CONNMARK target without ip_conntrack

CONNMARK target without ip_conntrack

[Piotr Chytla]

Hi

Today one of my friends told me about very simple problem with CONNMARK ,
after loading it without ip_conntrack, everything is ok but marking
isn't working . 

In ipt_CONNMARK.c I've found in function target :

[..]
static unsigned int
target(struct sk_buff **pskb,
       const struct net_device *in,
       const struct net_device *out,
       unsigned int hooknum,
       const void *targinfo,
       void *userinfo)
{
[..]
        enum ip_conntrack_info ctinfo;
        struct ip_conntrack *ct = ip_conntrack_get((*pskb), &ctinfo);
        if (ct) {
		[..] - set/save/restore mark
	} 
[..]

Mark set/restore/save is set when ip_conntrack structure exist , but
there is no warning message in logs about not loaded ip_conntrack or
something similar. Maybe it's wise to put some warning message :

if (ct) {
	[..]
} else printk(KERN_ERR "CONNMARK: no conntrack!\n");

/pch

-- 
Dyslexia bug unpatched since 1977 ...
exploit has been leaked to the underground.

Re: CONNMARK target without ip_conntrack

[Pablo Neira]

Piotr Chytla wrote:
> Mark set/restore/save is set when ip_conntrack structure exist , but
> there is no warning message in logs about not loaded ip_conntrack or
> something similar. Maybe it's wise to put some warning message :
> 
> if (ct) {
> 	[..]
> } else printk(KERN_ERR "CONNMARK: no conntrack!\n");

No. Even with ip_conntrack loaded it could possible that a skb doesn't
have any conntrack associated: in that case it means that the packet is
considered invalid.

--
Pablo