From: Pablo Neira Ayuso
Subject: Re: [PATCH] netfilter: use fwmark_reflect in nf_send_reset
Date: Thu, 5 Jan 2017 12:01:33 +0100
Message-ID: <20170105110133.GA2037@salvia>
References: <1481805823-32636-1-git-send-email-pau.espin@tessares.net> <1481882607-461-1-git-send-email-pau.espin@tessares.net> <20161223141628.GA20986@salvia>
To: Pau Espin Pedrol
Cc: Pau Espin Pedrol, netfilter-devel@vger.kernel.org, Lorenzo Colitti

Hi Pau,

On Tue, Dec 27, 2016 at 10:51:09PM +0100, Pau Espin Pedrol wrote:
> Hi,
>
> I will try to find some time over next weeks to have a look at it.
>
> If I understood correctly, RSTs generated from the stack are currently
> not marked when fwmark_reflect is on no matter whether my patch is
> applied or not. Did I understand correctly?
>
> Which scenario did you use to trigger RST coming from the stack?
> Sending RST out of the rcv window to emulate spoofing? Sending non
> only-SYN packets for connections not yet tracked in conntrack?
Using the ruleset example below on 192.168.12.1, from another host I run
netcat as client with:

# nc 192.168.12.1 24

(note that nothing is listening on 192.168.12.1, tcp port 24).

I get no mark reflected on the TCP RST packet that 192.168.12.1 sends out
to the host that runs netcat as client. So it seems to me fwmark_reflect
is broken.

> 2016-12-23 15:16 GMT+01:00 Pablo Neira Ayuso :
> > Hi Pau,
> >
> > On Fri, Dec 16, 2016 at 11:03:27AM +0100, Pau Espin Pedrol wrote:
> >> Otherwise, RST packets generated by ipt_REJECT always have mark 0 when
> >> the routing is checked later in the same code path.
> >
> > Your patch works fine, I can see mark is reflected to TCP RST for
> > packets that are generated by netfilter.
> >
> > However, it seems fwmark_reflect is broken here for TCP RST that are
> > generated by the stack, or at least I don't manage to trigger the
> > reflection with current git tree.
> >
> > Using this simple ruleset to mark input packets:
> >
> > # nft list ruleset
> > table ip x {
> >         chain y {
> >                 type filter hook output priority 0; policy accept;
> >                 log prefix "output: "
> >         }
> >
> >         chain z {
> >                 type filter hook input priority 0; policy accept;
> >                 mark set 0x00000001
> >                 log prefix "input: "
> >         }
> > }
> >
> > Note input packets show mark 0x1:
> >
> > Dec 23 15:07:37 salvia kernel: [14895.204591] input: IN=eth0 OUT=
> > MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27691 DF
> > PROTO=TCP SPT=36341 DPT=24 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x1
> >
> > however, output shows no mark, so no reflection is going on:
> >
> > Dec 23 15:07:37 salvia kernel: [14895.204643] output: IN= OUT=eth0
> > SRC=192.168.12.195 DST=192.168.12.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64
> > ID=52846 DF PROTO=TCP SPT=24 DPT=36341 WINDOW=0 RES=0x00 ACK RST
> > URGP=0
> >
> > fwmark_reflect works perfectly fine with ICMP:
> >
> > Dec 23 15:11:21 salvia kernel: [15119.556780] input: IN=eth0 OUT=
> > MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
> > TYPE=8 CODE=0 ID=5429 SEQ=2 MARK=0x1
> >
> > Dec 23 15:11:21 salvia kernel: [15119.556822] output: IN= OUT=eth0
> > SRC=192.168.2.195 DST=192.168.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64
> > ID=25617 PROTO=ICMP TYPE=0 CODE=0 ID=5429 SEQ=2 MARK=0x1
> >
> > Thanks.
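As an added check (not code from the thread or the kernel tree), the following Python script parses nf_log lines of the form quoted above, pairs each output packet with the input packet it answers, and reports whether the input mark was carried over to the reply. The log lines inside it are constructed after the ones in the thread, with the ICMP reply's addresses normalised so that the pair matches.

```python
import re

# Constructed sample modelled on the thread's nf_log lines (ICMP reply subnet aligned to its request).
SAMPLE_LOG = """\
Dec 23 15:07:37 salvia kernel: [14895.204591] input: IN=eth0 OUT= MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27691 DF PROTO=TCP SPT=36341 DPT=24 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x1
Dec 23 15:07:37 salvia kernel: [14895.204643] output: IN= OUT=eth0 SRC=192.168.12.195 DST=192.168.12.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=52846 DF PROTO=TCP SPT=24 DPT=36341 WINDOW=0 RES=0x00 ACK RST URGP=0
Dec 23 15:11:21 salvia kernel: [15119.556780] input: IN=eth0 OUT= MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5429 SEQ=2 MARK=0x1
Dec 23 15:11:21 salvia kernel: [15119.556822] output: IN= OUT=eth0 SRC=192.168.12.195 DST=192.168.12.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25617 PROTO=ICMP TYPE=0 CODE=0 ID=5429 SEQ=2 MARK=0x1
"""

def parse_line(line):
    # One nf_log line -> dict of key=value fields plus the set of bare flags.
    m = re.search(r"\]\s+(input|output):\s+(.*)$", line)
    if not m:
        return None
    fields = {"_dir": m.group(1), "_flags": set()}
    for tok in m.group(2).split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v      # a repeated key (ICMP's second ID=) keeps the last value
        else:
            fields["_flags"].add(tok)     # DF, SYN, ACK, RST, ...
    return fields

def flow_key(f, reverse=False):
    # Flow identity; reverse=True gives the key of the packet this one answers.
    src, dst = (f["DST"], f["SRC"]) if reverse else (f["SRC"], f["DST"])
    if f.get("PROTO") == "ICMP":
        ends = (f.get("ID"), f.get("SEQ"))   # echo id/seq are shared by request and reply
    else:
        ends = (f.get("DPT"), f.get("SPT")) if reverse else (f.get("SPT"), f.get("DPT"))
    return (f.get("PROTO"), src, dst) + ends

def check_reflection(log_text):
    # Pair every output line with the input packet it answers and compare marks.
    inputs, results = {}, []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        if f["_dir"] == "input":
            inputs[flow_key(f)] = f
            continue
        orig = inputs.get(flow_key(f, reverse=True))
        if orig is None:
            continue   # locally originated traffic, nothing to reflect
        in_mark, out_mark = int(orig.get("MARK", "0"), 16), int(f.get("MARK", "0"), 16)
        results.append({"proto": f["PROTO"], "flags": sorted(f["_flags"]), "in_mark": in_mark,
                        "out_mark": out_mark, "reflected": in_mark == out_mark})
    return results
```

Run against the sample, the TCP RST comes back with `reflected` False (input mark 0x1, reply mark 0) while the ICMP echo reply comes back True, which is exactly the asymmetry the thread describes.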