Re: [PATCH] netfilter: use fwmark_reflect in nf_send_reset

[Pablo Neira Ayuso <pablo@netfilter.org>]

Hi Pau,

Cc'ing Lorenzo, I think the original intention is to cover this case
too.

On Thu, Dec 15, 2016 at 01:43:43PM +0100, Pau Espin Pedrol wrote:
> Otherwise, RST packets generated by ipt_REJECT always have mark 0 when
> the routing is checked later in the same code path.

I think this is fixing e110861f8609. So please add this before your
Signed-off-by tag.

Fixes: e110861f8609 ("net: add a sysctl to reflect the fwmark on replies")

More comments below.

> Signed-off-by: Pau Espin Pedrol <pau.espin@tessares.net>
> ---
>  net/ipv4/netfilter/nf_reject_ipv4.c | 2 ++
>  net/ipv6/netfilter/nf_reject_ipv6.c | 3 +++
>  2 files changed, 5 insertions(+)
> 
> diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
> index fd82202..d088295 100644
> --- a/net/ipv4/netfilter/nf_reject_ipv4.c
> +++ b/net/ipv4/netfilter/nf_reject_ipv4.c
> @@ -126,6 +126,8 @@ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook)
>  	/* ip_route_me_harder expects skb->dst to be set */
>  	skb_dst_set_noref(nskb, skb_dst(oldskb));
>  
> +	nskb->mark = IP4_REPLY_MARK(dev_net(oldskb->dev), oldskb->mark);

nf_send_reset() already takes 'struct net *' as parameter, so no need
to look up for net again via dev_net().

> +
>  	skb_reserve(nskb, LL_MAX_HEADER);
>  	niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP,
>  				   ip4_dst_hoplimit(skb_dst(nskb)));
> diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
> index 1009040..008b0ce 100644
> --- a/net/ipv6/netfilter/nf_reject_ipv6.c
> +++ b/net/ipv6/netfilter/nf_reject_ipv6.c
> @@ -152,6 +152,7 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
>  
>  	memset(&fl6, 0, sizeof(fl6));
>  	fl6.flowi6_proto = IPPROTO_TCP;
> +	fl6.flowi6_mark = IP6_REPLY_MARK(dev_net(oldskb->dev), oldskb->mark);

Same thing here.

Please, address this feedback and send a v2. Thanks.

>  	fl6.saddr = oip6h->daddr;
>  	fl6.daddr = oip6h->saddr;
>  	fl6.fl6_sport = otcph->dest;
> @@ -180,6 +181,8 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
>  
>  	skb_dst_set(nskb, dst);
>  
> +	nskb->mark = fl6.flowi6_mark;
> +
>  	skb_reserve(nskb, hh_len + dst->header_len);
>  	ip6h = nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_TCP,
>  				    ip6_dst_hoplimit(dst));
> -- 
> 2.7.4
> 
> 
> -- 
> 
> ------------------------------
> DISCLAIMER.
> This email and any files transmitted with it are confidential and intended 
> solely for the use of the individual or entity to whom they are addressed. 
> If you have received this email in error please notify the system manager. 
> This message contains confidential information and is intended only for the 
> individual named. If you are not the named addressee you should not 
> disseminate, distribute or copy this e-mail. Please notify the sender 
> immediately by e-mail if you have received this e-mail by mistake and 
> delete this e-mail from your system. If you are not the intended recipient 
> you are notified that disclosing, copying, distributing or taking any 
> action in reliance on the contents of this information is strictly 
> prohibited.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html