Re: [PATCH v3 nf-next 5/7] netfilter: add and use nf_ct_set helper

2017-01-23 Thread Jozsef Kadlecsik
On Mon, 23 Jan 2017, Florian Westphal wrote:

> Jozsef Kadlecsik  wrote:
> > > > > --- a/net/netfilter/core.c
> > > > > +++ b/net/netfilter/core.c
> > > > > @@ -375,7 +375,7 @@ void nf_ct_attach(struct sk_buff *new, const 
> > > > > struct sk_buff *skb)
> > > > >  {
> > > > >   void (*attach)(struct sk_buff *, const struct sk_buff *);
> > > > >  
> > > > > - if (skb_nfct(skb)) {
> > > > > + if (skb->nfct) {
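Review bot: the `-`/`+` pair swaps the skb_nfct(skb) accessor back to a raw `skb->nfct` read, which cuts against the point of this series (add and use helpers) and, as noted below, looks accidental; either restore `if (skb_nfct(skb)) {` or, if the raw test is deliberate so that the REJECT-generated reply inherits an UNTRACKED mark that has no nf_conn behind it, test the series' `_nfct` word and say so in the commit message.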
> > > > 
> > > > I guess this slipped through accidentally. No need to resend, I can
> > > > amend it here.
> > > 
> > > Hmm, let me review this.  I think the skb_nfct() conversion is erroneous.
> > > (Q: If original is UNTRACKED, should the reply packet that is being
> > >  attached be UNTRACKED or INVALID?)
> > 
> > If the packet is UNTRACKED, then how can there be a reply packet from 
> > conntrack point of view? In my opinion it's the user's responsibility to 
> > handle both directions.
> 
> afaics it would happen with this:
> 
> -t raw -j UNTRACKED
> -t filter -j REJECT
> 
> REJECT target ends up calling nf_ct_attach to associate the rst/icmp
> packet with original skb->nfct.

Ohh, I see. Yes, that should then be UNTRACKED as well. Thanks for the 
clarification!

Best regards,
Jozsef
-
E-mail  : kad...@blackhole.kfki.hu, kadlecsik.joz...@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
  H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH v3 nf-next 5/7] netfilter: add and use nf_ct_set helper

2017-01-23 Thread Florian Westphal
Jozsef Kadlecsik  wrote:
> > > > --- a/net/netfilter/core.c
> > > > +++ b/net/netfilter/core.c
> > > > @@ -375,7 +375,7 @@ void nf_ct_attach(struct sk_buff *new, const struct 
> > > > sk_buff *skb)
> > > >  {
> > > > void (*attach)(struct sk_buff *, const struct sk_buff *);
> > > >  
> > > > -   if (skb_nfct(skb)) {
> > > > +   if (skb->nfct) {
> > > 
> > > I guess this slipped through accidentally. No need to resend, I can
> > > amend it here.
> > 
> > Hmm, let me review this.  I think the skb_nfct() conversion is erroneous.
> > (Q: If original is UNTRACKED, should the reply packet that is being
> >  attached be UNTRACKED or INVALID?)
> 
> If the packet is UNTRACKED, then how can there be a reply packet from 
> conntrack point of view? In my opinion it's the user's responsibility to 
> handle both directions.

afaics it would happen with this:

-t raw -j UNTRACKED
-t filter -j REJECT

REJECT target ends up calling nf_ct_attach to associate the rst/icmp
packet with original skb->nfct.



Re: [PATCH v3 nf-next 5/7] netfilter: add and use nf_ct_set helper

2017-01-23 Thread Florian Westphal
Pablo Neira Ayuso  wrote:
> On Mon, Jan 23, 2017 at 01:28:48PM +0100, Florian Westphal wrote:
> > diff --git a/net/netfilter/core.c b/net/netfilter/core.c
> > index 0c629fdf90e1..ce6adfae521a 100644
> > --- a/net/netfilter/core.c
> > +++ b/net/netfilter/core.c
> > @@ -375,7 +375,7 @@ void nf_ct_attach(struct sk_buff *new, const struct 
> > sk_buff *skb)
> >  {
> > void (*attach)(struct sk_buff *, const struct sk_buff *);
> >  
> > -   if (skb_nfct(skb)) {
> > +   if (skb->nfct) {
> 
> I guess this slipped through accidentally. No need to resend, I can
> amend it here.

Hmm, let me review this.  I think the skb_nfct() conversion is erroneous.
(Q: If original is UNTRACKED, should the reply packet that is being
 attached be UNTRACKED or INVALID?)

I think it's "UNTRACKED", and then this needs testing of skb->_nfct.

(at least once the untracked object gets removed).
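To make the UNTRACKED question concrete, here is an added userspace model of the packed _nfct word this series moves to (example code written for this thread, not the kernel's or the patch's own; the mask, the IP_CT_UNTRACKED value and the helper bodies are assumptions). It contrasts the two gates nf_ct_attach could use: skb_nfct() skips an UNTRACKED original that carries no conntrack object, while testing the raw word still attaches, which is the behaviour the thread settles on for the REJECT-generated reply.

```c
#include <stddef.h>

/* Userspace model of the skb->_nfct encoding the nf_ct_set series moves to:
 * low 3 bits = ctinfo, remaining bits = nf_conn pointer.  Mask and enum
 * values here are assumptions for the model, not copied from the kernel. */
#define NFCT_INFOMASK 7UL
#define NFCT_PTRMASK  (~NFCT_INFOMASK)

enum ip_conntrack_info {
	IP_CT_ESTABLISHED = 0,
	IP_CT_NEW = 2,
	IP_CT_UNTRACKED = 7,	/* assumed: marks a skb with no nf_conn behind it */
};

struct nf_conn { _Alignas(8) long id; };	/* stand-in; 8-byte aligned so low bits are free */
struct sk_buff { unsigned long _nfct; };

/* The helper the series adds: pointer and ctinfo packed into one word. */
static inline void nf_ct_set(struct sk_buff *skb, struct nf_conn *ct,
			     enum ip_conntrack_info info)
{
	skb->_nfct = (unsigned long)ct | info;
}

static inline struct nf_conn *skb_nfct(const struct sk_buff *skb)
{
	return (struct nf_conn *)(skb->_nfct & NFCT_PTRMASK);
}

static inline enum ip_conntrack_info skb_ctinfo(const struct sk_buff *skb)
{
	return (enum ip_conntrack_info)(skb->_nfct & NFCT_INFOMASK);
}

/* nf_ct_attach()'s gate before copying conntrack state from the original skb
 * to the REJECT-generated RST/ICMP: 1 = attach, 0 = skip.  Via skb_nfct() an
 * UNTRACKED original that carries no nf_conn is skipped ... */
static int attach_if_skb_nfct(const struct sk_buff *orig)
{
	return skb_nfct(orig) != NULL;
}

/* ... whereas testing the raw word, as the thread converges on, still lets
 * the reply inherit the UNTRACKED mark. */
static int attach_if_nfct_word(const struct sk_buff *orig)
{
	return orig->_nfct != 0;
}
```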


Re: [PATCH v3 nf-next 5/7] netfilter: add and use nf_ct_set helper

2017-01-23 Thread Pablo Neira Ayuso
On Mon, Jan 23, 2017 at 01:28:48PM +0100, Florian Westphal wrote:
> diff --git a/net/netfilter/core.c b/net/netfilter/core.c
> index 0c629fdf90e1..ce6adfae521a 100644
> --- a/net/netfilter/core.c
> +++ b/net/netfilter/core.c
> @@ -375,7 +375,7 @@ void nf_ct_attach(struct sk_buff *new, const struct 
> sk_buff *skb)
>  {
>   void (*attach)(struct sk_buff *, const struct sk_buff *);
>  
> - if (skb_nfct(skb)) {
> + if (skb->nfct) {

I guess this slipped through accidentally. No need to resend, I can
amend it here.

>   rcu_read_lock();
>   attach = rcu_dereference(ip_ct_attach);
>   if (attach)
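Review bot: the condition in this hunk gates whether the rcu_dereference(ip_ct_attach) path in the trailing context runs at all, so the choice between skb_nfct(skb) and the raw field is a semantic one, not a style one: for an original marked UNTRACKED with no conntrack object behind it, skb_nfct() is NULL and the RST/ICMP reply never gets the mark. If the raw test is kept, a one-line comment above the `if` stating that the helper is bypassed on purpose would stop the next cleanup from reverting it.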
