* Re: owner-Match in 2.6.20-rc5 (fwd)
@ 2007-01-25 20:31 Jozsef Kadlecsik
2007-01-25 20:57 ` Jan Engelhardt
2007-01-25 21:01 ` David Miller
0 siblings, 2 replies; 7+ messages in thread
From: Jozsef Kadlecsik @ 2007-01-25 20:31 UTC
To: David Miller; +Cc: netfilter-devel
[-- Attachment #1: Type: TEXT/PLAIN, Size: 1471 bytes --]
Hi,
The report below was posted on the netfilter user list. Isn't there any
ill side effect by reverting the change?
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
---------- Forwarded message ----------
Date: Thu, 25 Jan 2007 20:16:17 +0100
From: Sebastian <netfilter@basti79.de>
To: netfilter@lists.netfilter.org
Subject: Re: owner-Match in 2.6.20-rc5
On Thursday, 25.01.2007, 10:23 +0100, Sebastian Claßen wrote:
> Hi...
>
> Kernel: 2.6.20-rc5
> Iptables: v1.3.7-20070118
>
> The owner-Match seems not to match TCP-Packets any more. Can be tested
> by inserting the rule:
> iptables -I OUTPUT -m owner --uid-owner test-user -j LOG
>
> Simply su to the specified user and using netcat (nc) to send UDP and
> TCP packets shows only log entries with PROTO=UDP but none with TCP.
>
> Anyone can reproduce this and perhaps got a solution??
>
> Greets
> Sebastian.
>
Hi again...
I've just found out where the problem is. In 2.6.20-rc1 changelog the
following thing was modified:
[TCP]: Don't set SKB owner in tcp_transmit_skb().
That seems to break the owner-match for TCP packets. I was able to undo
the change with the attached one-line patch which fixed the problem for
me.
Greets
Sebastian.
[-- Attachment #2: Type: TEXT/X-PATCH, Size: 402 bytes --]
--- linux-2.6.20-rc5.orig/net/ipv4/tcp_output.c 2007-01-25 20:10:04.000000000 +0100
+++ linux-2.6.20-rc5/net/ipv4/tcp_output.c 2007-01-25 14:43:48.000000000 +0100
@@ -467,6 +467,7 @@ static int tcp_transmit_skb(struct sock
th = (struct tcphdr *) skb_push(skb, tcp_header_size);
skb->h.th = th;
+ skb_set_owner_w(skb, sk);
/* Build TCP header and checksum it. */
th->source = inet->sport;
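Review bot: the added skb_set_owner_w(skb, sk) runs unconditionally for every segment that passes through tcp_transmit_skb(), which is exactly the per-packet work (taking a socket reference and charging the skb to the socket's write memory, both atomic) that the 2.6.20-rc1 change "[TCP]: Don't set SKB owner in tcp_transmit_skb()" removed, so the patch should be presented as a revert of that change, with the performance trade-off stated, and it currently carries no description or Signed-off-by at all. The description should also say why ownership is missing on this path but not on the UDP path the report compares against; the report only shows the symptom (the owner match fires for UDP and never for TCP). Minor: the header timestamps have the modified file dated earlier than the .orig copy, which suggests the two files were swapped or copied around; harmless for a one-liner, but regenerate with diff -up against a clean tree before submitting.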
* Re: owner-Match in 2.6.20-rc5 (fwd)
2007-01-25 20:31 owner-Match in 2.6.20-rc5 (fwd) Jozsef Kadlecsik
@ 2007-01-25 20:57 ` Jan Engelhardt
2007-01-25 21:01 ` David Miller
1 sibling, 0 replies; 7+ messages in thread
From: Jan Engelhardt @ 2007-01-25 20:57 UTC
To: Jozsef Kadlecsik; +Cc: netfilter-devel, David Miller
On Jan 25 2007 21:31, Jozsef Kadlecsik wrote:
>On Thu, 25 Jan 2007 20:16:17 +0100, Sebastian wrote
>>On Thursday, 25.01.2007, 10:23 +0100, Sebastian Claßen wrote:
>>> The owner-Match seems not to match TCP-Packets any more. Can be tested
>>> by inserting the rule:
>>> iptables -I OUTPUT -m owner --uid-owner test-user -j LOG
>>>
>>> Simply su to the specified user and using netcat (nc) to send UDP and
>>> TCP packets shows only log entries with PROTO=UDP but none with TCP.
>>
>> I've just found out where the problem is. In 2.6.20-rc1 changelog the
>> following thing was modified:
>> [TCP]: Don't set SKB owner in tcp_transmit_skb().
>>
>> That seems to break the owner-match for TCP packets. I was able to undo
>> the change with the attached one-line patch which fixed the problem for
>> me.
>
> The report [above] was posted on the netfilter user list. Isn't there any
> ill side effect by reverting the change?
>
As far as I know, the _pid_ part of the owner module was removed
because the sending process might not be the process who did the
write. (Is this right?)
If so, does not the same actually apply to the owner [EUID of the
process which sent it]?
-`J'
--
* Re: owner-Match in 2.6.20-rc5 (fwd)
2007-01-25 20:31 owner-Match in 2.6.20-rc5 (fwd) Jozsef Kadlecsik
2007-01-25 20:57 ` Jan Engelhardt
@ 2007-01-25 21:01 ` David Miller
2007-01-25 21:07 ` Jan Engelhardt
1 sibling, 1 reply; 7+ messages in thread
From: David Miller @ 2007-01-25 21:01 UTC
To: kadlec; +Cc: netdev, netfilter-devel
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date: Thu, 25 Jan 2007 21:31:56 +0100 (CET)
> The report below was posted on the netfilter user list. Isn't there any
> ill side effect by reverting the change?
Performance regression :-(
This optimization saves a whole handful of heavy atomic operations in
the packet transmit path of TCP.
As I understand it, the owner-Match is not in the upstream tree, and
it's the only thing that cares, so I see no reason to cater for it.
* Re: owner-Match in 2.6.20-rc5 (fwd)
2007-01-25 21:01 ` David Miller
@ 2007-01-25 21:07 ` Jan Engelhardt
2007-01-25 22:01 ` David Miller
0 siblings, 1 reply; 7+ messages in thread
From: Jan Engelhardt @ 2007-01-25 21:07 UTC
To: David Miller; +Cc: kadlec, netdev, netfilter-devel
>> The report below was posted on the netfilter user list. Isn't there any
>> ill side effect by reverting the change?
>
>Performance regression :-(
>
>This optimization saves a whole handful of heavy atomic operations in
>the packet transmit path of TCP.
>
>As I understand it, the owner-Match is not in the upstream tree, and
>it's the only thing that cares, so I see no reason to cater for it.
For me, it's there.
-rw-r--r-- 1 jengelh users 2247 Jan 25 21:37
/erk/kernel/linux-2.6.20-rc6/net/ipv4/netfilter/ipt_owner.c
-`J'
--
* Re: owner-Match in 2.6.20-rc5 (fwd)
2007-01-25 21:07 ` Jan Engelhardt
@ 2007-01-25 22:01 ` David Miller
2007-01-25 22:14 ` Jan Engelhardt
0 siblings, 1 reply; 7+ messages in thread
From: David Miller @ 2007-01-25 22:01 UTC
To: jengelh; +Cc: kadlec, netdev, netfilter-devel
From: Jan Engelhardt <jengelh@linux01.gwdg.de>
Date: Thu, 25 Jan 2007 22:07:07 +0100 (MET)
>
> >> The report below was posted on the netfilter user list. Isn't there any
> >> ill side effect by reverting the change?
> >
> >Performance regression :-(
> >
> >This optimization saves a whole handful of heavy atomic operations in
> >the packet transmit path of TCP.
> >
> >As I understand it, the owner-Match is not in the upstream tree, and
> >it's the only thing that cares, so I see no reason to cater for it.
>
> For me, it's there.
> -rw-r--r-- 1 jengelh users 2247 Jan 25 21:37
> /erk/kernel/linux-2.6.20-rc6/net/ipv4/netfilter/ipt_owner.c
Ok, I'll see what I can do about this :-)
* Re: owner-Match in 2.6.20-rc5 (fwd)
2007-01-25 22:01 ` David Miller
@ 2007-01-25 22:14 ` Jan Engelhardt
2007-01-26 9:05 ` David Miller
0 siblings, 1 reply; 7+ messages in thread
From: Jan Engelhardt @ 2007-01-25 22:14 UTC
To: David Miller; +Cc: kadlec, netdev, netfilter-devel
>> >> The report below was posted on the netfilter user list. Isn't there any
>> >> ill side effect by reverting the change?
>> >
>> >Performance regression :-(
>> >
>> >This optimization saves a whole handful of heavy atomic operations in
>> >the packet transmit path of TCP.
>> >
>> >As I understand it, the owner-Match is not in the upstream tree, and
>> >it's the only thing that cares, so I see no reason to cater for it.
>>
>> For me, it's there.
>> -rw-r--r-- 1 jengelh users 2247 Jan 25 21:37
>> /erk/kernel/linux-2.6.20-rc6/net/ipv4/netfilter/ipt_owner.c
>
>Ok, I'll see what I can do about this :-)
>
People really depend on this. Much more than pid/comm/smpunsafe stuff.
For example, a web server [cgi enabled, etc.] which also runs squid,
to force all webtraffic through it:
-A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner
squid -j REDIRECT --to-ports 3128
-`J'
--
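The thread exercises the owner match in two ways: Sebastian's reproduction (a LOG rule on OUTPUT selected by --uid-owner, then one UDP and one TCP packet sent with nc as that user) and Jan's squid REDIRECT rule, whose whole effect depends on the match firing for TCP. The script below is an added example, not code from the thread or from the netfilter project; it automates the reproduction as a pass/fail check and lists the rules in an iptables-save dump that stop firing silently when the match stops seeing TCP. Assumptions, all my own: a test account named test-user, a LOG prefix "owner-check: " so only this rule is counted, TEST-NET-1 (192.0.2.1) as a destination nothing answers from, and constructed sample log lines and a constructed iptables-save dump so the parsing runs offline. The live part needs root, iptables, nc and the account, and only runs with OWNER_MATCH_LIVE=1.

```shell
#!/bin/sh
# Added example, not from the thread: does the iptables owner match see TCP?
# Reproduction from the report: insert a LOG rule selected by --uid-owner, send
# one UDP and one TCP packet as that user, count LOG lines per protocol.
# The live part needs root, iptables, nc and the test account; it only runs
# with OWNER_MATCH_LIVE=1. Otherwise the parsers run over constructed samples.

TEST_USER="${TEST_USER:-test-user}"   # assumption: the account used in the report
LOG_PREFIX="owner-check: "            # assumption: prefix so only our rule is counted

# Count LOG lines carrying our prefix, per protocol. Kernel log on stdin,
# prints "udp=<n> tcp=<n>". Lines without the prefix (other LOG rules) are skipped.
count_owner_hits() {
    awk -v pfx="$LOG_PREFIX" '
        index($0, pfx) == 0 { next }
        /PROTO=UDP/ { udp++ }
        /PROTO=TCP/ { tcp++ }
        END { printf "udp=%d tcp=%d\n", udp + 0, tcp + 0 }'
}

# $1 is the "udp=N tcp=M" summary. Returns 0 if TCP was matched at all,
# 1 for the symptom in the report (UDP logged, TCP never).
verdict() {
    udp=${1#udp=}; udp=${udp%% *}
    tcp=${1##*tcp=}
    if [ "$tcp" -gt 0 ]; then
        echo "OK: owner match logged $tcp TCP and $udp UDP packet(s)"
        return 0
    fi
    echo "REGRESSION: owner match logged $udp UDP packet(s) but no TCP"
    return 1
}

# Rules whose effect depends on the owner match, from an iptables-save dump on
# stdin, prefixed with their table. If the match stops seeing TCP these stop
# firing without any error: the squid REDIRECT no longer forces web traffic
# through the proxy, and the LOG rule goes quiet.
list_owner_rules() {
    awk '
        /^\*/ { table = substr($0, 2) }
        /-m owner/ { print table ": " $0 }'
}

# Live check (root): insert the LOG rule, generate traffic as the test user,
# read the kernel log, remove the rule again. 192.0.2.1 is TEST-NET-1, so the
# packets traverse OUTPUT and get logged whether or not anything answers.
live_check() {
    iptables -I OUTPUT -m owner --uid-owner "$TEST_USER" -j LOG \
        --log-prefix "$LOG_PREFIX" || return 2
    su -s /bin/sh "$TEST_USER" -c \
        'echo x | nc -u -w1 192.0.2.1 9; nc -w1 192.0.2.1 9 </dev/null' 2>/dev/null
    sleep 1
    hits=$(dmesg | count_owner_hits)
    iptables -D OUTPUT -m owner --uid-owner "$TEST_USER" -j LOG \
        --log-prefix "$LOG_PREFIX"
    verdict "$hits"
}

# Constructed samples (not real captures). Field layout as the LOG target prints
# it; the first log shows the reported symptom, the second a healthy run.
SAMPLE_BROKEN='owner-check: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 LEN=30 PROTO=UDP SPT=41000 DPT=9 LEN=10
owner-check: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 LEN=30 PROTO=UDP SPT=41000 DPT=9 LEN=10
unrelated: IN=eth0 OUT= SRC=192.0.2.30 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=443 DPT=50000 SYN'
SAMPLE_OK="$SAMPLE_BROKEN
owner-check: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=50001 DPT=9 WINDOW=5840 SYN"
SAMPLE_SAVE='*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner squid -j REDIRECT --to-ports 3128
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner test-user -j LOG
-A OUTPUT -p tcp --dport 25 -j ACCEPT
COMMIT'

if [ "${OWNER_MATCH_LIVE:-0}" = 1 ]; then
    live_check
else
    echo "offline demo over constructed samples:"
    verdict "$(printf '%s\n' "$SAMPLE_BROKEN" | count_owner_hits)" || true
    verdict "$(printf '%s\n' "$SAMPLE_OK" | count_owner_hits)"
    echo "rules that depend on the owner match:"
    printf '%s\n' "$SAMPLE_SAVE" | list_owner_rules
fi
```

The check deliberately asserts on TCP alone: UDP being logged proves the rule and the user are set up correctly, so a zero TCP count is the regression and not a broken test. Run `iptables-save | ./owner-check.sh` style inventories after any kernel upgrade that touches the TCP transmit path, since a rule such as the squid redirect gives no indication when its match stops applying.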
* Re: owner-Match in 2.6.20-rc5 (fwd)
2007-01-25 22:14 ` Jan Engelhardt
@ 2007-01-26 9:05 ` David Miller
0 siblings, 0 replies; 7+ messages in thread
From: David Miller @ 2007-01-26 9:05 UTC
To: jengelh; +Cc: kadlec, netdev, netfilter-devel
From: Jan Engelhardt <jengelh@linux01.gwdg.de>
Date: Thu, 25 Jan 2007 23:14:49 +0100 (MET)
> People really depend on this. Much more than pid/comm/smpunsafe stuff.
> For example, a web server [cgi enabled, etc.] which also runs squid,
> to force all webtraffic through it:
>
> -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner
> squid -j REDIRECT --to-ports 3128
FWIW I've simply reverted the change in question to fix this.
Will push to Linus soon.