Re: Patch "tcp: fix mark propagation with fwmark_reflect enabled" has been added to the 4.4-stable tree

[Pablo Neira Ayuso <pablo@netfilter.org>]

Hi Greg,

if you pick this one, then you take this one as well:

commit 92e55f412cffd016cc245a74278cb4d7b89bb3bc
Author: Pablo Neira <pablo@netfilter.org>
Date:   Thu Jan 26 22:56:21 2017 +0100

    tcp: don't annotate mark on control socket from tcp_v6_send_response()

Since the IPv6 chunk is broken.

Thanks.

On Thu, Feb 16, 2017 at 09:05:49AM -0800, gregkh@linuxfoundation.org wrote:
> 
> This is a note to let you know that I've just added the patch titled
> 
>     tcp: fix mark propagation with fwmark_reflect enabled
> 
> to the 4.4-stable tree which can be found at:
>     http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
> 
> The filename of the patch is:
>      tcp-fix-mark-propagation-with-fwmark_reflect-enabled.patch
> and it can be found in the queue-4.4 subdirectory.
> 
> If you, or anyone else, feels it should not be added to the stable tree,
> please let <stable@vger.kernel.org> know about it.
> 
> 
> From bf99b4ded5f8a4767dbb9d180626f06c51f9881f Mon Sep 17 00:00:00 2001
> From: Pau Espin Pedrol <pespin.shar@gmail.com>
> Date: Fri, 6 Jan 2017 20:33:28 +0100
> Subject: tcp: fix mark propagation with fwmark_reflect enabled
> 
> From: Pau Espin Pedrol <pespin.shar@gmail.com>
> 
> commit bf99b4ded5f8a4767dbb9d180626f06c51f9881f upstream.
> 
> Otherwise, RST packets generated by the TCP stack for non-existing
> sockets always have mark 0.
> The mark from the original packet is assigned to the netns_ipv4/6
> socket used to send the response so that it can get copied into the
> response skb when the socket sends it.
> 
> Fixes: e110861f8609 ("net: add a sysctl to reflect the fwmark on replies")
> Cc: Lorenzo Colitti <lorenzo@google.com>
> Signed-off-by: Pau Espin Pedrol <pau.espin@tessares.net>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> 
> ---
>  net/ipv4/ip_output.c |    1 +
>  net/ipv6/tcp_ipv6.c  |    1 +
>  2 files changed, 2 insertions(+)
> 
> --- a/net/ipv4/ip_output.c
> +++ b/net/ipv4/ip_output.c
> @@ -1592,6 +1592,7 @@ void ip_send_unicast_reply(struct sock *
>  	sk->sk_protocol = ip_hdr(skb)->protocol;
>  	sk->sk_bound_dev_if = arg->bound_dev_if;
>  	sk->sk_sndbuf = sysctl_wmem_default;
> +	sk->sk_mark = fl4.flowi4_mark;
>  	err = ip_append_data(sk, &fl4, ip_reply_glue_bits, arg->iov->iov_base,
>  			     len, 0, &ipc, &rt, MSG_DONTWAIT);
>  	if (unlikely(err)) {
> --- a/net/ipv6/tcp_ipv6.c
> +++ b/net/ipv6/tcp_ipv6.c
> @@ -822,6 +822,7 @@ static void tcp_v6_send_response(const s
>  	dst = ip6_dst_lookup_flow(ctl_sk, &fl6, NULL);
>  	if (!IS_ERR(dst)) {
>  		skb_dst_set(buff, dst);
> +		ctl_sk->sk_mark = fl6.flowi6_mark;
>  		ip6_xmit(ctl_sk, buff, &fl6, NULL, tclass);
>  		TCP_INC_STATS_BH(net, TCP_MIB_OUTSEGS);
>  		if (rst)
> 
> 
> Patches currently in stable-queue which might be from pespin.shar@gmail.com are
> 
> queue-4.4/tcp-fix-mark-propagation-with-fwmark_reflect-enabled.patch