From: Florian Westphal <fw@strlen.de>
To: Jason Xing <kerneljasonxing@gmail.com>
Cc: Florian Westphal <fw@strlen.de>,
edumazet@google.com, pablo@netfilter.org, kadlec@netfilter.org,
kuba@kernel.org, pabeni@redhat.com, davem@davemloft.net,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org, Jason Xing <kernelxing@tencent.com>
Subject: Re: [PATCH net-next] netfilter: conntrack: avoid sending RST to reply out-of-window skb
Date: Fri, 8 Mar 2024 23:46:57 +0100
Message-ID: <20240308224657.GO4420@breakpoint.cc>
In-Reply-To: <CAL+tcoDUyFU9wT8gzOcDqW7hWfR-7Sg8Tky9QsY_b05gP4uZ1Q@mail.gmail.com>
Jason Xing <kerneljasonxing@gmail.com> wrote:
> > connection. Feel free to send patches that replace drop with -accept
> > where possible/where it makes sense, but I don't think the
> > TCP_CONNTRACK_SYN_SENT one can reasonably be avoided.
>
> Oh, are you suggesting replacing NF_DROP with -NF_ACCEPT in
> nf_conntrack_dccp_packet()?

It would be more consistent with what tcp and sctp trackers are
doing, but this should not matter in practice (the packet is malformed).

> > + case NFCT_TCP_INVALID: {
> > + verdict = -NF_ACCEPT;
> > + if (ct->status & IPS_NAT_MASK)
> > + res = NF_DROP; /* skb would miss nat transformation */
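
Review bot: In the IPS_NAT_MASK branch the drop is assigned to 'res', while the line above it sets 'verdict'; the two assignments go to different variables, so the NAT case should read 'verdict = NF_DROP;' for the drop to replace the -NF_ACCEPT set just before. A short comment on the 'verdict = -NF_ACCEPT;' line saying why the packet is let through in the non-NAT case would also help, since only the NAT exception is explained.
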
>
> Above line, I guess, should be 'verdict = NF_DROP'?

Yes.

> Great! I think your draft patch makes sense really, which takes NAT
> into consideration.

You could submit this officially and we could give it a try and see if
anyone complains down the road.