From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Joseph Conley <joseph.j.conley@gmail.com>
Cc: netfilter-devel@vger.kernel.org, Joe Conley <joe.conley@lairdtech.com>
Subject: Re: [PATCH] netfilter: conntrack: Fix ifdef checks for CONFIG_NF_CONNTRACK_MARK
Date: Fri, 23 Dec 2016 15:55:34 +0100
Message-ID: <20161223145534.GA14038@salvia>
In-Reply-To: <CAGCFG8vM+6zpCbH_HxLvx2JfdVyF-bdr2Owk-kwbnw0vKoNwuw@mail.gmail.com>
On Mon, Dec 19, 2016 at 10:40:50AM -0500, Joseph Conley wrote:
> On Thu, Dec 15, 2016 at 3:55 PM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >
> > On Wed, Dec 14, 2016 at 04:35:57PM -0500, joseph.j.conley@gmail.com wrote:
> > > From: Joe Conley <joe.conley@lairdtech.com>
> > >
> > > Two missing ifdef checks for CONFIG_NF_CONNTRACK_MARK were causing
> > > EOPNOTSUPP to be returned. Every single place that cda[CTA_MARK] or cda[CTA_MARK_MASK]
> > > was checked was inside a #ifdef for CONFIG_NF_CONNTRACK_MARK except for these
> > > two places. The reason for this change stems from this commit:
> > > 866476f323465a8afef10b14b48d5136bf5c51fe (netfilter: conntrack: Flush connections with a given mark)
> > >
> > > This allows conntrack -L to be run successfully when CONFIG_NF_CONNTRACK_MARK
> > > is not enabled.
> >
> > I would like to understand how you're triggering this problem. If it
> > is a plain 'conntrack -L' command line invocation that triggers the
> > problem, then it's probably a userspace problem since we should not
> > send any mark attribute to the kernel if not set.
>
> Building the kernel with CONFIG_NF_CONNTRACK_MARK disabled will cause
> conntrack -L to return EOPNOTSUPP because of the missing ifdef checks.
> Building the kernel with it enabled allows conntrack -L to run
> successfully. At first, I thought this was a userspace bug as well but
> it is not. Every single place CTA_MARK or CTA_MARK_MASK is used is
> inside an ifdef check for CONFIG_NF_CONNTRACK_MARK except for these
> two places. There is no clear reason as to why. There is no reason
> that conntrack -L should return EOPNOTSUPP when
> CONFIG_NF_CONNTRACK_MARK is disabled.
I think this is a userspace bug, since we shouldn't send a mark filter if
not set by the user.
The kernel rejects with EOPNOTSUPP to indicate to userspace that the mark
filtering it requests is not supported. This check is good so the user
knows that this mark-based filtering doesn't work.
Just sent a patch for userspace, thanks a lot for reporting.
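The disagreement above is about which side owns the fix: the kernel rejects a listing request carrying a mark attribute with EOPNOTSUPP when CONFIG_NF_CONNTRACK_MARK is off, and userspace should therefore not emit that attribute unless the user asked for a mark filter. The following C program is an added, constructed model of that exchange, not code from the kernel or from conntrack-tools: ATTR_MARK and ATTR_MARK_MASK are stand-ins for the CTA_MARK and CTA_MARK_MASK netlink attributes (their values are made up), MODEL_CONNTRACK_MARK stands in for the Kconfig symbol, and the request struct models the attribute table the kernel sees after parsing. It contrasts a userspace builder that always sends the mark attribute with one that sends it only when the user set a mark, against a kernel model built without mark support.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Models a kernel built with (1) or without (0) CONFIG_NF_CONNTRACK_MARK.
 * Constructed for this example; not the real Kconfig symbol. */
#ifndef MODEL_CONNTRACK_MARK
#define MODEL_CONNTRACK_MARK 0
#endif

/* Stand-ins for the CTA_MARK / CTA_MARK_MASK netlink attribute types.
 * The numeric values are constructed, not the kernel's. */
enum { ATTR_MARK, ATTR_MARK_MASK, ATTR_MAX };

/* A parsed request as the kernel-side code would see it: one slot per
 * attribute type, present[] set when userspace actually sent it. */
struct request {
    bool present[ATTR_MAX];
    uint32_t value[ATTR_MAX];
};

/* Kernel side (model): set up a mark filter for a listing request.
 * A mark filter is only honoured when mark support is compiled in;
 * otherwise the request is rejected with -EOPNOTSUPP so the caller learns
 * that mark-based filtering is unavailable. A request without a mark
 * attribute is a plain listing and always succeeds. */
static int kernel_setup_filter(const struct request *req,
                               uint32_t *mark, uint32_t *mask)
{
    if (!req->present[ATTR_MARK])
        return 0;                       /* no mark filter requested */
#if MODEL_CONNTRACK_MARK
    *mark = req->value[ATTR_MARK];
    *mask = req->present[ATTR_MARK_MASK] ? req->value[ATTR_MARK_MASK]
                                         : 0xffffffffu;
    return 0;
#else
    (void)mark;
    (void)mask;
    return -EOPNOTSUPP;                 /* mark filtering not supported */
#endif
}

/* Userspace side, buggy form: always emits the mark attribute, even when
 * the user never asked for a mark filter (mark defaults to 0). */
static void build_request_buggy(struct request *req,
                                bool user_set_mark, uint32_t mark)
{
    memset(req, 0, sizeof(*req));
    req->present[ATTR_MARK] = true;
    req->value[ATTR_MARK] = user_set_mark ? mark : 0;
}

/* Userspace side, fixed form: emits the mark attribute only when the
 * user supplied a mark filter on the command line. */
static void build_request_fixed(struct request *req,
                                bool user_set_mark, uint32_t mark)
{
    memset(req, 0, sizeof(*req));
    if (user_set_mark) {
        req->present[ATTR_MARK] = true;
        req->value[ATTR_MARK] = mark;
    }
}

/* Runs one listing request end to end and returns the kernel's verdict:
 * 0 on success, -EOPNOTSUPP when an unsupported mark filter was sent. */
int list_conntrack(bool fixed_userspace, bool user_set_mark, uint32_t mark)
{
    struct request req;
    uint32_t m = 0, mk = 0;

    if (fixed_userspace)
        build_request_fixed(&req, user_set_mark, mark);
    else
        build_request_buggy(&req, user_set_mark, mark);

    return kernel_setup_filter(&req, &m, &mk);
}

int main(void)
{
    printf("buggy userspace, plain listing:        %d\n",
           list_conntrack(false, false, 0));
    printf("fixed userspace, plain listing:        %d\n",
           list_conntrack(true, false, 0));
    printf("fixed userspace, explicit mark filter: %d\n",
           list_conntrack(true, true, 1));
    return 0;
}
```

With MODEL_CONNTRACK_MARK left at 0, the buggy builder turns a plain listing into an EOPNOTSUPP failure, the fixed builder lists successfully, and an explicit mark filter is still rejected, which is the behaviour the reply above argues the kernel should keep so the user learns the filter did not apply. Rebuilding with -DMODEL_CONNTRACK_MARK=1 makes all three calls return 0.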