From: Patrick McHardy <kaber@trash.net>
To: Xiong Wu <xiong.wu1981@gmail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: Question about ipt_REJECT
Date: Mon, 04 Jan 2010 13:57:22 +0100 [thread overview]
Message-ID: <4B41E5B2.1080609@trash.net> (raw)
In-Reply-To: <c794cd670912282337v5a57508cwbc4c815cf53d363b@mail.gmail.com>
Xiong Wu wrote:
> Hi All,
>
> I found the TCP RST packet sent from ipt_REJECT target isn't able to
> update related conntrack state.
>
> I installed a 2.6.30.10 kernel as a router and added an iptables rule with
> the REJECT target to reset specific connections. However, I found that when
> the packets are handled by ipt_REJECT and the TCP RST packet is
> sent, the related conntrack state isn't updated to the CLOSE state.
>
> Then I reviewed the ipt_REJECT code. I found the target attaches the old
> conntrack to the RST packet as:
> {
> nf_ct_attach(nskb, oldskb);
> ip_local_out(nskb);
> }
>
> Therefore nf_conntrack_in() will ignore this RST packet because the
> nfct in the skb is valid:
> {
> if (skb->nfct) {
> NF_CT_STAT_INC_ATOMIC(net, ignore);
> return NF_ACCEPT;
> }
> }
>
>
> Is there any reason to attach the old conntrack to the new RST skb? I
> think letting the RST packet look up and update the related conntrack is
> better.
The packet that is rejected might be half-way mangled by NAT (DNAT
performed, SNAT not yet performed). In this state conntrack would
be unable to associate the generated RST packet with the conntrack
entry. The same applies when you reject the first packet of a
connection which hasn't entered the hash tables yet.
Usually this shouldn't be a problem exactly because you would
normally reject the first packet of a connection, so it wouldn't
be placed in the conntrack hash.
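Added illustration of the half-NAT case Patrick describes; this is a small model written for this page, not kernel code, and every address and port in it is a constructed sample value. It compares the tuple a REJECT-generated RST would carry against the entry's original and reply tuples, once for a plain forwarded flow and once for a flow that has passed DNAT in PREROUTING but not yet SNAT in POSTROUTING.

```c
/* Model of a conntrack tuple lookup for a RST built by ipt_REJECT.
 * Not kernel code; addresses/ports are constructed sample values. */
#include <stdint.h>

struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; };

/* Entry as conntrack stores it: original tuple as first seen, reply
 * tuple as it looks after all NAT mappings have been applied. */
struct ct_entry { struct tuple orig, reply; };

enum { CT_NO_MATCH = 0, CT_ORIGINAL = 1, CT_REPLY = 2 };

static int tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr &&
           a->sport == b->sport && a->dport == b->dport;
}

/* REJECT's RST is the rejected packet with addresses and ports swapped. */
static struct tuple rst_tuple_for(const struct tuple *pkt)
{
    struct tuple rst = { pkt->daddr, pkt->saddr, pkt->dport, pkt->sport };
    return rst;
}

/* Stand-in for the hash lookup, against a single entry. */
static int ct_lookup(const struct ct_entry *ct, const struct tuple *t)
{
    if (tuple_eq(&ct->orig, t)) return CT_ORIGINAL;
    if (tuple_eq(&ct->reply, t)) return CT_REPLY;
    return CT_NO_MATCH;
}

#define IP(a, b, c, d) ((uint32_t)(a) << 24 | (b) << 16 | (c) << 8 | (d))

/* No NAT: the RST equals the reply tuple, so a fresh lookup finds it. */
int rst_matches_without_nat(void)
{
    struct tuple pkt = { IP(10,0,0,5), IP(192,168,1,20), 40000, 8080 };
    struct ct_entry ct = { pkt, rst_tuple_for(&pkt) };
    struct tuple rst = rst_tuple_for(&pkt);
    return ct_lookup(&ct, &rst);
}

/* DNAT 203.0.113.10:80 -> 192.168.1.20:8080 already done, SNAT to
 * 203.0.113.1 not yet done: the RST built in FORWARD matches neither
 * tuple, which is why REJECT reuses the conntrack of the rejected skb. */
int rst_matches_half_nat(void)
{
    struct tuple orig  = { IP(10,0,0,5), IP(203,0,113,10), 40000, 80 };
    struct tuple reply = { IP(192,168,1,20), IP(203,0,113,1), 8080, 40000 };
    struct ct_entry ct = { orig, reply };
    struct tuple seen  = { IP(10,0,0,5), IP(192,168,1,20), 40000, 8080 };
    struct tuple rst = rst_tuple_for(&seen);
    return ct_lookup(&ct, &rst);
}
```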
Thread overview: 5+ messages
2009-12-29 7:37 Question about ipt_REJECT Xiong Wu
2009-12-30 3:36 ` Bin Liang
2010-01-04 12:57 ` Patrick McHardy [this message]
2010-01-10 13:24 ` Xiong Wu
2010-01-11 11:08 ` Patrick McHardy