From: Patrick McHardy <kaber@trash.net>
To: David Stevens <dlstevens@us.ibm.com>
Cc: "David S. Miller" <davem@redhat.com>,
laforge@netfilter.org, netdev@oss.sgi.com,
netdev-bounce@oss.sgi.com, netfilter-devel@lists.netfilter.org,
okir@suse.de
Subject: Re: [PATCH] Prevent crash on ip_conntrack removal
Date: Tue, 24 Aug 2004 02:45:41 +0200 [thread overview]
Message-ID: <412A8FB5.4080700@trash.net> (raw)
In-Reply-To: <OF4320C747.75C5E93A-ON88256EF9.00744FBA-88256EF9.00750996@us.ibm.com>
David Stevens wrote:
>BTW, since some of the frags (esp. the one that triggers the problem)
>are added post-routing, a valid dst is available. It just isn't the first
>frag in the particular scenario.
>
>So, one solution would be to set skb->dst for the head (if NULL) based
>on a non-null fragment skb->dst. I believe that would prevent the problem
>case without dropping the fragment, since it'll be processed post-routing
>only if one of the frags is.
>
>
The fragments which jumped from PRE_ROUTING to ip_local_deliver will miss
ip options processing.
>When I was looking at it, I wondered if conntrack really has a need to
>reassemble itself, though. Couldn't it let IP do the reassembling and
>just ignore offset != 0 frags? The offset==0 frags will have enough
>protocol header to identify by port (a requirement for ICMP). But I don't
>know this code well enough to know if conntrack does actually need
>to reassemble for some good reason. Superficially, I wouldn't think
>there'd be a reason for it.
>
>
The NAT code needs to handle all fragments, so they can't be skipped.
Handling fragments in conntrack and NAT would be possible without helpers,
but to scan for patterns in fragments you need state for each fragmented
packet for each connection.
Regards
Patrick
next prev parent reply other threads:[~2004-08-24 0:45 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-08-18 9:13 [PATCH] Prevent crash on ip_conntrack removal Olaf Kirch
2004-08-19 10:11 ` Harald Welte
2004-08-19 14:18 ` David S. Miller
2004-08-19 14:55 ` Patrick McHardy
2004-08-19 15:14 ` David S. Miller
2004-08-21 15:10 ` Patrick McHardy
2004-08-22 5:13 ` David S. Miller
2004-08-22 12:58 ` Patrick McHardy
2004-08-23 5:03 ` David S. Miller
2004-08-23 21:18 ` David Stevens
2004-08-24 0:45 ` Nivedita Singhvi
2004-08-24 0:45 ` Patrick McHardy [this message]
2004-08-24 21:28 ` David Stevens
2004-08-29 6:15 ` David S. Miller
2004-08-29 19:36 ` Patrick McHardy
2004-08-29 19:57 ` David S. Miller
2004-08-29 20:06 ` Patrick McHardy
2004-08-29 21:58 ` Patrick McHardy
2004-08-29 23:38 ` David S. Miller
2004-08-30 0:50 ` Patrick McHardy
2004-08-30 4:28 ` David S. Miller
2004-08-29 21:48 ` Patrick McHardy
2004-08-30 7:57 ` Olaf Kirch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=412A8FB5.4080700@trash.net \
--to=kaber@trash.net \
--cc=davem@redhat.com \
--cc=dlstevens@us.ibm.com \
--cc=laforge@netfilter.org \
--cc=netdev-bounce@oss.sgi.com \
--cc=netdev@oss.sgi.com \
--cc=netfilter-devel@lists.netfilter.org \
--cc=okir@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).