From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 01/12] ipvs: SNAT packet replies only for NATed connections
Date: Fri, 19 May 2017 10:33:42 +0200 [thread overview]
Message-ID: <1495182833-2272-2-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1495182833-2272-1-git-send-email-pablo@netfilter.org>
From: Julian Anastasov <ja@ssi.bg>
We do not check if packet from real server is for NAT
connection before performing SNAT. This causes problems
for setups that use DR/TUN and allow local clients to
access the real server directly, for example:
- local client in director creates IPVS-DR/TUN connection
CIP->VIP and the request packets are routed to RIP.
Talks are finished but IPVS connection is not expired yet.
- second local client creates non-IPVS connection CIP->RIP
with same reply tuple RIP->CIP and when replies are received
on LOCAL_IN we wrongly assign them for the first client
connection because RIP->CIP matches the reply direction.
As result, IPVS SNATs replies for non-IPVS connections.
The problem is more visible to local UDP clients but in rare
cases it can happen also for TCP or remote clients when the
real server sends the reply traffic via the director.
So, better to be more precise for the reply traffic.
As replies are not expected for DR/TUN connections, better
to not touch them.
Reported-by: Nick Moriarty <nick.moriarty@york.ac.uk>
Tested-by: Nick Moriarty <nick.moriarty@york.ac.uk>
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
net/netfilter/ipvs/ip_vs_core.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index d2d7bdf1d510..ad99c1ceea6f 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -849,10 +849,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb,
{
unsigned int verdict = NF_DROP;
- if (IP_VS_FWD_METHOD(cp) != 0) {
- pr_err("shouldn't reach here, because the box is on the "
- "half connection in the tun/dr module.\n");
- }
+ if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ)
+ goto ignore_cp;
/* Ensure the checksum is correct */
if (!skb_csum_unnecessary(skb) && ip_vs_checksum_complete(skb, ihl)) {
@@ -886,6 +884,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb,
ip_vs_notrack(skb);
else
ip_vs_update_conntrack(skb, cp, 0);
+
+ignore_cp:
verdict = NF_ACCEPT;
out:
@@ -1385,8 +1385,11 @@ ip_vs_out(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, in
*/
cp = pp->conn_out_get(ipvs, af, skb, &iph);
- if (likely(cp))
+ if (likely(cp)) {
+ if (IP_VS_FWD_METHOD(cp) != IP_VS_CONN_F_MASQ)
+ goto ignore_cp;
return handle_response(af, skb, pd, cp, &iph, hooknum);
+ }
/* Check for real-server-started requests */
if (atomic_read(&ipvs->conn_out_counter)) {
@@ -1444,9 +1447,15 @@ ip_vs_out(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, in
}
}
}
+
+out:
IP_VS_DBG_PKT(12, af, pp, skb, iph.off,
"ip_vs_out: packet continues traversal as normal");
return NF_ACCEPT;
+
+ignore_cp:
+ __ip_vs_conn_put(cp);
+ goto out;
}
/*
--
2.1.4
next prev parent reply other threads:[~2017-05-19 8:34 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-19 8:33 [PATCH 00/12] Netfilter/IPVS fixes for net Pablo Neira Ayuso
2017-05-19 8:33 ` Pablo Neira Ayuso [this message]
2017-05-19 8:33 ` [PATCH 02/12] netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch Pablo Neira Ayuso
2017-05-19 8:33 ` [PATCH 03/12] netfilter: don't setup nat info for confirmed ct Pablo Neira Ayuso
2017-05-19 8:33 ` [PATCH 04/12] netfilter: introduce nf_conntrack_helper_put helper function Pablo Neira Ayuso
2017-05-19 8:33 ` [PATCH 05/12] netfilter: nfnl_cthelper: reject del request if helper obj is in use Pablo Neira Ayuso
2017-05-19 8:33 ` [PATCH 06/12] netfilter: xtables: zero padding in data_to_user Pablo Neira Ayuso
2017-05-19 8:33 ` [PATCH 07/12] netfilter: synproxy: fix conntrackd interaction Pablo Neira Ayuso
2017-05-19 8:33 ` [PATCH 08/12] netfilter: nf_tables: can't assume lock is acquired when dumping set elems Pablo Neira Ayuso
2017-05-19 8:33 ` [PATCH 09/12] netfilter: nf_tables: missing sanitization in data from userspace Pablo Neira Ayuso
2017-05-19 8:33 ` [PATCH 10/12] netfilter: nf_tables: revisit chain/object refcounting from elements Pablo Neira Ayuso
2017-05-19 8:33 ` [PATCH 11/12] ebtables: arpreply: Add the standard target sanity check Pablo Neira Ayuso
2017-05-19 8:33 ` [PATCH 12/12] netfilter: xtables: fix build failure from COMPAT_XT_ALIGN outside CONFIG_COMPAT Pablo Neira Ayuso
2017-05-21 17:00 ` [PATCH 00/12] Netfilter/IPVS fixes for net David Miller
2017-05-21 22:25 ` Pablo Neira Ayuso
2017-05-22 23:54 ` David Miller
2017-05-23 4:02 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1495182833-2272-2-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).