[PATCH] netfilter: use fwmark_reflect in nf_send_reset

[PATCH] netfilter: use fwmark_reflect in nf_send_reset

[Pau Espin Pedrol]

Otherwise, RST packets generated by ipt_REJECT always have mark 0 when
the routing is checked later in the same code path.

Signed-off-by: Pau Espin Pedrol <pau.espin@tessares.net>
---
 net/ipv4/netfilter/nf_reject_ipv4.c | 2 ++
 net/ipv6/netfilter/nf_reject_ipv6.c | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
index fd82202..d088295 100644
--- a/net/ipv4/netfilter/nf_reject_ipv4.c
+++ b/net/ipv4/netfilter/nf_reject_ipv4.c
@@ -126,6 +126,8 @@ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook)
 	/* ip_route_me_harder expects skb->dst to be set */
 	skb_dst_set_noref(nskb, skb_dst(oldskb));
 
+	nskb->mark = IP4_REPLY_MARK(dev_net(oldskb->dev), oldskb->mark);
+
 	skb_reserve(nskb, LL_MAX_HEADER);
 	niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP,
 				   ip4_dst_hoplimit(skb_dst(nskb)));
diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
index 1009040..008b0ce 100644
--- a/net/ipv6/netfilter/nf_reject_ipv6.c
+++ b/net/ipv6/netfilter/nf_reject_ipv6.c
@@ -152,6 +152,7 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
 
 	memset(&fl6, 0, sizeof(fl6));
 	fl6.flowi6_proto = IPPROTO_TCP;
+	fl6.flowi6_mark = IP6_REPLY_MARK(dev_net(oldskb->dev), oldskb->mark);
 	fl6.saddr = oip6h->daddr;
 	fl6.daddr = oip6h->saddr;
 	fl6.fl6_sport = otcph->dest;
@@ -180,6 +181,8 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
 
 	skb_dst_set(nskb, dst);
 
+	nskb->mark = fl6.flowi6_mark;
+
 	skb_reserve(nskb, hh_len + dst->header_len);
 	ip6h = nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_TCP,
 				    ip6_dst_hoplimit(dst));
-- 
2.7.4


-- 

------------------------------
DISCLAIMER.
This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the system manager. 
This message contains confidential information and is intended only for the 
individual named. If you are not the named addressee you should not 
disseminate, distribute or copy this e-mail. Please notify the sender 
immediately by e-mail if you have received this e-mail by mistake and 
delete this e-mail from your system. If you are not the intended recipient 
you are notified that disclosing, copying, distributing or taking any 
action in reliance on the contents of this information is strictly 
prohibited.

Re: [PATCH] netfilter: use fwmark_reflect in nf_send_reset

[Pablo Neira Ayuso]

Hi Pau,

Cc'ing Lorenzo, I think the original intention is to cover this case
too.

On Thu, Dec 15, 2016 at 01:43:43PM +0100, Pau Espin Pedrol wrote:
> Otherwise, RST packets generated by ipt_REJECT always have mark 0 when
> the routing is checked later in the same code path.

I think this is fixing e110861f8609. So please add this before your
Signed-off-by tag.

Fixes: e110861f8609 ("net: add a sysctl to reflect the fwmark on replies")

More comments below.

> Signed-off-by: Pau Espin Pedrol <pau.espin@tessares.net>
> ---
>  net/ipv4/netfilter/nf_reject_ipv4.c | 2 ++
>  net/ipv6/netfilter/nf_reject_ipv6.c | 3 +++
>  2 files changed, 5 insertions(+)
> 
> diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
> index fd82202..d088295 100644
> --- a/net/ipv4/netfilter/nf_reject_ipv4.c
> +++ b/net/ipv4/netfilter/nf_reject_ipv4.c
> @@ -126,6 +126,8 @@ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook)
>  	/* ip_route_me_harder expects skb->dst to be set */
>  	skb_dst_set_noref(nskb, skb_dst(oldskb));
>  
> +	nskb->mark = IP4_REPLY_MARK(dev_net(oldskb->dev), oldskb->mark);

nf_send_reset() already takes 'struct net *' as parameter, so no need
to look up for net again via dev_net().

