* please fix TARPIT
From: David S. Miller @ 2005-12-22 6:15 UTC
To: netfilter-devel

Recently it was reported that the TARPIT target depends upon the
sysctl_ip_default_ttl symbol which is not exported any longer.

Any use is illegal, because the TTL is a property of a route and
should thus be obtained from the RTAX_HOPLIMIT metric. The only
valid reference is in the ipv4 routing code where it sets the
default value of this route metric.

So, tarpit_tcp() should compute 'nrt' a little earlier and then
grab the RTAX_HOPLIMIT dst metric to store into nskb->nh.iph->ttl
field.

(as a side note it should probably use pskb_may_pull() and
skb_unshare() instead of the dangerously hand-crafted stuff it's
using there, skb_copy() is overkill especially for non-local
packets on a firewall/router, and yeah there seems to be nf_debug
references in there too :-).

Wheee, there's also a copy of ip_finish_output2() in there as well.
It should probably use dst_output() so that paths over IPSEC and
things like that work.

If someone could take care of this (bonus points for grepping
other code in patch-o-matic for references to this
sysctl_ip_default_ttl symbol) I would really appreciate it.

Thanks.

* iptables/netlink/java
From: Oscar Mechanic @ 2005-12-22 20:36 UTC
To: netfilter-devel

Has anyone successfully managed to catch a Netlink packet with Java only
code?

I would be delighted just to know I am not wasting my time without a
native interface and surprisingly google/freshmeat/sourceforge has little
on the subject.

I am trying to catch ULOG pkts with a Java only (JNI and me do not get
on).

Regards
Oscar

* Re: iptables/netlink/java
From: Gary W. Smith @ 2005-12-22 20:39 UTC
To: oscar, netfilter-devel

I would think, for performance reasons, that Java would not be the way to
go. If I recall there was a similar question some months ago. You might
want to check the archives.

On 12/22/05 12:36 PM, "Oscar Mechanic" <oscar@ufomechanic.net> wrote:

> Has anyone successfully managed to catch a Netlink packet with Java only
> code?
>
> I would be delighted just to know I am not wasting my time without a
> native interface and surprisingly google/freshmeat/sourceforge has little
> on the subject.
>
> I am trying to catch ULOG pkts with a Java only (JNI and me do not get
> on).
>
> Regards
> Oscar

* Re: please fix TARPIT
From: Jan Engelhardt @ 2006-01-03 7:34 UTC
To: David S. Miller; +Cc: netfilter-devel

>Recently it was reported that the TARPIT target depends upon the
>sysctl_ip_default_ttl symbol which is not exported any longer.

How about just adding the EXPORT_SYMBOL back. And that all wrapped up in a
nice POM patch. Problem gone. (For the short term.)

Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/
| jengelh's site, http://jengelh.hopto.org/

* Re: please fix TARPIT
From: Patrick McHardy @ 2006-01-03 11:22 UTC
To: Jan Engelhardt; +Cc: netfilter-devel, David S. Miller

Jan Engelhardt wrote:
>>Recently it was reported that the TARPIT target depends upon the
>>sysctl_ip_default_ttl symbol which is not exported any longer.
>
>
> How about just adding the EXPORT_SYMBOL back. And that all wrapped up in a
> nice POM patch. Problem gone. (For the short term.)

The fix is trivial, so I fixed it the right way (well, without
testing).

* Re: please fix TARPIT
From: David S. Miller @ 2006-01-03 20:30 UTC
To: kaber; +Cc: netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 03 Jan 2006 12:22:36 +0100

> Jan Engelhardt wrote:
> >>Recently it was reported that the TARPIT target depends upon the
> >>sysctl_ip_default_ttl symbol which is not exported any longer.
> >
> >
> > How about just adding the EXPORT_SYMBOL back. And that all wrapped up in a
> > nice POM patch. Problem gone. (For the short term.)
>
> The fix is trivial, so I fixed it the right way (well, without
> testing).

Thank you :-)

* [PATCH] use HOPLIMIT metric as TTL of TCP reset sent by REJECT [was: Re: please fix TARPIT]
From: Yasuyuki KOZAKAI @ 2006-01-05 8:08 UTC
To: kaber; +Cc: netfilter-devel, davem

[-- Attachment #1: Type: Text/Plain, Size: 744 bytes --]

Hi,

From: Patrick McHardy <kaber@trash.net>
Date: Tue, 03 Jan 2006 12:22:36 +0100

> Jan Engelhardt wrote:
> >>Recently it was reported that the TARPIT target depends upon the
> >>sysctl_ip_default_ttl symbol which is not exported any longer.
> >
> >
> > How about just adding the EXPORT_SYMBOL back. And that all wrapped up in a
> > nice POM patch. Problem gone. (For the short term.)
>
> The fix is trivial, so I fixed it the right way (well, without
> testing).

Should ipt_REJECT use the metric, too? ip6_REJECT already uses it.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>

BTW, I'm not familiar with TARPIT, but ipt_REJECT seems to have the code
to fix the other issues David pointed out.

-- Yasuyuki Kozakai

[-- Attachment #2: 01-reject-ttl.patch --]
[-- Type: Text/Plain, Size: 1171 bytes --]

[NETFILTER] use HOPLIMIT metric as TTL of TCP reset sent by REJECT

HOPLIMIT metric is appropriate to TCP reset sent by REJECT target than
hard-coded max TTL. Thanks to David S. Miller for hint.

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>

---
commit e290cc6158560638d4bd446075322b999485d064
tree 200689991a2cc57710642400db47c649be20c00f
parent 67dbb4ea33731415fe09c62149a34f472719ac1d
author Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Thu, 29 Dec 2005 00:41:51 +0900
committer Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Thu, 29 Dec 2005 00:41:51 +0900

 net/ipv4/netfilter/ipt_REJECT.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_REJECT.c b/net/ipv4/netfilter/ipt_REJECT.c index f057025..6693526 100644 --- a/net/ipv4/netfilter/ipt_REJECT.c +++ b/net/ipv4/netfilter/ipt_REJECT.c @@ -203,7 +203,7 @@ static void send_reset(struct sk_buff *o sizeof(struct tcphdr), 0)); /* Adjust IP TTL, DF */ - nskb->nh.iph->ttl = MAXTTL; + nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT); /* Set DF, id = 0 */ nskb->nh.iph->frag_off = htons(IP_DF); nskb->nh.iph->id = 0; ^ permalink raw reply related [flat|nested] 10+ messages in thread
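
Review bot: the new line in send_reset(), "nskb->nh.iph->ttl = dst_metric(nskb->dst, RTAX_HOPLIMIT);", reads nskb->dst, but the hunk's context does not show where nskb->dst is attached to the route the reset will leave on. The changelog should state that the route for the reset is already in nskb->dst at this point; if nskb still carries the original packet's dst here, the hop limit is read from the wrong route, and the TTL assignment should move to after the route is attached. That is the same ordering asked for tarpit_tcp() at the start of this thread (compute the route first, then take RTAX_HOPLIMIT from it).
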
* Re: [PATCH] use HOPLIMIT metric as TTL of TCP reset sent by REJECT [was: Re: please fix TARPIT]
From: Patrick McHardy @ 2006-01-05 8:21 UTC
To: Yasuyuki KOZAKAI; +Cc: netfilter-devel, davem

Yasuyuki KOZAKAI wrote:
> Should ipt_REJECT use the metric, too? ip6_REJECT already uses it.

Looks good. Dave, please apply on top of my patches.

> BTW, I'm not familiar with TARPIT, but ipt_REJECT seems to have the code
> to fix the other issues David pointed out.

Yes, looks like we could use some of the ipt_REJECT code. But we
decided to move TARPIT out of pom after moving to something
apt-get like anyway, so I'd rather spend time on that.

* Re: [PATCH] use HOPLIMIT metric as TTL of TCP reset sent by REJECT
From: David S. Miller @ 2006-01-05 21:16 UTC
To: kaber; +Cc: netfilter-devel, yasuyuki.kozakai

From: Patrick McHardy <kaber@trash.net>
Date: Thu, 05 Jan 2006 09:21:12 +0100

> Yasuyuki KOZAKAI wrote:
> > Should ipt_REJECT use the metric, too? ip6_REJECT already uses it.
>
> Looks good. Dave, please apply on top of my patches.

All 18 patches, and this one, applied and pushed to Linus.

Thanks.

* Re: please fix TARPIT
From: David S. Miller @ 2006-01-03 20:29 UTC
To: jengelh; +Cc: netfilter-devel

From: Jan Engelhardt <jengelh@linux01.gwdg.de>
Date: Tue, 3 Jan 2006 08:34:47 +0100 (MET)

>
> >Recently it was reported that the TARPIT target depends upon the
> >sysctl_ip_default_ttl symbol which is not exported any longer.
>
> How about just adding the EXPORT_SYMBOL back. And that all wrapped up in a
> nice POM patch. Problem gone. (For the short term.)

The usage of that symbol is broken.

The fact that I went through the trouble of explaining exactly how to
fix the bug properly, and yet this kind of suggestion still arises,
deeply disturbs me.