From: Florian Westphal <fw@strlen.de>
To: Patrick McHardy <kaber@trash.net>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Michal Kubecek <mkubecek@suse.cz>,
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
netfilter-devel@vger.kernel.org, linux-sctp@vger.kernel.org,
Vlad Yasevich <vyasevich@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>,
fw@strlen.de
Subject: Re: [RFC PATCH -next] netfilter: nf_ct_sctp: validate vtag for new conntrack entries
Date: Thu, 26 Nov 2015 14:33:28 +0000 [thread overview]
Message-ID: <20151126143328.GC32716@breakpoint.cc> (raw)
In-Reply-To: <20151126141552.GH16828@macbook.localdomain>
Patrick McHardy <kaber@trash.net> wrote:
> The way I see it we basically have two options for fixing this:
>
> * disable the generic protocol entirely
That was the original v1 patch, BUT that means that we do not
support NAT for protocols without l4 tracker anymore (which
is why we did not remove generic protocol).
> * add a helper for every protocol for which we support matching on the identity
> of a flow and load the helper automatically when conntrack is enabled and
> the match is used.
Yes, but that might take a while.
The existing way (skip if module) is a compromise to attempt to not break
existing setups.
If e.g. SCTP=n and user has -p sctp --dport 42 -j ACCEPT then all
sctp packets will match the generic entry for sctp, i.e. the --dport 42
is redundant if an ESTABLISHED accept catchall is used.
Thats not nice, but the alternative is to break things when
NAT is used for that protocol...
If we have SCTP=n and its not loaded, we skip the generic tracker and
users need to load the extra module. Granted, that breaks things as
well in some cases, but at least thats fixable without 'rebuild
kernel'...
WARNING: multiple messages have this Message-ID (diff)
From: Florian Westphal <fw@strlen.de>
To: Patrick McHardy <kaber@trash.net>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Michal Kubecek <mkubecek@suse.cz>,
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
netfilter-devel@vger.kernel.org, linux-sctp@vger.kernel.org,
Vlad Yasevich <vyasevich@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>,
fw@strlen.de
Subject: Re: [RFC PATCH -next] netfilter: nf_ct_sctp: validate vtag for new conntrack entries
Date: Thu, 26 Nov 2015 15:33:28 +0100 [thread overview]
Message-ID: <20151126143328.GC32716@breakpoint.cc> (raw)
In-Reply-To: <20151126141552.GH16828@macbook.localdomain>
Patrick McHardy <kaber@trash.net> wrote:
> The way I see it we basically have two options for fixing this:
>
> * disable the generic protocol entirely
That was the original v1 patch, BUT that means that we do not
support NAT for protocols without l4 tracker anymore (which
is why we did not remove generic protocol).
> * add a helper for every protocol for which we support matching on the identity
> of a flow and load the helper automatically when conntrack is enabled and
> the match is used.
Yes, but that might take a while.
The existing way (skip if module) is a compromise to attempt to not break
existing setups.
If e.g. SCTP=n and user has -p sctp --dport 42 -j ACCEPT then all
sctp packets will match the generic entry for sctp, i.e. the --dport 42
is redundant if an ESTABLISHED accept catchall is used.
Thats not nice, but the alternative is to break things when
NAT is used for that protocol...
If we have SCTP=n and its not loaded, we skip the generic tracker and
users need to load the extra module. Granted, that breaks things as
well in some cases, but at least thats fixable without 'rebuild
kernel'...
next prev parent reply other threads:[~2015-11-26 14:33 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-25 19:13 [RFC PATCH -next] netfilter: nf_ct_sctp: validate vtag for new conntrack entries Marcelo Ricardo Leitner
2015-11-25 19:13 ` Marcelo Ricardo Leitner
2015-11-25 19:42 ` Pablo Neira Ayuso
2015-11-25 19:42 ` Pablo Neira Ayuso
2015-11-25 20:20 ` Marcelo Ricardo Leitner
2015-11-25 20:20 ` Marcelo Ricardo Leitner
2015-11-25 20:58 ` Michal Kubecek
2015-11-25 20:58 ` Michal Kubecek
2015-11-26 9:51 ` Pablo Neira Ayuso
2015-11-26 9:51 ` Pablo Neira Ayuso
2015-11-26 12:52 ` Marcelo Ricardo Leitner
2015-11-26 12:52 ` Marcelo Ricardo Leitner
2015-11-26 14:15 ` Patrick McHardy
2015-11-26 14:33 ` Florian Westphal [this message]
2015-11-26 14:33 ` Florian Westphal
2015-11-26 14:49 ` Patrick McHardy
2015-11-26 15:07 ` Florian Westphal
2015-11-26 15:07 ` Florian Westphal
2015-11-26 15:11 ` Patrick McHardy
2015-11-26 15:12 ` Pablo Neira Ayuso
2015-11-26 15:12 ` Pablo Neira Ayuso
2015-11-26 15:24 ` Patrick McHardy
2015-11-26 15:54 ` Pablo Neira Ayuso
2015-11-26 15:54 ` Pablo Neira Ayuso
2015-11-26 16:02 ` Patrick McHardy
2015-11-26 16:15 ` Pablo Neira Ayuso
2015-11-26 16:15 ` Pablo Neira Ayuso
2015-11-26 16:25 ` Patrick McHardy
2015-11-26 16:43 ` Pablo Neira Ayuso
2015-11-26 16:43 ` Pablo Neira Ayuso
2015-11-26 16:53 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151126143328.GC32716@breakpoint.cc \
--to=fw@strlen.de \
--cc=kaber@trash.net \
--cc=linux-sctp@vger.kernel.org \
--cc=marcelo.leitner@gmail.com \
--cc=mkubecek@suse.cz \
--cc=netfilter-devel@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=pablo@netfilter.org \
--cc=vyasevich@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.