From: Pablo Neira Ayuso <pablo@netfilter.org>
To: KOVACS Krisztian <hidden@balabit.com>
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,
Alex Badics <alex.badics@balabit.com>,
Eric Dumazet <eric.dumazet@gmail.com>
Subject: Re: [PATCH] netfilter: xt_socket: fix transparent match for IPv6 request sockets
Date: Sun, 25 Sep 2016 13:47:29 +0200
Message-ID: <20160925114729.GA8645@salvia>
In-Reply-To: <20160923092742.88262-1-hidden@balabit.com>
On Fri, Sep 23, 2016 at 11:27:42AM +0200, KOVACS Krisztian wrote:
> The introduction of TCP_NEW_SYN_RECV state, and the addition of request
> sockets to the ehash table seems to have broken the --transparent option
> of the socket match for IPv6 (around commit a9407000).
>
> Now that the socket lookup finds the TCP_NEW_SYN_RECV socket instead of the
> listener, the --transparent option tries to match on the no_srccheck flag
> of the request socket.
>
> Unfortunately, that flag was only set for IPv4 sockets in tcp_v4_init_req()
> by copying the transparent flag of the listener socket. This effectively
> causes '-m socket --transparent' not to match on the ACK packet sent by the
> client in a TCP handshake.
>
> Based on the suggestion from Eric Dumazet, this change moves the code
> initializing no_srccheck to tcp_conn_request(), rendering the above
> scenario working again.
Applied, thanks Krisztian.
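To exercise the code path this fix restores, the script below emits the usual IPv6 TPROXY ruleset in which '-m socket --transparent' diverts packets belonging to sockets the proxy already owns, ahead of the TPROXY rule that redirects new connections. It is an added example, not code from this patch or from the netfilter project; the proxy port 3128, target port 80, fwmark 0x1 and routing table 100 are assumptions. With the bug described in the commit message, the client's handshake ACK would miss the socket rule and fall through to the TPROXY rule instead.

```shell
#!/bin/sh
# Added example: IPv6 TPROXY ruleset built around '-m socket --transparent'.
# Not code from the patch or the netfilter project. The port numbers, mark
# and routing table below are assumptions, not values from the page.

PROXY_PORT=${PROXY_PORT:-3128}   # where the transparent proxy listens (assumed)
TARGET_PORT=${TARGET_PORT:-80}   # client traffic to intercept (assumed)
MARK=0x1                         # fwmark used for policy routing (assumed)
TABLE=100                        # routing table delivering marked packets locally (assumed)

# Emit the commands one per line, in the order they must be applied.
# The socket match comes first: packets for an existing transparent socket
# (including the request socket created by a SYN) are diverted to the proxy
# without going through TPROXY again.
tproxy_rules() {
    cat <<EOF
ip6tables -t mangle -N DIVERT
ip6tables -t mangle -A DIVERT -j MARK --set-mark $MARK
ip6tables -t mangle -A DIVERT -j ACCEPT
ip6tables -t mangle -A PREROUTING -p tcp -m socket --transparent -j DIVERT
ip6tables -t mangle -A PREROUTING -p tcp --dport $TARGET_PORT -j TPROXY --tproxy-mark $MARK/$MARK --on-port $PROXY_PORT
ip -6 rule add fwmark $MARK lookup $TABLE
ip -6 route add local ::/0 dev lo table $TABLE
EOF
}

# Apply only when explicitly asked and running as root; otherwise print
# the commands so the ruleset can be reviewed first.
run_rules() {
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        tproxy_rules | sh -e
    else
        tproxy_rules
    fi
}

# Sanity check: the socket match must precede the TPROXY rule, otherwise
# the proxy's own established connections get re-redirected.
rules_ordered() {
    tproxy_rules | awk '
        /-m socket --transparent/ { s = NR }
        /-j TPROXY/               { t = NR }
        END { exit !(s && t && s < t) }'
}

run_rules
```

Run as root with `APPLY=1` to install the rules; without it the script only prints them. After applying, a `tcpdump -ni any 'tcp[tcpflags] == tcp-ack'`-style capture on the proxy host will show whether the third handshake packet is counted by the DIVERT chain (`ip6tables -t mangle -L DIVERT -v`) rather than by the TPROXY rule.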
Thread overview (5+ messages):
2016-09-23 9:27 [PATCH] netfilter: xt_socket: fix transparent match for IPv6 request sockets KOVACS Krisztian
2016-09-25 11:47 ` Pablo Neira Ayuso [this message]
-- strict thread matches above, loose matches on Subject: below --
2016-09-20 13:26 KOVACS Krisztian
2016-09-20 15:01 ` Eric Dumazet
2016-09-20 15:05 ` Eric Dumazet