From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Pau Espin Pedrol <pau.espin@tessares.net>
Cc: netfilter-devel@vger.kernel.org, pespin.shar@gmail.com,
	Lorenzo Colitti <lorenzo@google.com>
Subject: Re: [PATCH] netfilter: use fwmark_reflect in nf_send_reset
Date: Fri, 23 Dec 2016 15:16:28 +0100	[thread overview]
Message-ID: <20161223141628.GA20986@salvia> (raw)
In-Reply-To: <1481882607-461-1-git-send-email-pau.espin@tessares.net>

Hi Pau,

On Fri, Dec 16, 2016 at 11:03:27AM +0100, Pau Espin Pedrol wrote:
> Otherwise, RST packets generated by ipt_REJECT always have mark 0 when
> the routing is checked later in the same code path.

Your patch works fine, I can see mark is reflected to TCP RST for
packets that are generated by netfilter.

However, it seems fwmark_reflect is broken here for TCP RST that are
generated by the stack, or at least I don't manage to trigger the
reflection with current git tree.

Using this simple ruleset to mark input packets:

# nft list ruleset
table ip x {
        chain y {
                type filter hook output priority 0; policy accept;
                log prefix "output: "
        }

        chain z {
                type filter hook input priority 0; policy accept;
                mark set 0x00000001
                log prefix "input: "
        }
}

Note input packets show mark 0x1:

Dec 23 15:07:37 salvia kernel: [14895.204591] input: IN=eth0 OUT=
MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27691 DF
PROTO=TCP SPT=36341 DPT=24 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x1 

however, output shows no mark, so no reflection is going on:

Dec 23 15:07:37 salvia kernel: [14895.204643] output: IN= OUT=eth0
SRC=192.168.12.195 DST=192.168.12.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64
ID=52846 DF PROTO=TCP SPT=24 DPT=36341 WINDOW=0 RES=0x00 ACK RST
URGP=0 

fwmark_reflect works perfectly fine with ICMP:

Dec 23 15:11:21 salvia kernel: [15119.556780] input: IN=eth0 OUT=
MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=5429 SEQ=2 MARK=0x1
 
Dec 23 15:11:21 salvia kernel: [15119.556822] output: IN= OUT=eth0
SRC=192.168.2.195 DST=192.168.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64
ID=25617 PROTO=ICMP TYPE=0 CODE=0 ID=5429 SEQ=2 MARK=0x1 

Thanks.
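To make the comparison Pablo does by eye above reproducible, here is a small added Python checker (not part of the mail or of the netfilter tree) that parses kernel `log prefix` lines, pairs each `output:` entry with the `input:` packet it answers (reversed addresses and ports for TCP, echo identifier for ICMP) and reports whether the MARK was carried over. The sample log lines are constructed after the ones quoted in the mail, joined onto single lines, and the ICMP reply's addresses are chosen to mirror the echo request so that the pair can be correlated.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines modelled on the kernel log output quoted in the
# mail above (each wrapped entry joined onto one line; the ICMP reply's
# addresses mirror the echo request so the pair can be correlated).
SAMPLE_LOG = [
    "Dec 23 15:07:37 salvia kernel: [14895.204591] input: IN=eth0 OUT= MAC=... "
    "SRC=192.168.12.1 DST=192.168.12.195 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27691 DF "
    "PROTO=TCP SPT=36341 DPT=24 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x1",
    "Dec 23 15:07:37 salvia kernel: [14895.204643] output: IN= OUT=eth0 "
    "SRC=192.168.12.195 DST=192.168.12.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=52846 DF PROTO=TCP SPT=24 DPT=36341 WINDOW=0 RES=0x00 ACK RST URGP=0",
    "Dec 23 15:11:21 salvia kernel: [15119.556780] input: IN=eth0 OUT= MAC=... "
    "SRC=192.168.12.1 DST=192.168.12.195 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP "
    "TYPE=8 CODE=0 ID=5429 SEQ=2 MARK=0x1",
    "Dec 23 15:11:21 salvia kernel: [15119.556822] output: IN= OUT=eth0 "
    "SRC=192.168.12.195 DST=192.168.12.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=25617 PROTO=ICMP TYPE=0 CODE=0 ID=5429 SEQ=2 MARK=0x1",
]

# "[<uptime>] <log prefix>: <key=value ...>" as printed by the kernel log target.
_LINE_RE = re.compile(r"\[\s*\d+\.\d+\]\s+(?P<prefix>\w+):\s+(?P<rest>.*)$")


def parse_nflog(line: str) -> Optional[Dict]:
    """Split one netfilter log line into its prefix, key=value fields and bare flags.

    Returns None for kernel lines that do not carry a netfilter log entry.
    """
    m = _LINE_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    flags: set = set()
    seen_icmp_type = False
    for tok in m.group("rest").split():
        if "=" not in tok:
            flags.add(tok)            # DF, SYN, ACK, RST carry no value
            continue
        key, value = tok.split("=", 1)
        if key == "TYPE":
            seen_icmp_type = True
        if key == "ID" and seen_icmp_type:
            key = "ICMP_ID"           # the second ID= on ICMP lines is the echo identifier
        fields[key] = value
    return {"prefix": m.group("prefix"), "fields": fields, "flags": flags}


def _is_reply_to(out_f: Dict[str, str], in_f: Dict[str, str]) -> bool:
    """True when the output packet is the stack's answer to the input packet."""
    if out_f.get("PROTO") != in_f.get("PROTO"):
        return False
    if out_f.get("SRC") != in_f.get("DST") or out_f.get("DST") != in_f.get("SRC"):
        return False
    proto = out_f.get("PROTO")
    if proto == "TCP":
        return out_f.get("SPT") == in_f.get("DPT") and out_f.get("DPT") == in_f.get("SPT")
    if proto == "ICMP":
        # echo reply (type 0) answering an echo request (type 8) with the same identifier
        return (in_f.get("TYPE"), out_f.get("TYPE")) == ("8", "0") and \
            out_f.get("ICMP_ID") == in_f.get("ICMP_ID")
    return True


def check_mark_reflection(lines: List[str]) -> List[Dict]:
    """Pair each 'output' entry with the 'input' entry it answers and compare MARK."""
    records = [r for r in map(parse_nflog, lines) if r is not None]
    inputs = [r for r in records if r["prefix"] == "input"]
    results = []
    for out in records:
        if out["prefix"] != "output":
            continue
        for inp in inputs:
            if _is_reply_to(out["fields"], inp["fields"]):
                in_mark = inp["fields"].get("MARK")
                out_mark = out["fields"].get("MARK")
                results.append({
                    "proto": out["fields"].get("PROTO"),
                    "flags": sorted(out["flags"]),
                    "in_mark": in_mark,
                    "out_mark": out_mark,
                    "reflected": in_mark is not None and in_mark == out_mark,
                })
                break
    return results


if __name__ == "__main__":
    for r in check_mark_reflection(SAMPLE_LOG):
        status = "reflected" if r["reflected"] else "NOT reflected"
        print(f"{r['proto']:<4} {' '.join(r['flags']):<10} "
              f"in MARK={r['in_mark']} out MARK={r['out_mark']}: {status}")
```

Run against the constructed lines, the checker reports the TCP `ACK RST` reply with no MARK at all (not reflected) and the ICMP echo reply with `MARK=0x1` (reflected), which is exactly the asymmetry the mail describes. Feeding it `journalctl -k` or `dmesg` output from a host with the ruleset above loaded lets you confirm whether a given kernel propagates the mark to stack-generated resets.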

2016-12-15 12:43 [PATCH] netfilter: use fwmark_reflect in nf_send_reset Pau Espin Pedrol
2016-12-15 20:27 ` Pablo Neira Ayuso
2016-12-16 10:03 ` Pau Espin Pedrol
2016-12-23 14:16   ` Pablo Neira Ayuso [this message]
2016-12-27 21:51     ` Pau Espin Pedrol
2017-01-05 11:01       ` Pablo Neira Ayuso
2017-01-06 19:33   ` [PATCH v2 1/2] " Pau Espin Pedrol
2017-01-06 19:33     ` [PATCH v2 2/2] tcp: fix mark propagation with fwmark_reflect enabled Pau Espin Pedrol
2017-01-09 17:00       ` Pablo Neira Ayuso
2017-01-09 17:23         ` David Miller
2017-01-09 16:56     ` [PATCH v2 1/2] netfilter: use fwmark_reflect in nf_send_reset Pablo Neira Ayuso
