From: Patrick McHardy <kaber@trash.net>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org, ben@decadent.org.uk,
	lists@michel-messerschmidt.de
Subject: Re: [PATCH 1/1] netfilter: xtables: fix conntrack match v1 ipt-save output
Date: Mon, 23 Nov 2009 10:45:44 +0100
Message-ID: <4B0A59C8.6030104@trash.net>
In-Reply-To: <1258851366-1512-1-git-send-email-fw@strlen.de>

Florian Westphal wrote:
> commit d6d3f08b0fd998b647a05540cedd11a067b72867
> (netfilter: xtables: conntrack match revision 2) does break the
> v1 conntrack match iptables-save output in a subtle way.
> 
> Problem is as follows:
> 
>     up = kmalloc(sizeof(*up), GFP_KERNEL);
> [..]
>    /*
>     * The strategy here is to minimize the overhead of v1 matching,
>     * by prebuilding a v2 struct and putting the pointer into the
>     * v1 dataspace.
>     */
>     memcpy(up, info, offsetof(typeof(*info), state_mask));
> [..]
>     *(void **)info  = up;
> 
> As the v2 struct pointer is saved in the match data space,
> it clobbers the first structure member (->origsrc_addr).
> 
> Because the _v1 match function grabs this pointer and does not actually
> look at the v1 origsrc, run time functionality does not break.
> But iptables -nvL (or iptables-save) cannot know that v1 origsrc_addr
> has been overloaded in this way:
> 
> $ iptables -p tcp -A OUTPUT -m conntrack --ctorigsrc 10.0.0.1 -j ACCEPT
> $ iptables-save
> -A OUTPUT -p tcp -m conntrack --ctorigsrc 128.173.134.206 -j ACCEPT
> 
> (128.173... is the address to the v2 match structure).
> 
> To fix this, we take advantage of the fact that the v1 and v2 structures
> are identical with exception of the last two structure members (u8 in v1,
> u16 in v2).
> 
> We extract them as early as possible and prevent the v2 matching function
> from looking at those two members directly.
> 
> Previously reported by Michel Messerschmidt via Ben Hutchings, also
> see Debian Bug tracker #556587.

Applied, thanks Florian.
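The clobbering described in the quoted commit message, reduced to a stand-alone C program. This is an added illustration, not the kernel's xt_conntrack.c and not Florian's patch: the two struct layouts, the ct_sample type, the function names and the "pass the masks as parameters" variant of the fix are all constructed here. They keep only the property the commit message relies on (v1 and v2 are identical except that the last two members are u8 in v1 and u16 in v2), and the fixed path is one way to satisfy "extract them as early as possible and keep the v2 match function from reading those two members directly"; whether the merged patch is structured exactly like this is not something this page confirms.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the two match revisions (not the real
 * xt_conntrack_mtinfo1/2): same members, same order, only the width of
 * the last two differs. origsrc_addr is 16 bytes, like nf_inet_addr. */
struct mtinfo_v1 {
    uint8_t  origsrc_addr[16];  /* first member: the one that gets clobbered */
    uint8_t  origsrc_mask[16];
    uint8_t  match_flags;
    uint8_t  state_mask;        /* u8 in v1 */
    uint8_t  status_mask;       /* u8 in v1 */
};

struct mtinfo_v2 {
    uint8_t  origsrc_addr[16];
    uint8_t  origsrc_mask[16];
    uint8_t  match_flags;
    uint16_t state_mask;        /* u16 in v2 */
    uint16_t status_mask;       /* u16 in v2 */
};

/* Constructed conntrack entry to match against. */
struct ct_sample {
    uint8_t  origsrc[16];
    uint16_t state;
    uint16_t status;
};

/* What iptables-save effectively does: it only knows the v1 layout and prints
 * the first four bytes of origsrc_addr as an IPv4 address. */
static void format_origsrc(const struct mtinfo_v1 *info, char *buf, size_t len)
{
    const uint8_t *a = info->origsrc_addr;
    snprintf(buf, len, "%u.%u.%u.%u", a[0], a[1], a[2], a[3]);
}

/* The strategy from the quoted checkentry: prebuild a v2 struct and park its
 * pointer in the v1 data space. Matching still works; the dump does not. */
static struct mtinfo_v2 prebuilt;   /* stands in for the kmalloc'd 'up' */

static void checkentry_v1_clobbering(struct mtinfo_v1 *info)
{
    struct mtinfo_v2 *up = &prebuilt;
    memcpy(up, info, offsetof(struct mtinfo_v1, state_mask));
    up->state_mask  = info->state_mask;
    up->status_mask = info->status_mask;
    /* same effect as '*(void **)info = up;', written with memcpy */
    memcpy(info->origsrc_addr, &up, sizeof up);
}

/* Shared match core: the two narrow/wide members arrive as parameters, so it
 * never reads them through one revision's struct and never mutates the rule. */
static int conntrack_mt(const uint8_t addr[16], const uint8_t mask[16],
                        uint16_t state_mask, uint16_t status_mask,
                        const struct ct_sample *ct)
{
    for (int i = 0; i < 16; i++)
        if ((ct->origsrc[i] & mask[i]) != (addr[i] & mask[i]))
            return 0;
    return (ct->state & state_mask) && (ct->status & status_mask);
}

/* v1 caller: widen the u8 masks at the call site, leave the data space alone. */
static int conntrack_mt_v1(const struct mtinfo_v1 *i, const struct ct_sample *ct)
{
    return conntrack_mt(i->origsrc_addr, i->origsrc_mask, i->state_mask, i->status_mask, ct);
}

static int conntrack_mt_v2(const struct mtinfo_v2 *i, const struct ct_sample *ct)
{
    return conntrack_mt(i->origsrc_addr, i->origsrc_mask, i->state_mask, i->status_mask, ct);
}

/* The rule from the page: -m conntrack --ctorigsrc 10.0.0.1 (constructed v1 data). */
static struct mtinfo_v1 make_rule_v1(void)
{
    struct mtinfo_v1 info;
    memset(&info, 0, sizeof info);
    info.origsrc_addr[0] = 10; info.origsrc_addr[3] = 1;
    memset(info.origsrc_mask, 0xff, 4);
    info.state_mask = 0xff; info.status_mask = 0xff;
    return info;
}

/* 1 if the rule still dumps as 10.0.0.1 after (optionally) clobbering it. */
static int dump_survives(int clobber)
{
    struct mtinfo_v1 info = make_rule_v1();
    char buf[32];
    if (clobber) checkentry_v1_clobbering(&info);
    format_origsrc(&info, buf, sizeof buf);
    return strcmp(buf, "10.0.0.1") == 0;
}

/* Matching through the non-clobbering v1 path against 10.0.0.<last_octet>. */
static int rule_v1_matches(uint8_t last_octet)
{
    struct mtinfo_v1 info = make_rule_v1();
    struct ct_sample ct = { {10, 0, 0, last_octet}, 1, 1 };
    return conntrack_mt_v1(&info, &ct);
}

int main(void)
{
    struct mtinfo_v1 info = make_rule_v1();
    char buf[32];
    format_origsrc(&info, buf, sizeof buf);
    printf("before checkentry: --ctorigsrc %s\n", buf);
    checkentry_v1_clobbering(&info);
    format_origsrc(&info, buf, sizeof buf);
    printf("after  checkentry: --ctorigsrc %s  (pointer bytes, as in the report)\n", buf);
    return 0;
}
```

The second printf line shows the same symptom as the `128.173.134.206` in the report: the address bytes are whatever the pointer to the prebuilt v2 struct happens to be. With the parameter-passing core, both `conntrack_mt_v1` and `conntrack_mt_v2` share one implementation and the match data space is never written, so the rule dumps unchanged.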

Thread overview: 3+ messages
2009-11-18  7:39 nf_conntrack sets wrong value for ctorigsrc parameter Ben Hutchings
2009-11-22  0:56 ` [PATCH 1/1] netfilter: xtables: fix conntrack match v1 ipt-save output Florian Westphal
2009-11-23  9:45   ` Patrick McHardy [this message]