From: Florian Westphal <fw@strlen.de>
To: Sebastian Poehn <sebastian.poehn@gmail.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>,
netdev@vger.kernel.org, David Miller <davem@davemloft.net>,
Florian Westphal <fw@strlen.de>
Subject: Re: [FYI] xfrm: Don't lookup sk_policy for timewait sockets
Date: Mon, 13 Apr 2015 18:04:25 +0200 [thread overview]
Message-ID: <20150413160425.GA23168@breakpoint.cc> (raw)
In-Reply-To: <1428937760.6534.23.camel@googlemail.com>
Sebastian Poehn <sebastian.poehn@gmail.com> wrote:
> On Mon, 2015-04-13 at 10:04 +0200, Sebastian Poehn wrote:
> >
> > Played around with sending crafted packets to a transparent tw socket.
> >
> > For SYN tproxy does the re-lookup of the listening socket, which is fine. But for
> > packets without SYN is assigns the tw socket. However this is not an issue as the
> > fw mark is set, policy routing processes frame, so it becomes input and finally is
> > dropped in TCP receive path. But if I remove the policy routing rule the frame
> > enters the forwarding path.
> >
> > Unfortunately this did not trigger the panic but this may be just by chance.
> >
> > However I can't explain what is wrong with the ip rule maybe setup related.
> >
> First of all: This issue will only happen if there is something screwed up with
> policy routing. We don't use any 'exotic' policy to match the TPROXY traffic nor
> is there anything that could damage the mark.
>
> ip rule add from all fwmark 0x1/0x1 lookup X
>
> However it happens - maybe a race with configuration.
>
> I found TPROXY behavior correct:
> 1) For SYN on tw socket it assigns listening socket
> 2) Otherwise tw socket is assigned with is required for protocol conformity
>
> Principally the problem is that TPROXY cannot ensure that policy routing is
> working correctly. Florian suggested me to clean skb->sk in ip_forward. I even think
> dropping the frame is fine. Not sure if this is suited for mainline.
I agree, drop is preferable. I also think this should go in mainline,
kernel shouldn't be prone to oopses just because someone flushed ip rules at wrong
moment.
Thanks Sebastian.
next prev parent reply other threads:[~2015-04-13 16:04 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-04-09 8:09 [FYI] xfrm: Don't lookup sk_policy for timewait sockets Sebastian Poehn
2015-04-09 9:07 ` Eric Dumazet
2015-04-09 9:24 ` Sebastian Poehn
2015-04-09 18:37 ` David Miller
2015-04-09 19:14 ` Florian Westphal
2015-04-09 21:07 ` David Miller
2015-04-09 21:21 ` Florian Westphal
2015-04-10 11:14 ` Sebastian Poehn
2015-04-13 8:04 ` Sebastian Poehn
2015-04-13 15:09 ` Sebastian Poehn
2015-04-13 15:39 ` Eric Dumazet
2015-04-13 17:25 ` David Miller
2015-04-13 16:04 ` Florian Westphal [this message]
2015-04-09 19:21 ` Eric Dumazet
2015-04-09 19:25 ` Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150413160425.GA23168@breakpoint.cc \
--to=fw@strlen.de \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=sebastian.poehn@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.