[PATCH] ipv4: "conntrack zones" support for defrag user check in ip

netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] ipv4: "conntrack zones" support for defrag user check in ip_expire
@ 2014-05-02 23:14 Vasily Averin
  2014-05-04 11:18 ` Pablo Neira Ayuso
  2014-05-05 14:07 ` Pablo Neira Ayuso
  0 siblings, 2 replies; 5+ messages in thread
From: Vasily Averin @ 2014-05-02 23:14 UTC (permalink / raw)
  To: Patrick McHardy
  Cc: Florian Westphal, netfilter-devel, netdev, Pablo Neira Ayuso,
	David S. Miller

Defrag user check in ip_expire was not updated after adding support for
"conntrack zones"

Signed-off-by: Vasily Averin <vvs@openvz.org>
---
 net/ipv4/ip_fragment.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index c10a3ce..ed32313 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -232,8 +232,9 @@ static void ip_expire(unsigned long arg)
 		 * "Fragment Reassembly Timeout" message, per RFC792.
 		 */
 		if (qp->user == IP_DEFRAG_AF_PACKET ||
-		    (qp->user == IP_DEFRAG_CONNTRACK_IN &&
-		     skb_rtable(head)->rt_type != RTN_LOCAL))
+		    ((qp->user >= IP_DEFRAG_CONNTRACK_IN) &&
+		     (qp->user <= __IP_DEFRAG_CONNTRACK_IN_END) &&
+		     (skb_rtable(head)->rt_type != RTN_LOCAL)))
 			goto out_rcu_unlock;
 
 
-- 
1.7.5.4


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] ipv4: "conntrack zones" support for defrag user check in ip_expire
  2014-05-02 23:14 [PATCH] ipv4: "conntrack zones" support for defrag user check in ip_expire Vasily Averin
@ 2014-05-04 11:18 ` Pablo Neira Ayuso
  2014-05-04 12:58   ` Pablo Neira Ayuso
  2014-05-05 14:07 ` Pablo Neira Ayuso
  1 sibling, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2014-05-04 11:18 UTC (permalink / raw)
  To: Vasily Averin
  Cc: Patrick McHardy, Florian Westphal, netfilter-devel, netdev,
	David S. Miller

On Sat, May 03, 2014 at 03:14:04AM +0400, Vasily Averin wrote:
> Defrag user check in ip_expire was not updated after adding support for
> "conntrack zones"

I think this bug manifests as a RFC violation, as the router will send
the icmp time exceeeded message when using conntrack zones. Just would
like to confirm this, so we can include it in the patch description.
Thanks.

> Signed-off-by: Vasily Averin <vvs@openvz.org>
> ---
>  net/ipv4/ip_fragment.c |    5 +++--
>  1 files changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
> index c10a3ce..ed32313 100644
> --- a/net/ipv4/ip_fragment.c
> +++ b/net/ipv4/ip_fragment.c
> @@ -232,8 +232,9 @@ static void ip_expire(unsigned long arg)
>  		 * "Fragment Reassembly Timeout" message, per RFC792.
>  		 */
>  		if (qp->user == IP_DEFRAG_AF_PACKET ||
> -		    (qp->user == IP_DEFRAG_CONNTRACK_IN &&
> -		     skb_rtable(head)->rt_type != RTN_LOCAL))
> +		    ((qp->user >= IP_DEFRAG_CONNTRACK_IN) &&
> +		     (qp->user <= __IP_DEFRAG_CONNTRACK_IN_END) &&
> +		     (skb_rtable(head)->rt_type != RTN_LOCAL)))
>  			goto out_rcu_unlock;
>  
>  
> -- 
> 1.7.5.4
> 

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] ipv4: "conntrack zones" support for defrag user check in ip_expire
  2014-05-04 11:18 ` Pablo Neira Ayuso
@ 2014-05-04 12:58   ` Pablo Neira Ayuso
  2014-05-04 18:28     ` David Miller
  0 siblings, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2014-05-04 12:58 UTC (permalink / raw)
  To: David S. Miller
  Cc: Vasily Averin, Patrick McHardy, Florian Westphal, netfilter-devel,
	netdev

On Sun, May 04, 2014 at 01:18:50PM +0200, Pablo Neira Ayuso wrote:
> On Sat, May 03, 2014 at 03:14:04AM +0400, Vasily Averin wrote:
> > Defrag user check in ip_expire was not updated after adding support for
> > "conntrack zones"
> 
> I think this bug manifests as a RFC violation, as the router will send
> the icmp time exceeeded message when using conntrack zones. Just would
> like to confirm this, so we can include it in the patch description.
> Thanks.

