_blackhole set to 0 ). I recompiled the kernel without ip_blackhole but still udp-receiver is not working. Netstat shows more open sockets for the normal kernel though it's a bit hard to dig through. The most obvious is an additional udp connection at 224.2.2.2:9000 for udp-receiver which is not present on the grsec kernel. I also see incoming packets on RX but no packets are dropped. They just seem to not get through to the program.
vita
 
Posts: 4
Joined: Wed Mar 16, 2016 3:42 pm

Re: Udpcast not working with grsecurity

Post by vita » Wed Mar 23, 2016 9:05 am

I did some more tests and finally used the patched kernel but disabled grsecurity completely. Yet, the same problem occurred. Looking at the patch I see some files related to udp and networking in general which are changed or created (i.e. net/ipv4/udp.c net/ipv6/udp.c grsecurity/grsec_sock.c grsecurity/gracl_ip.c ...) but I don't know which one of them could cause this behavior (or maybe it isn't one of them at all). Any hints for further debugging?
vita
 
Posts: 4
Joined: Wed Mar 16, 2016 3:42 pm

Re: Udpcast not working with grsecurity

Post by spender » Wed Mar 23, 2016 9:23 am

Grsecurity does tweak the default value of some network-related sysctls, I forgot to mention that.

The culprit here is most likely the setting for rp_filter, which though it adds security for the majority of users, can break some unusual cases like yours.

Add:
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0

to your /etc/sysctl.conf and it should fix the problem.

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm
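
An added example, not part of the original post or of grsecurity: a shell check of which reverse-path filter mode is actually in force on each interface after changing the sysctls above. The kernel validates sources using the larger of conf/all/rp_filter and conf/<interface>/rp_filter, so an interface whose own value is still 1 stays strict even when "all" is 0. The function name and its optional directory argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example: report the effective rp_filter mode per interface.
# Effective mode = max(conf/all/rp_filter, conf/<iface>/rp_filter).

rp_mode_name() {
    case "$1" in
        0) echo "off" ;;      # no source validation
        1) echo "strict" ;;   # reply route must use the receiving interface
        2) echo "loose" ;;    # source must be reachable via any interface
        *) echo "unknown" ;;
    esac
}

# rp_filter_report [CONF_DIR]
# CONF_DIR defaults to the live sysctl tree; passing another directory
# (hypothetical parameter) lets the logic be exercised on constructed data.
rp_filter_report() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    if [ ! -r "$conf_dir/all/rp_filter" ]; then
        echo "no rp_filter found under $conf_dir" >&2
        return 1
    fi
    all=$(cat "$conf_dir/all/rp_filter")
    for d in "$conf_dir"/*; do
        [ -d "$d" ] || continue
        iface=$(basename "$d")
        # "all" and "default" are not interfaces; skip them in the report
        case "$iface" in all|default) continue ;; esac
        [ -r "$d/rp_filter" ] || continue
        own=$(cat "$d/rp_filter")
        if [ "$own" -gt "$all" ]; then eff=$own; else eff=$all; fi
        echo "$iface all=$all iface=$own effective=$eff($(rp_mode_name "$eff"))"
    done
}

# Report on the live system when the sysctl tree is present.
if [ -r /proc/sys/net/ipv4/conf/all/rp_filter ]; then
    rp_filter_report || true
fi
```

Any interface that still reports strict after the sysctl.conf change needs its own net.ipv4.conf.<interface>.rp_filter entry lowered as well.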

Re: Udpcast not working with grsecurity

Post by vita » Wed Mar 30, 2016 6:07 am

That worked. Thanks a lot :)
vita
 
Posts: 4
Joined: Wed Mar 16, 2016 3:42 pm
