From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Pau Espin Pedrol <pespin.shar@gmail.com>
Cc: Pau Espin Pedrol <pau.espin@tessares.net>,
netfilter-devel@vger.kernel.org,
Lorenzo Colitti <lorenzo@google.com>
Subject: Re: [PATCH] netfilter: use fwmark_reflect in nf_send_reset
Date: Thu, 5 Jan 2017 12:01:33 +0100
Message-ID: <20170105110133.GA2037@salvia>
In-Reply-To: <CAEGpDub6crx823PTt-W9+-STP4+j6OnryKGfTRzhCEpZxNU=+Q@mail.gmail.com>
Hi Pau,
On Tue, Dec 27, 2016 at 10:51:09PM +0100, Pau Espin Pedrol wrote:
> Hi,
>
> I will try to find some time over next weeks to have a look at it.
>
> If I understood correctly, RSTs generated from the stack are currently
> not marked when fwmark_reflect is on no matter whether my patch is
> applied or not. Did I understand correctly?
>
> Which scenario did you use to trigger RST coming from the stack?
> Sending RST out of the rcv window to emulate spoofing? sending non
> only-SYN packets for connections not yet tracked in conntrack?
Using the ruleset example below on 192.168.12.1, from another host I
run netcat as client with:
# nc 192.168.12.1 24
(note that nothing is listening on 192.168.12.1, tcp port 24).
I get no mark reflected on the TCP RST packet that 192.168.12.1 sends
out to the host that runs netcat as client.
So it seems to me fwmark_reflect is broken.
> 2016-12-23 15:16 GMT+01:00 Pablo Neira Ayuso <pablo@netfilter.org>:
> > Hi Pau,
> >
> > On Fri, Dec 16, 2016 at 11:03:27AM +0100, Pau Espin Pedrol wrote:
> >> Otherwise, RST packets generated by ipt_REJECT always have mark 0 when
> >> the routing is checked later in the same code path.
> >
> > Your patch works fine, I can see mark is reflected to TCP RST for
> > packets that are generated by netfilter.
> >
> > However, it seems fwmark_reflect is broken here for TCP RST that are
> > generated by the stack, or at least I don't manage to trigger the
> > reflection with current git tree.
> >
> > Using this simple ruleset to mark input packets:
> >
> > # nft list ruleset
> > table ip x {
> >         chain y {
> >                 type filter hook output priority 0; policy accept;
> >                 log prefix "output: "
> >         }
> >
> >         chain z {
> >                 type filter hook input priority 0; policy accept;
> >                 mark set 0x00000001
> >                 log prefix "input: "
> >         }
> > }
> >
> > Note input packets show mark 0x1:
> >
> > Dec 23 15:07:37 salvia kernel: [14895.204591] input: IN=eth0 OUT= MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27691 DF PROTO=TCP SPT=36341 DPT=24 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x1
> >
> > however, output shows no mark, so no reflection is going on:
> >
> > Dec 23 15:07:37 salvia kernel: [14895.204643] output: IN= OUT=eth0 SRC=192.168.12.195 DST=192.168.12.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=52846 DF PROTO=TCP SPT=24 DPT=36341 WINDOW=0 RES=0x00 ACK RST URGP=0
> >
> > fwmark_reflect works perfectly fine with ICMP:
> >
> > Dec 23 15:11:21 salvia kernel: [15119.556780] input: IN=eth0 OUT= MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5429 SEQ=2 MARK=0x1
> >
> > Dec 23 15:11:21 salvia kernel: [15119.556822] output: IN= OUT=eth0 SRC=192.168.2.195 DST=192.168.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25617 PROTO=ICMP TYPE=0 CODE=0 ID=5429 SEQ=2 MARK=0x1
> >
> > Thanks.
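The test procedure described in this thread, written up as a script. This is an added example, not code from the mail or from the netfilter project: it loads the quoted ruleset, and then pairs every logged "input:" packet with the "output:" packet that answers it (reversed tuple) and reports whether the mark came back. Assumptions the mail does not state: the kernel log is read with dmesg, the sysctl that was switched on is net.ipv4.fwmark_reflect, and nft and nc are installed. Only the 'repro' mode needs root; the check itself needs just awk. The sample log lines are constructed, modelled on the ones quoted above. Note that nf_log prints MARK= only when the mark is nonzero, so a line without MARK= is read as mark 0x0, which is exactly the unreflected RST case above.

```shell
#!/bin/sh
# Added example, not code from the thread or from netfilter: the test
# procedure from the mail as a script, plus an awk check that pairs each
# logged "input:" packet with the "output:" packet answering it and
# reports whether the fwmark was reflected.
# Assumptions (not stated in the mail): logs are read with dmesg, the
# sysctl in play is net.ipv4.fwmark_reflect, nft and nc are installed.
# Only 'repro' needs root.

# The ruleset quoted in the mail: mark everything on input, log both hooks.
load_ruleset() {
    nft -f - <<'EOF'
table ip x {
    chain y {
        type filter hook output priority 0; policy accept;
        log prefix "output: "
    }
    chain z {
        type filter hook input priority 0; policy accept;
        mark set 0x00000001
        log prefix "input: "
    }
}
EOF
    sysctl -w net.ipv4.fwmark_reflect=1
}

# Read nf_log lines on stdin. Remember the mark of every "input:" packet
# under its forward tuple; for every "output:" packet look up the reversed
# tuple and print "reflected", "not reflected" or "no input seen".
# nf_log prints MARK= only when the mark is nonzero, so no MARK= means 0x0.
check_reflection() {
    awk '
    function field(k,   i) {
        for (i = 1; i <= NF; i++)
            if (index($i, k "=") == 1) return substr($i, length(k) + 2)
        return ""
    }
    # ICMP lines carry two ID= fields (IP id, then ICMP id); take the last.
    function lastfield(k,   i, v) {
        for (i = 1; i <= NF; i++)
            if (index($i, k "=") == 1) v = substr($i, length(k) + 2)
        return v
    }
    # flip=1 turns a reply into the tuple of the packet it answers:
    # swap addresses (and ports for TCP/UDP); ICMP echo keeps id/seq.
    function tuple(flip,   p, a, b, x, y, t) {
        p = field("PROTO"); a = field("SRC"); b = field("DST")
        if (flip) { t = a; a = b; b = t }
        if (p == "ICMP")
            return p " " a ">" b " id=" lastfield("ID") " seq=" field("SEQ")
        x = field("SPT"); y = field("DPT")
        if (flip) { t = x; x = y; y = t }
        return p " " a ":" x ">" b ":" y
    }
    function mark(   m) { m = field("MARK"); return (m == "") ? "0x0" : m }
    /input: /  { inmark[tuple(0)] = mark(); next }
    /output: / {
        key = tuple(1); m = mark()
        if (!(key in inmark)) print "no input seen " key
        else if (m != "0x0" && m == inmark[key]) print "reflected " key " " m
        else print "not reflected " key " in=" inmark[key] " out=" m
    }'
}

# Constructed sample, modelled on the lines quoted in the mail: a SYN to a
# closed port answered by an unmarked RST, and an echo request answered by
# a marked echo reply.
sample_log() {
    cat <<'EOF'
[14895.204591] input: IN=eth0 OUT= MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27691 DF PROTO=TCP SPT=36341 DPT=24 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x1
[14895.204643] output: IN= OUT=eth0 SRC=192.168.12.195 DST=192.168.12.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=52846 DF PROTO=TCP SPT=24 DPT=36341 WINDOW=0 RES=0x00 ACK RST URGP=0
[15119.556780] input: IN=eth0 OUT= MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5429 SEQ=2 MARK=0x1
[15119.556822] output: IN= OUT=eth0 SRC=192.168.12.195 DST=192.168.12.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25617 PROTO=ICMP TYPE=0 CODE=0 ID=5429 SEQ=2 MARK=0x1
EOF
}

case "${1:-demo}" in
    demo)  sample_log | check_reflection ;;
    check) check_reflection ;;   # e.g.: dmesg | sh fwmark_check.sh check
    repro) load_ruleset
           echo "now run 'nc 192.168.12.1 24' from another host, then: dmesg | $0 check" ;;
esac
```

Run without arguments to see the verdict on the constructed sample (the TCP RST comes back "not reflected", the ICMP echo reply "reflected"); on the box under test, load the ruleset with `repro` as root, trigger the RST from the other host and pipe `dmesg` into `check`.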
Thread overview: 11+ messages
2016-12-15 12:43 [PATCH] netfilter: use fwmark_reflect in nf_send_reset Pau Espin Pedrol
2016-12-15 20:27 ` Pablo Neira Ayuso
2016-12-16 10:03 ` Pau Espin Pedrol
2016-12-23 14:16 ` Pablo Neira Ayuso
2016-12-27 21:51 ` Pau Espin Pedrol
2017-01-05 11:01 ` Pablo Neira Ayuso [this message]
2017-01-06 19:33 ` [PATCH v2 1/2] " Pau Espin Pedrol
2017-01-06 19:33 ` [PATCH v2 2/2] tcp: fix mark propagation with fwmark_reflect enabled Pau Espin Pedrol
2017-01-09 17:00 ` Pablo Neira Ayuso
2017-01-09 17:23 ` David Miller
2017-01-09 16:56 ` [PATCH v2 1/2] netfilter: use fwmark_reflect in nf_send_reset Pablo Neira Ayuso