From: Patrick McHardy <kaber@trash.net>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Stephen Hemminger <shemminger@vyatta.com>, netdev@vger.kernel.org
Subject: Re: Yet another bridge netfilter crash
Date: Wed, 04 Aug 2010 18:30:58 +0200 [thread overview]
Message-ID: <4C5995C2.1010909@trash.net> (raw)
In-Reply-To: <20100723152609.GA7576@gondor.apana.org.au>
Am 23.07.2010 17:26, schrieb Herbert Xu:
> On Fri, Jul 23, 2010 at 05:17:42PM +0200, Patrick McHardy wrote:
>>
>>> There's also the matter of fragments jumping between bridges.
>>
>> Conntrack zones can be used to avoid that, but that currently needs
>> manual configuration.
>
> I think this is something that we need to fix. Because as it
> stands, it can still crash if you get the wrong nf_bridge.
>
> The reason is that skb->dev does not hold a ref count. So the
> reassembly code just throws it away and always uses the dev of
> the last fragment.
>
> This breaks when two bridges combine to reassemble a single
> packet, as the nf_bridge attribute of the reassembled packet
> may come from an skb whose device is now dead. This is then
> used to fill in the skb->dev (via nf_bridge->physindev).
We could perform a new device lookup on reassembly as we do
when expiring a fragment queue, but we probably shouldn't even
be reassembling fragments from different bridges. One way to
avoid this would be to automatically assign each bridge device
to a different conntrack zone, but conntrack zones are limited
to 2^16 and this might also have other unwanted side-effects.
Until we come up with something better the best fix seems to
be to perform the device lookup based on the iif.
next prev parent reply other threads:[~2010-08-04 16:31 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-07-23 13:42 Yet another bridge netfilter crash Herbert Xu
2010-07-23 14:18 ` Patrick McHardy
2010-07-23 15:00 ` Herbert Xu
2010-07-23 15:17 ` Patrick McHardy
2010-07-23 15:26 ` Herbert Xu
2010-08-04 16:30 ` Patrick McHardy [this message]
2010-08-04 16:41 ` Herbert Xu
2010-08-04 16:50 ` Patrick McHardy
2010-08-09 21:42 ` Herbert Xu
2010-08-09 22:39 ` Changli Gao
2010-08-10 15:19 ` Herbert Xu
2010-08-04 23:00 ` Changli Gao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C5995C2.1010909@trash.net \
--to=kaber@trash.net \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
--cc=shemminger@vyatta.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.