> +
>  	skb_reserve(nskb, LL_MAX_HEADER);
>  	niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP,
>  				   ip4_dst_hoplimit(skb_dst(nskb)));
> diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
> index 1009040..008b0ce 100644
> --- a/net/ipv6/netfilter/nf_reject_ipv6.c
> +++ b/net/ipv6/netfilter/nf_reject_ipv6.c
> @@ -152,6 +152,7 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
>  
>  	memset(&fl6, 0, sizeof(fl6));
>  	fl6.flowi6_proto = IPPROTO_TCP;
> +	fl6.flowi6_mark = IP6_REPLY_MARK(dev_net(oldskb->dev), oldskb->mark);

Same thing here.

Please, address this feedback and send a v2. Thanks.

>  	fl6.saddr = oip6h->daddr;
>  	fl6.daddr = oip6h->saddr;
>  	fl6.fl6_sport = otcph->dest;
> @@ -180,6 +181,8 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
>  
>  	skb_dst_set(nskb, dst);
>  
> +	nskb->mark = fl6.flowi6_mark;
> +
>  	skb_reserve(nskb, hh_len + dst->header_len);
>  	ip6h = nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_TCP,
>  				    ip6_dst_hoplimit(dst));
> -- 
> 2.7.4
> 
> 
> -- 
> 
> ------------------------------
> DISCLAIMER.
> This email and any files transmitted with it are confidential and intended 
> solely for the use of the individual or entity to whom they are addressed. 
> If you have received this email in error please notify the system manager. 
> This message contains confidential information and is intended only for the 
> individual named. If you are not the named addressee you should not 
> disseminate, distribute or copy this e-mail. Please notify the sender 
> immediately by e-mail if you have received this e-mail by mistake and 
> delete this e-mail from your system. If you are not the intended recipient 
> you are notified that disclosing, copying, distributing or taking any 
> action in reliance on the contents of this information is strictly 
> prohibited.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] netfilter: use fwmark_reflect in nf_send_reset

[Pau Espin Pedrol]

Otherwise, RST packets generated by ipt_REJECT always have mark 0 when
the routing is checked later in the same code path.

Fixes: e110861f8609 ("net: add a sysctl to reflect the fwmark on replies")
Cc: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Pau Espin Pedrol <pau.espin@tessares.net>
---
 net/ipv4/netfilter/nf_reject_ipv4.c | 2 ++
 net/ipv6/netfilter/nf_reject_ipv6.c | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
index fd82202..146d861 100644
--- a/net/ipv4/netfilter/nf_reject_ipv4.c
+++ b/net/ipv4/netfilter/nf_reject_ipv4.c
@@ -126,6 +126,8 @@ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook)
 	/* ip_route_me_harder expects skb->dst to be set */
 	skb_dst_set_noref(nskb, skb_dst(oldskb));
 
+	nskb->mark = IP4_REPLY_MARK(net, oldskb->mark);
+
 	skb_reserve(nskb, LL_MAX_HEADER);
 	niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP,
 				   ip4_dst_hoplimit(skb_dst(nskb)));
diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
index 1009040..1e2cc8e 100644
--- a/net/ipv6/netfilter/nf_reject_ipv6.c
+++ b/net/ipv6/netfilter/nf_reject_ipv6.c
@@ -152,6 +152,7 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
 
 	memset(&fl6, 0, sizeof(fl6));
 	fl6.flowi6_proto = IPPROTO_TCP;
+	fl6.flowi6_mark = IP6_REPLY_MARK(net, oldskb->mark);
 	fl6.saddr = oip6h->daddr;
 	fl6.daddr = oip6h->saddr;
 	fl6.fl6_sport = otcph->dest;
@@ -180,6 +181,8 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
 
 	skb_dst_set(nskb, dst);
 
+	nskb->mark = fl6.flowi6_mark;
+
 	skb_reserve(nskb, hh_len + dst->header_len);
 	ip6h = nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_TCP,
 				    ip6_dst_hoplimit(dst));
-- 
2.7.4


-- 

------------------------------
DISCLAIMER.
This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the system manager. 
This message contains confidential information and is intended only for the 
individual named. If you are not the named addressee you should not 
disseminate, distribute or copy this e-mail. Please notify the sender 
immediately by e-mail if you have received this e-mail by mistake and 
delete this e-mail from your system. If you are not the intended recipient 
you are notified that disclosing, copying, distributing or taking any 
action in reliance on the contents of this information is strictly 
prohibited.

