From: Florian Westphal <fw@strlen.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, jacobraz@chromium.org,
fw@strlen.de, mkubecek@suse.cz
Subject: Re: [PATCH nf,v2 1/2] netfilter: conntrack: make conntrack userspace helpers work again
Date: Mon, 25 May 2020 14:03:54 +0200
Message-ID: <20200525120354.GD2915@breakpoint.cc>
In-Reply-To: <20200525114715.2301-1-pablo@netfilter.org>
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> Florian Westphal says:
>
> "Problem is that after the helper hook was merged back into the confirm
> one, the queueing itself occurs from the confirm hook, i.e. we queue
> from the last netfilter callback in the hook-list.
>
> Therefore, on return, the packet bypasses the confirm action and the
> connection is never committed to the main conntrack table.
>
> To fix this there are several ways:
> 1. revert the 'Fixes' commit and have an extra helper hook again.
> Works, but has the drawback of adding another indirect call for
> everyone.
>
> 2. Special case this: split the hooks only when userspace helper
> gets added, so queueing occurs at a lower priority again,
> and normal nfqueue reinject would eventually call the last hook.
>
> 3. Extend the existing nf_queue ct update hook to allow a forced
> confirmation (plus run the seqadj code).
>
> This goes for 3)."
>
> Fixes: 827318feb69cb ("netfilter: conntrack: remove helper hook again")
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> v2: call __nf_conntrack_update() before ct helper confirmation.
Reviewed-by: Florian Westphal <fw@strlen.de>
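As an added illustration (not code from the patch or from the kernel), a toy C model of the hook ordering the quoted message describes: once the helper is merged into the confirm hook, a queue verdict comes from the last hook in the list, so reinjection has nothing left to run and the connection is never confirmed; the force_confirm flag models option 3, confirming from the reinject path. Every type and function name below is hypothetical.

```c
/* Toy model (hypothetical, not kernel code) of the hook-ordering bug
 * described in the quoted commit message. */
#include <stdbool.h>
#include <stddef.h>

enum verdict { V_ACCEPT, V_QUEUE };
struct conn { bool helper_ran; bool confirmed; };
typedef enum verdict (*hook_fn)(struct conn *c);
/* Userspace helper: hands the packet to userspace via nfqueue. */
static enum verdict helper_hook(struct conn *c)
{
	c->helper_ran = true;
	return V_QUEUE;
}
/* Confirm: commits the connection to the main conntrack table. */
static enum verdict confirm_hook(struct conn *c)
{
	c->confirmed = true;
	return V_ACCEPT;
}
/* After the 'Fixes' commit the helper runs inside confirm: a queue verdict leaves early. */
static enum verdict merged_hook(struct conn *c)
{
	return helper_hook(c) == V_QUEUE ? V_QUEUE : confirm_hook(c);
}
/* Run hooks[start..n); return the index that queued the packet, or -1. */
static int run_hooks(hook_fn *hooks, size_t n, size_t start, struct conn *c)
{
	for (size_t i = start; i < n; i++)
		if (hooks[i](c) == V_QUEUE)
			return (int)i;
	return -1;
}
/* Reinject after the userspace verdict: resume after the hook that queued.
 * force_confirm models option 3: the ct update step confirms explicitly. */
static bool reinject(hook_fn *hooks, size_t n, int q, struct conn *c, bool force_confirm)
{
	if (force_confirm)
		confirm_hook(c);
	run_hooks(hooks, n, (size_t)q + 1, c);
	return c->confirmed;
}
/* Single merged hook (the broken layout); true if the connection ends up confirmed. */
static bool merged_scenario(bool force_confirm)
{
	hook_fn hooks[] = { merged_hook };
	struct conn c = { false, false };
	int q = run_hooks(hooks, 1, 0, &c);
	return q < 0 ? c.confirmed : reinject(hooks, 1, q, &c, force_confirm);
}
```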