Re: Comment on nf_queue NF_STOLEN patch

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Jim Sansing <jjsansing@verizon.net>,
	Linux Network Development list <netdev@vger.kernel.org>,
	Netfilter Development Mailinglist
	<netfilter-devel@vger.kernel.org>,
	Florian Westphal <fw@strlen.de>
Subject: Re: Comment on nf_queue NF_STOLEN patch
Date: Thu, 20 Oct 2011 12:30:15 +0200	[thread overview]
Message-ID: <20111020103015.GB20625@1984> (raw)
In-Reply-To: <1318997435.19139.16.camel@edumazet-laptop>

On Wed, Oct 19, 2011 at 06:10:35AM +0200, Eric Dumazet wrote:
> Le mardi 18 octobre 2011 à 17:34 -0400, Jim Sansing a écrit :
> > Eric Dumazet wrote:
> > > Le mardi 18 octobre 2011 à 15:08 -0400, Jim Sansing a écrit :
> > >   
> > >> I have been working on a kernel module that registers with netfilter,
> > >> and I noticed that a patch was added to nf_queue that changed the
> > >> handling of return code NF_FILTER from 'do nothing' to 'free the skb'. 
> > >> I'm not sure which kernel version this went in, but the date of the
> > >> patch is Feb, 19, 2010.
> > >>
> > >> Everything I have read about netfilter states that it is up to the
> > >> netfilter hook to free the skb if NF_STOLEN is returned.  The
> > >> implications of this patch from a hook programming perspective are:
> > >>
> > >> 1) If the skb is used after the return from the hook, it must be cloned.
> > >> 2) The original skb must not be freed.
> > >>
> > >> I suggest that a comment be added to include/linux/netfilter.h that says
> > >> explicitly the skb will be freed if NF_STOLEN is returned.
> > >>     
> > >
> > > But its not true. Just read the code.
> > >
> > > If you are working on this stuff I recommend you take a look at
> > > commits :
> > >
> > > c6675233f9015d3c0460c8aab53ed9b99d915c64
> > > (netfilter: nf_queue: reject NF_STOLEN verdicts from userspace)
> > >
> > > fad54440438a7c231a6ae347738423cbabc936d9
> > > (netfilter: avoid double free in nf_reinject)
> > >
> > > 64507fdbc29c3a622180378210ecea8659b14e40
> > > (netfilter: nf_queue: fix NF_STOLEN skb leak)
> > >
> > > 3bc38712e3a6e0596ccb6f8299043a826f983701
> > > ([NETFILTER]: nf_queue: handle NF_STOP and unknown verdicts in
> > > nf_reinject)
> > >
> > >   
> > 
> > I see that fad54440438a7c231a6ae347738423cbabc936d9 (netfilter: avoid
> > double free in nf_reinject) returns the switch case for NF_STOLEN back
> > to the original state, but I just downloaded 3.0.4, and the skb is still
> > freed.  So for some versions of the kernel, the situation exists. 
> > Hopefully anyone who runs into it will find this thread.
> > 
> 
> Hopefully netfilter guys (CCed) will sort out the problem and ask stable
> submissions, if not already done. 3.0.4 is quite old :)

Not done yet, sorry. I'll do it asap.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

next prev parent reply	other threads:[~2011-10-20 10:30 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2011-10-14 19:18 Problem with ixgbe and TX locked on one cpu Paweł Staszewski
2011-10-18 18:57 ` Jesse Brandeburg
2011-10-18 19:08   ` Comment on nf_queue NF_STOLEN patch Jim Sansing
2011-10-18 21:23     ` Eric Dumazet
2011-10-18 21:34       ` Jim Sansing
2011-10-19  4:10         ` Eric Dumazet
2011-10-20 10:30           ` Pablo Neira Ayuso [this message]
2011-10-19  9:21   ` Problem with ixgbe and TX locked on one cpu Paweł Staszewski
2011-10-19  9:21   ` Paweł Staszewski

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20111020103015.GB20625@1984 \
    --to=pablo@netfilter.org \
    --cc=eric.dumazet@gmail.com \
    --cc=fw@strlen.de \
    --cc=jjsansing@verizon.net \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.