Re: [PATCH] netfilter: use fwmark_reflect in nf_send_reset

[Pablo Neira Ayuso]

Hi Pau,

On Fri, Dec 16, 2016 at 11:03:27AM +0100, Pau Espin Pedrol wrote:
> Otherwise, RST packets generated by ipt_REJECT always have mark 0 when
> the routing is checked later in the same code path.

Your patch works fine, I can see mark is reflected to TCP RST for
packets that are generated by netfilter.

However, it seems fwmark_reflect is broken here for TCP RST that are
generated by the stack, or at least I don't manage to trigger the
reflection with current git tree.

Using this simple ruleset to mark input packets:

# nft list ruleset
table ip x {
        chain y {
                type filter hook output priority 0; policy accept;
                log prefix "output: "
        }

        chain z {
                type filter hook input priority 0; policy accept;
                mark set 0x00000001
                log prefix "input: "
        }
}

Note input packets shows mark 0x1:

Dec 23 15:07:37 salvia kernel: [14895.204591] input: IN=eth0 OUT=
MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27691 DF
PROTO=TCP SPT=36341 DPT=24 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x1 

however, output shows no mark, so no reflection is going on:

Dec 23 15:07:37 salvia kernel: [14895.204643] output: IN= OUT=eth0
SRC=192.168.12.195 DST=192.168.12.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64
ID=52846 DF PROTO=TCP SPT=24 DPT=36341 WINDOW=0 RES=0x00 ACK RST
URGP=0 

fwmark_reflect works perfectly fine with ICMP:

Dec 23 15:11:21 salvia kernel: [15119.556780] input: IN=eth0 OUT=
MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=5429 SEQ=2 MARK=0x1
 
Dec 23 15:11:21 salvia kernel: [15119.556822] output: IN= OUT=eth0
SRC=192.168.2.195 DST=192.168.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64
ID=25617 PROTO=ICMP TYPE=0 CODE=0 ID=5429 SEQ=2 MARK=0x1 

Thanks.

Re: [PATCH] netfilter: use fwmark_reflect in nf_send_reset

[Pau Espin Pedrol]

Hi,

I will try to find some time over next weeks to have a look at it.

If I understood correctly, RSTs generated from the stack are currently
not marked when fwmark_reflect is on no matter whether my patch is
applied or not. Did I understand correctly?

Which scenario did you use to trigger RST coming from the stack?
Sending RST out of the rcv window to emulate spoofing? sending non
only-SYN packets for connections not yet tracked in conntrack?
Pau Espin Pedrol


2016-12-23 15:16 GMT+01:00 Pablo Neira Ayuso <pablo@netfilter.org>:
> Hi Pau,
>
> On Fri, Dec 16, 2016 at 11:03:27AM +0100, Pau Espin Pedrol wrote:
>> Otherwise, RST packets generated by ipt_REJECT always have mark 0 when
>> the routing is checked later in the same code path.
>
> Your patch works fine, I can see mark is reflected to TCP RST for
> packets that are generated by netfilter.
>
> However, it seems fwmark_reflect is broken here for TCP RST that are
> generated by the stack, or at least I don't manage to trigger the
> reflection with current git tree.
>
> Using this simple ruleset to mark input packets:
>
> # nft list ruleset
> table ip x {
>         chain y {
>                 type filter hook output priority 0; policy accept;
>                 log prefix "output: "
>         }
>
>         chain z {
>                 type filter hook input priority 0; policy accept;
>                 mark set 0x00000001
>                 log prefix "input: "
>         }
> }
>
> Note input packets shows mark 0x1:
>
> Dec 23 15:07:37 salvia kernel: [14895.204591] input: IN=eth0 OUT=
> MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27691 DF
> PROTO=TCP SPT=36341 DPT=24 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x1
>
> however, output shows no mark, so no reflection is going on:
>
> Dec 23 15:07:37 salvia kernel: [14895.204643] output: IN= OUT=eth0
> SRC=192.168.12.195 DST=192.168.12.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64
> ID=52846 DF PROTO=TCP SPT=24 DPT=36341 WINDOW=0 RES=0x00 ACK RST
> URGP=0
>
> fwmark_reflect works perfectly fine with ICMP:
>
> Dec 23 15:11:21 salvia kernel: [15119.556780] input: IN=eth0 OUT=
> MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
> TYPE=8 CODE=0 ID=5429 SEQ=2 MARK=0x1
>
> Dec 23 15:11:21 salvia kernel: [15119.556822] output: IN= OUT=eth0
> SRC=192.168.2.195 DST=192.168.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64
> ID=25617 PROTO=ICMP TYPE=0 CODE=0 ID=5429 SEQ=2 MARK=0x1
>
> Thanks.

