Re: [PATCH 1/2 nf] netfilter: nf_queue: don't re-enter same hook on packet reinjection
Pablo Neira Ayuso writes:

> Make sure we skip the current hook from where the packet was enqueued,
> otherwise the packets get enqueued over and over again.
>
> Fixes: e3b37f11e6e4 ("netfilter: replace list_head with single linked list")
> Signed-off-by: Pablo Neira Ayuso
> ---
> I managed to reproduce this with a simple test.
>
> # iptables -I OUTPUT -j QUEUE
> # cd libnetfilter_queue/utils/
> # ./nfqnl_test
>
> Without my patch, netfilter munches packets that are reinjected.
>
> @Aaron: Please, I'd appreciate if you can have a look to confirm this bug
> and the fix. Thanks.

Looks like I missed this in my testing.

Reviewed-by: Aaron Conole

> net/netfilter/nf_queue.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
> index 96964a0070e1..221d7a5c2fec 100644
> --- a/net/netfilter/nf_queue.c
> +++ b/net/netfilter/nf_queue.c
> @@ -184,6 +184,7 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned > int verdict) > verdict = NF_DROP; > } > > + hook_entry = rcu_dereference(hook_entry->next); > entry->state.thresh = INT_MIN; > > if (verdict == NF_ACCEPT) {

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 1/2 nf] netfilter: nf_queue: don't re-enter same hook on packet reinjection
Make sure we skip the current hook from where the packet was enqueued,
otherwise the packets get enqueued over and over again.

Fixes: e3b37f11e6e4 ("netfilter: replace list_head with single linked list")
Signed-off-by: Pablo Neira Ayuso
---
I managed to reproduce this with a simple test.

# iptables -I OUTPUT -j QUEUE
# cd libnetfilter_queue/utils/
# ./nfqnl_test

Without my patch, netfilter munches packets that are reinjected.

@Aaron: Please, I'd appreciate if you can have a look to confirm this bug
and the fix. Thanks.

 net/netfilter/nf_queue.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 96964a0070e1..221d7a5c2fec 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -184,6 +184,7 @@ void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict) verdict = NF_DROP; } + hook_entry = rcu_dereference(hook_entry->next); entry->state.thresh = INT_MIN; if (verdict == NF_ACCEPT) {
--
2.1.4
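Review bot: The added `hook_entry = rcu_dereference(hook_entry->next);` does not show what happens when the packet was queued from the last hook in the chain and `next` is NULL; the visible context after `entry->state.thresh = INT_MIN;` (the `if (verdict == NF_ACCEPT)` path) gives no indication that a NULL `hook_entry` is tolerated there, so either confirm in the commit message that the downstream iteration treats NULL as "chain exhausted" or add an explicit NULL check before the verdict handling. A short comment above the new line explaining why the advance is required (the entry still points at the hook that enqueued the packet, so restarting iteration from it re-queues the packet, which is the loop the commit message describes) would make the intent clear to the next reader without having to consult e3b37f11e6e4.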