@David: If no objection, I'll pick this patch given that it's a
netfilter bug.

I will also append to the patch description the comment above for the
record.

> > Signed-off-by: Vasily Averin <vvs@openvz.org>
> > ---
> >  net/ipv4/ip_fragment.c |    5 +++--
> >  1 files changed, 3 insertions(+), 2 deletions(-)
> > 
> > diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
> > index c10a3ce..ed32313 100644
> > --- a/net/ipv4/ip_fragment.c
> > +++ b/net/ipv4/ip_fragment.c
> > @@ -232,8 +232,9 @@ static void ip_expire(unsigned long arg)
> >  		 * "Fragment Reassembly Timeout" message, per RFC792.
> >  		 */
> >  		if (qp->user == IP_DEFRAG_AF_PACKET ||
> > -		    (qp->user == IP_DEFRAG_CONNTRACK_IN &&
> > -		     skb_rtable(head)->rt_type != RTN_LOCAL))
> > +		    ((qp->user >= IP_DEFRAG_CONNTRACK_IN) &&
> > +		     (qp->user <= __IP_DEFRAG_CONNTRACK_IN_END) &&
> > +		     (skb_rtable(head)->rt_type != RTN_LOCAL)))
> >  			goto out_rcu_unlock;
> >  
> >  
> > -- 
> > 1.7.5.4
> > 

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] ipv4: "conntrack zones" support for defrag user check in ip_expire
  2014-05-04 12:58   ` Pablo Neira Ayuso
@ 2014-05-04 18:28     ` David Miller
  0 siblings, 0 replies; 5+ messages in thread
From: David Miller @ 2014-05-04 18:28 UTC (permalink / raw)
  To: pablo; +Cc: vvs, kaber, fw, netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sun, 4 May 2014 14:58:35 +0200

> On Sun, May 04, 2014 at 01:18:50PM +0200, Pablo Neira Ayuso wrote:
>> On Sat, May 03, 2014 at 03:14:04AM +0400, Vasily Averin wrote:
>> > Defrag user check in ip_expire was not updated after adding support for
>> > "conntrack zones"
>> 
>> I think this bug manifests as a RFC violation, as the router will send
>> the icmp time exceeeded message when using conntrack zones. Just would
>> like to confirm this, so we can include it in the patch description.
>> Thanks.
> 
> @David: If no objection, I'll pick this patch given that it's a
> netfilter bug.
> 
> I will also append to the patch description the comment above for the
> record.

That's perfectly fine, thanks.

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] ipv4: "conntrack zones" support for defrag user check in ip_expire
  2014-05-02 23:14 [PATCH] ipv4: "conntrack zones" support for defrag user check in ip_expire Vasily Averin
  2014-05-04 11:18 ` Pablo Neira Ayuso
@ 2014-05-05 14:07 ` Pablo Neira Ayuso
  1 sibling, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2014-05-05 14:07 UTC (permalink / raw)
  To: Vasily Averin
  Cc: Patrick McHardy, Florian Westphal, netfilter-devel, netdev,
	David S. Miller

On Sat, May 03, 2014 at 03:14:04AM +0400, Vasily Averin wrote:
> Defrag user check in ip_expire was not updated after adding support for
> "conntrack zones"

Applied, thanks.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2014-05-05 14:07 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-05-02 23:14 [PATCH] ipv4: "conntrack zones" support for defrag user check in ip_expire Vasily Averin
2014-05-04 11:18 ` Pablo Neira Ayuso
2014-05-04 12:58   ` Pablo Neira Ayuso
2014-05-04 18:28     ` David Miller
2014-05-05 14:07 ` Pablo Neira Ayuso

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).