Re: [PATCH] netfilter: use fwmark_reflect in nf_send_reset

[Pablo Neira Ayuso]

Hi Pau,

On Tue, Dec 27, 2016 at 10:51:09PM +0100, Pau Espin Pedrol wrote:
> Hi,
> 
> I will try to find some time over next weeks to have a look at it.
> 
> If I understood correctly, RSTs generated from the stack are currently
> not marked when fwmark_reflect is on no matter whether my patch is
> applied or not. Did I understand correctly?
> 
> Which scenario did you use to trigger RST coming from the stack?
> Sending RST out of the rcv window to emulate spoofing? sending non
> only-SYN packets for connections not yet tracked in conntrack?

Using the ruleset example below on 192.168.12.1, from another host I
run netcat as client with:

 # nc 192.168.12.1 24

(note that nothing is listening on 192.168.12.1, tcp port 24).

I get no mark reflected on the TCP RST packet that 192.168.12.1 sends
out to the host that runs netcat as client.

So it seems to me fwmark_reflect is broken.

> 2016-12-23 15:16 GMT+01:00 Pablo Neira Ayuso <pablo@netfilter.org>:
> > Hi Pau,
> >
> > On Fri, Dec 16, 2016 at 11:03:27AM +0100, Pau Espin Pedrol wrote:
> >> Otherwise, RST packets generated by ipt_REJECT always have mark 0 when
> >> the routing is checked later in the same code path.
> >
> > Your patch works fine, I can see mark is reflected to TCP RST for
> > packets that are generated by netfilter.
> >
> > However, it seems fwmark_reflect is broken here for TCP RST that are
> > generated by the stack, or at least I don't manage to trigger the
> > reflection with current git tree.
> >
> > Using this simple ruleset to mark input packets:
> >
> > # nft list ruleset
> > table ip x {
> >         chain y {
> >                 type filter hook output priority 0; policy accept;
> >                 log prefix "output: "
> >         }
> >
> >         chain z {
> >                 type filter hook input priority 0; policy accept;
> >                 mark set 0x00000001
> >                 log prefix "input: "
> >         }
> > }
> >
> > Note input packets shows mark 0x1:
> >
> > Dec 23 15:07:37 salvia kernel: [14895.204591] input: IN=eth0 OUT=
> > MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27691 DF
> > PROTO=TCP SPT=36341 DPT=24 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x1
> >
> > however, output shows no mark, so no reflection is going on:
> >
> > Dec 23 15:07:37 salvia kernel: [14895.204643] output: IN= OUT=eth0
> > SRC=192.168.12.195 DST=192.168.12.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64
> > ID=52846 DF PROTO=TCP SPT=24 DPT=36341 WINDOW=0 RES=0x00 ACK RST
> > URGP=0
> >
> > fwmark_reflect works perfectly fine with ICMP:
> >
> > Dec 23 15:11:21 salvia kernel: [15119.556780] input: IN=eth0 OUT=
> > MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
> > TYPE=8 CODE=0 ID=5429 SEQ=2 MARK=0x1
> >
> > Dec 23 15:11:21 salvia kernel: [15119.556822] output: IN= OUT=eth0
> > SRC=192.168.2.195 DST=192.168.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64
> > ID=25617 PROTO=ICMP TYPE=0 CODE=0 ID=5429 SEQ=2 MARK=0x1
> >
> > Thanks.

[PATCH v2 1/2] netfilter: use fwmark_reflect in nf_send_reset

[Pau Espin Pedrol]

Otherwise, RST packets generated by ipt_REJECT always have mark 0 when
the routing is checked later in the same code path.

