From: Patrick McHardy <kaber@trash.net>
To: Eric Paris <eparis@redhat.com>
Cc: Hua Zhong <hzhong@gmail.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
davem@davemloft.net, kuznet@ms2.inr.ac.ru, pekkas@netcore.fi,
jmorris@namei.org, yoshfuji@linux-ipv6.org
Subject: Re: [RFC PATCH] network: return errors if we know tcp_connect failed
Date: Mon, 15 Nov 2010 16:57:57 +0100 [thread overview]
Message-ID: <4CE15885.90003@trash.net> (raw)
In-Reply-To: <1289836066.14282.7.camel@localhost.localdomain>
On 15.11.2010 16:47, Eric Paris wrote:
> On Mon, 2010-11-15 at 11:32 +0100, Patrick McHardy wrote:
>> On 13.11.2010 00:14, Hua Zhong wrote:
>>>> On 11.11.2010 22:58, Hua Zhong wrote:
>>>>>> Yes, I realize this is little different than if the
>>>>>> SYN was dropped in the first network device, but it is different
>>>>>> because we know what happened! We know that connect() call failed
>>>>>> and that there isn't anything coming back.
>>>>>
>>>>> I would argue that -j DROP should behave exactly as the packet is
>>>> dropped in the network, while -j REJECT should signal the failure to
>>>> the application as soon as possible (which it doesn't seem to do).
>>>>
>>>> It sends an ICMP error or TCP reset. Interpretation is up to TCP.
>>>
>>> Huh? It's the OUTPUT chain we are talking about. There is no ICMP error or
>>> TCP reset.
>>
>> Of course there is.
>>
>> ICMP (default):
>>
>> iptables -A OUTPUT -p tcp -j REJECT
>>
>> TCP reset:
>>
>> iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
>>
>> The second one will cause a hard error for the connection.
>
> Well I'm (I guess?) surprised that the --reject-with icmp doesn't do
> anything with a local outgoing connection but --reject-with tcp-reset
> does something like what I'm looking for.
>
> I notice the heavy lifting for this is done in
> net/ipv4/netfilter/ipt_REJECT.c::send_rest()
> (and something very similar for IPv6)
>
> I really don't want to duplicate that code into SELinux (for obvious
> reasons) and I'm wondering if anyone has objections to me making it
> available outside of netlink and/or suggestions on how to make that code
> available outside of netfilter (aka what header to expose it, and does
> it still make logical sense in ipt_REJECT.c or somewhere else?)
I don't think having SELinux sending packets to handle local
connections is a very elegant design, its not a firewall after
all. What's wrong with reacting only to specific errno codes
in tcp_connect()? You could f.i. return -ECONNREFUSED from
SELinux, that one is pretty much guaranteed not to occur in
the network stack itself and can be returned directly.
That would need minor changes to nf_hook_slow so we can
encode errno values in the upper 16 bits of the verdict,
as we already do with the queue number. The added benefit
is that we don't have to return EPERM anymore when f.i.
rerouting fails.
next prev parent reply other threads:[~2010-11-15 15:57 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-11 21:03 [RFC PATCH] network: return errors if we know tcp_connect failed Eric Paris
2010-11-11 21:14 ` Eric Dumazet
2010-11-11 21:58 ` Hua Zhong
2010-11-12 7:36 ` Patrick McHardy
2010-11-12 23:14 ` Hua Zhong
2010-11-15 10:32 ` Patrick McHardy
2010-11-15 15:47 ` Eric Paris
2010-11-15 15:57 ` Patrick McHardy [this message]
2010-11-15 16:04 ` Patrick McHardy
2010-11-15 16:36 ` Patrick McHardy
2010-11-15 16:46 ` David Miller
2010-11-15 20:00 ` Alexey Kuznetsov
2010-11-12 16:08 ` Eric Paris
2010-11-12 16:15 ` Eric Dumazet
2010-11-12 16:35 ` David Lamparter
2010-11-12 16:53 ` Eric Paris
2010-11-12 16:54 ` Patrick McHardy
2010-11-12 17:57 ` a problem tcp_v4_err() Alexey Kuznetsov
2010-11-12 18:12 ` Eric Dumazet
2010-11-12 18:21 ` Eric Dumazet
2010-11-12 18:27 ` Eric Dumazet
2010-11-12 18:31 ` Alexey Kuznetsov
2010-11-12 18:29 ` Alexey Kuznetsov
2010-11-12 18:33 ` Eric Dumazet
2010-11-12 19:22 ` David Miller
2010-11-12 21:18 ` Eric Dumazet
2010-11-12 21:36 ` David Miller
2010-11-12 21:16 ` [RFC PATCH] network: return errors if we know tcp_connect failed David Lamparter
2010-11-12 21:18 ` David Miller
2010-11-12 17:46 ` Alexey Kuznetsov
2010-11-12 19:28 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4CE15885.90003@trash.net \
--to=kaber@trash.net \
--cc=davem@davemloft.net \
--cc=eparis@redhat.com \
--cc=hzhong@gmail.com \
--cc=jmorris@namei.org \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pekkas@netcore.fi \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).