[PATCH] netfilter: use fwmark_reflect in nf_send_reset

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Pau Espin Pedrol <pau.espin@tessares.net>
To: netfilter-devel@vger.kernel.org
Cc: pespin.shar@gmail.com, Pau Espin Pedrol <pau.espin@tessares.net>,
	Lorenzo Colitti <lorenzo@google.com>
Subject: [PATCH] netfilter: use fwmark_reflect in nf_send_reset
Date: Fri, 16 Dec 2016 11:03:27 +0100	[thread overview]
Message-ID: <1481882607-461-1-git-send-email-pau.espin@tessares.net> (raw)
In-Reply-To: <1481805823-32636-1-git-send-email-pau.espin@tessares.net>

Otherwise, RST packets generated by ipt_REJECT always have mark 0 when
the routing is checked later in the same code path.

Fixes: e110861f8609 ("net: add a sysctl to reflect the fwmark on replies")
Cc: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Pau Espin Pedrol <pau.espin@tessares.net>
---
 net/ipv4/netfilter/nf_reject_ipv4.c | 2 ++
 net/ipv6/netfilter/nf_reject_ipv6.c | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
index fd82202..146d861 100644
--- a/net/ipv4/netfilter/nf_reject_ipv4.c
+++ b/net/ipv4/netfilter/nf_reject_ipv4.c
@@ -126,6 +126,8 @@ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook)
 	/* ip_route_me_harder expects skb->dst to be set */
 	skb_dst_set_noref(nskb, skb_dst(oldskb));
 
+	nskb->mark = IP4_REPLY_MARK(net, oldskb->mark);
+
 	skb_reserve(nskb, LL_MAX_HEADER);
 	niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP,
 				   ip4_dst_hoplimit(skb_dst(nskb)));
diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
index 1009040..1e2cc8e 100644
--- a/net/ipv6/netfilter/nf_reject_ipv6.c
+++ b/net/ipv6/netfilter/nf_reject_ipv6.c
@@ -152,6 +152,7 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
 
 	memset(&fl6, 0, sizeof(fl6));
 	fl6.flowi6_proto = IPPROTO_TCP;
+	fl6.flowi6_mark = IP6_REPLY_MARK(net, oldskb->mark);
 	fl6.saddr = oip6h->daddr;
 	fl6.daddr = oip6h->saddr;
 	fl6.fl6_sport = otcph->dest;
@@ -180,6 +181,8 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
 
 	skb_dst_set(nskb, dst);
 
+	nskb->mark = fl6.flowi6_mark;
+
 	skb_reserve(nskb, hh_len + dst->header_len);
 	ip6h = nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_TCP,
 				    ip6_dst_hoplimit(dst));
-- 
2.7.4


-- 

------------------------------
DISCLAIMER.
This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the system manager. 
This message contains confidential information and is intended only for the 
individual named. If you are not the named addressee you should not 
disseminate, distribute or copy this e-mail. Please notify the sender 
immediately by e-mail if you have received this e-mail by mistake and 
delete this e-mail from your system. If you are not the intended recipient 
you are notified that disclosing, copying, distributing or taking any 
action in reliance on the contents of this information is strictly 
prohibited.

next prev parent reply	other threads:[~2016-12-16 10:05 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-12-15 12:43 [PATCH] netfilter: use fwmark_reflect in nf_send_reset Pau Espin Pedrol
2016-12-15 20:27 ` Pablo Neira Ayuso
2016-12-16 10:03 ` Pau Espin Pedrol [this message]
2016-12-23 14:16   ` Pablo Neira Ayuso
2016-12-27 21:51     ` Pau Espin Pedrol
2017-01-05 11:01       ` Pablo Neira Ayuso
2017-01-06 19:33   ` [PATCH v2 1/2] " Pau Espin Pedrol
2017-01-06 19:33     ` [PATCH v2 2/2] tcp: fix mark propagation with fwmark_reflect enabled Pau Espin Pedrol
2017-01-09 17:00       ` Pablo Neira Ayuso
2017-01-09 17:23         ` David Miller
2017-01-09 16:56     ` [PATCH v2 1/2] netfilter: use fwmark_reflect in nf_send_reset Pablo Neira Ayuso

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:fd82202 dfblob:146d861 dfblob:1009040 dfblob:1e2cc8e )
 OR (
bs:"[PATCH] netfilter: use fwmark_reflect in nf_send_reset" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1481882607-461-1-git-send-email-pau.espin@tessares.net \
    --to=pau.espin@tessares.net \
    --cc=lorenzo@google.com \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pespin.shar@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).