Fixes: e110861f8609 ("net: add a sysctl to reflect the fwmark on replies")
Cc: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Pau Espin Pedrol <pau.espin@tessares.net>
---
 net/ipv4/netfilter/nf_reject_ipv4.c | 2 ++
 net/ipv6/netfilter/nf_reject_ipv6.c | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
index fd8220213afc..146d86105183 100644
--- a/net/ipv4/netfilter/nf_reject_ipv4.c
+++ b/net/ipv4/netfilter/nf_reject_ipv4.c
@@ -126,6 +126,8 @@ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook)
 	/* ip_route_me_harder expects skb->dst to be set */
 	skb_dst_set_noref(nskb, skb_dst(oldskb));
 
+	nskb->mark = IP4_REPLY_MARK(net, oldskb->mark);
+
 	skb_reserve(nskb, LL_MAX_HEADER);
 	niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP,
 				   ip4_dst_hoplimit(skb_dst(nskb)));
diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c
index 10090400c72f..eedee5d108d9 100644
--- a/net/ipv6/netfilter/nf_reject_ipv6.c
+++ b/net/ipv6/netfilter/nf_reject_ipv6.c
@@ -157,6 +157,7 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
 	fl6.fl6_sport = otcph->dest;
 	fl6.fl6_dport = otcph->source;
 	fl6.flowi6_oif = l3mdev_master_ifindex(skb_dst(oldskb)->dev);
+	fl6.flowi6_mark = IP6_REPLY_MARK(net, oldskb->mark);
 	security_skb_classify_flow(oldskb, flowi6_to_flowi(&fl6));
 	dst = ip6_route_output(net, NULL, &fl6);
 	if (dst->error) {
@@ -180,6 +181,8 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
 
 	skb_dst_set(nskb, dst);
 
+	nskb->mark = fl6.flowi6_mark;
+
 	skb_reserve(nskb, hh_len + dst->header_len);
 	ip6h = nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_TCP,
 				    ip6_dst_hoplimit(dst));
-- 
2.11.0


-- 

------------------------------
DISCLAIMER.
This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the system manager. 
This message contains confidential information and is intended only for the 
individual named. If you are not the named addressee you should not 
disseminate, distribute or copy this e-mail. Please notify the sender 
immediately by e-mail if you have received this e-mail by mistake and 
delete this e-mail from your system. If you are not the intended recipient 
you are notified that disclosing, copying, distributing or taking any 
action in reliance on the contents of this information is strictly 
prohibited.

[PATCH v2 2/2] tcp: fix mark propagation with fwmark_reflect enabled

[Pau Espin Pedrol]

From: Pau Espin Pedrol <pespin.shar@gmail.com>

Otherwise, RST packets generated by the TCP stack for non-existing
sockets always have mark 0.
The mark from the original packet is assigned to the netns_ipv4/6
socket used to send the response so that it can get copied into the
response skb when the socket sends it.

Fixes: e110861f8609 ("net: add a sysctl to reflect the fwmark on replies")
Cc: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Pau Espin Pedrol <pau.espin@tessares.net>
---
 net/ipv4/ip_output.c | 1 +
 net/ipv6/tcp_ipv6.c  | 1 +
 2 files changed, 2 insertions(+)

diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index fac275c48108..b67719f45953 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1629,6 +1629,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb,
 	sk->sk_protocol = ip_hdr(skb)->protocol;
 	sk->sk_bound_dev_if = arg->bound_dev_if;
 	sk->sk_sndbuf = sysctl_wmem_default;
+	sk->sk_mark = fl4.flowi4_mark;
 	err = ip_append_data(sk, &fl4, ip_reply_glue_bits, arg->iov->iov_base,
 			     len, 0, &ipc, &rt, MSG_DONTWAIT);
 	if (unlikely(err)) {
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 73bc8fc68acd..2b20622a5824 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -840,6 +840,7 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32
 	dst = ip6_dst_lookup_flow(ctl_sk, &fl6, NULL);
 	if (!IS_ERR(dst)) {
 		skb_dst_set(buff, dst);
+		ctl_sk->sk_mark = fl6.flowi6_mark;
 		ip6_xmit(ctl_sk, buff, &fl6, NULL, tclass);
 		TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
 		if (rst)
-- 
2.11.0


-- 

------------------------------
DISCLAIMER.
This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 
If you have received this email in error please notify the system manager. 
This message contains confidential information and is intended only for the 
individual named. If you are not the named addressee you should not 
disseminate, distribute or copy this e-mail. Please notify the sender 
immediately by e-mail if you have received this e-mail by mistake and 
delete this e-mail from your system. If you are not the intended recipient 
you are notified that disclosing, copying, distributing or taking any 
action in reliance on the contents of this information is strictly 
prohibited.

