From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Mukund Jampala <jbmukund@gmail.com>
Cc: netfilter-devel@vger.kernel.org, kadlec@blackhole.kfki.hu,
kaber@trash.net, linux-kernel@vger.kernel.org
Subject: Re: problem: [PATCH] iptable_REJECT doesn't constructs the tcp reset packet cleanly
Date: Sun, 16 Dec 2012 23:32:08 +0100
Message-ID: <20121216223208.GA1304@1984>
In-Reply-To: <20121211005802.GA14525@1984>

On Tue, Dec 11, 2012 at 01:58:02AM +0100, Pablo Neira Ayuso wrote:
[...]
> On Mon, Dec 10, 2012 at 12:48:49PM -0800, Mukund Jampala wrote:
> > problem description:
> > The problem occurs when iptables constructs the tcp reset packet.
> > It doesn't initialize the pointer to the tcp header within the skb.
> > When the skb is passed to the ixgbe driver for transmit, the ixgbe
> > driver attempts to access the tcp header and crashes.
> > Currently, other drivers (such as our 1G e1000e or igb drivers) don't
> > access the tcp header on transmit unless the TSO option is turned on.
[...]
> > Solution: set the skb->transport_header to a valid data offset in ipt
> > reject module
> >
> > diff -up net/ipv4/netfilter/ipt_REJECT.c{.orig,}
> > --- net/ipv4/netfilter/ipt_REJECT.c.orig 2012-12-10 12:08:37.000000000 -0800
> > +++ net/ipv4/netfilter/ipt_REJECT.c 2012-12-10 12:10:08.000000000 -0800
> > @@ -79,6 +79,8 @@ static void send_reset(struct sk_buff *o
> > niph->saddr = oiph->daddr;
> > niph->daddr = oiph->saddr;
> >
> > +
> > + skb_reset_transport_header(nskb);
> > tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr));
> > memset(tcph, 0, sizeof(*tcph));
> > tcph->source = oth->dest;
> >
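
Review bot: the added skb_reset_transport_header(nskb) call sits before the skb_put() that creates the TCP header, and the two use different pointers: skb_reset_transport_header() records the current skb->data offset, while skb_put() appends at the tail and returns the old tail as tcph. The context lines above already fill in niph, so if the IP header was also appended with skb_put() (not visible in this hunk), skb->data still points at the IP header and transport_header would end up at niph rather than at tcph. Please confirm where nskb->data points at this call, or set the offset explicitly with skb_set_transport_header() using the IP header length so that the transport header is guaranteed to match the tcph returned on the next line. A one-line comment saying that drivers may read the transport header on transmit would help, and the extra empty added line above the call can be dropped.
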
> > Please let me know if you have any concerns with the patch.
>
> This is a good and extensive diagnosis, thanks a lot.
>
> Regarding your patch format, please, use git format-patch for your
> upcoming contributions and add the Signed-off-by tag to your patches.
> It makes
>
> But for this time, I'll do the formatting myself and will take this
> into the nf tree.

I have also made the same change for ip6t_REJECT.

Applied, thanks Mukund.