Re: [PATCH v2 2/2] tcp: fix mark propagation with fwmark_reflect enabled

[Pablo Neira Ayuso]

Cc'ing David:

On Fri, Jan 06, 2017 at 08:33:28PM +0100, Pau Espin Pedrol wrote:
> From: Pau Espin Pedrol <pespin.shar@gmail.com>
> 
> Otherwise, RST packets generated by the TCP stack for non-existing
> sockets always have mark 0.
> The mark from the original packet is assigned to the netns_ipv4/6
> socket used to send the response so that it can get copied into the
> response skb when the socket sends it.

@David, unless you want me to follow a different path, I'll take this
small chunk into my nf tree.

Netfilter specific fix for REJECT target comes at:
http://patchwork.ozlabs.org/patch/712119/

Thanks!

> Fixes: e110861f8609 ("net: add a sysctl to reflect the fwmark on replies")
> Cc: Lorenzo Colitti <lorenzo@google.com>
> Signed-off-by: Pau Espin Pedrol <pau.espin@tessares.net>
> ---
>  net/ipv4/ip_output.c | 1 +
>  net/ipv6/tcp_ipv6.c  | 1 +
>  2 files changed, 2 insertions(+)
> 
> diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> index fac275c48108..b67719f45953 100644
> --- a/net/ipv4/ip_output.c
> +++ b/net/ipv4/ip_output.c
> @@ -1629,6 +1629,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb,
>  	sk->sk_protocol = ip_hdr(skb)->protocol;
>  	sk->sk_bound_dev_if = arg->bound_dev_if;
>  	sk->sk_sndbuf = sysctl_wmem_default;
> +	sk->sk_mark = fl4.flowi4_mark;
>  	err = ip_append_data(sk, &fl4, ip_reply_glue_bits, arg->iov->iov_base,
>  			     len, 0, &ipc, &rt, MSG_DONTWAIT);
>  	if (unlikely(err)) {
> diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> index 73bc8fc68acd..2b20622a5824 100644
> --- a/net/ipv6/tcp_ipv6.c
> +++ b/net/ipv6/tcp_ipv6.c
> @@ -840,6 +840,7 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32
>  	dst = ip6_dst_lookup_flow(ctl_sk, &fl6, NULL);
>  	if (!IS_ERR(dst)) {
>  		skb_dst_set(buff, dst);
> +		ctl_sk->sk_mark = fl6.flowi6_mark;
>  		ip6_xmit(ctl_sk, buff, &fl6, NULL, tclass);
>  		TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
>  		if (rst)
> -- 
> 2.11.0
> 
> 
> -- 
> 
> ------------------------------
> DISCLAIMER.
> This email and any files transmitted with it are confidential and intended 
> solely for the use of the individual or entity to whom they are addressed. 
> If you have received this email in error please notify the system manager. 
> This message contains confidential information and is intended only for the 
> individual named. If you are not the named addressee you should not 
> disseminate, distribute or copy this e-mail. Please notify the sender 
> immediately by e-mail if you have received this e-mail by mistake and 
> delete this e-mail from your system. If you are not the intended recipient 
> you are notified that disclosing, copying, distributing or taking any 
> action in reliance on the contents of this information is strictly 
> prohibited.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH v2 2/2] tcp: fix mark propagation with fwmark_reflect enabled

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 9 Jan 2017 18:00:07 +0100

> @David, unless you want me to follow a different path, I'll take this
> small chunk into my nf tree.

No objection.

Re: [PATCH v2 1/2] netfilter: use fwmark_reflect in nf_send_reset

[Pablo Neira Ayuso]

On Fri, Jan 06, 2017 at 08:33:27PM +0100, Pau Espin Pedrol wrote:
> Otherwise, RST packets generated by ipt_REJECT always have mark 0 when
> the routing is checked later in the same code path.

Applied to my nf tree, thanks Pau.