netfilter-devel.vger.kernel.org archive mirror
* re L4 conntracking netns conversion
@ 2013-03-07 11:50 Alexey Dobriyan
  2013-03-08  1:01 ` Gao feng
  0 siblings, 1 reply; 4+ messages in thread
From: Alexey Dobriyan @ 2013-03-07 11:50 UTC (permalink / raw)
  To: Gao feng, Eric W. Biederman, Pablo Neira Ayuso; +Cc: netdev, netfilter-devel

Lots of netns changes!

I can't verify right now, but unless I'm not mistaken,
every L4 protocol conversion is buggy/oopsable/remotely ddosable
because per-netns stuff is initialized after protocol is hooked into
master dispatcher.

See c296bb4d5d417d466c9bcc8afef68a3db5449a64.


* Re: re L4 conntracking netns conversion
  2013-03-07 11:50 re L4 conntracking netns conversion Alexey Dobriyan
@ 2013-03-08  1:01 ` Gao feng
  2013-03-08  1:32   ` Eric W. Biederman
  0 siblings, 1 reply; 4+ messages in thread
From: Gao feng @ 2013-03-08  1:01 UTC (permalink / raw)
  To: Alexey Dobriyan
  Cc: Eric W. Biederman, Pablo Neira Ayuso, netdev, netfilter-devel

On 2013/03/07 19:50, Alexey Dobriyan wrote:
> Lots of netns changes!
> 
> I can't verify right now, but unless I'm not mistaken,
> every L4 protocol conversion is buggy/oopsable/remotely ddosable
> because per-netns stuff is initialized after protocol is hooked into
> master dispatcher.
> 

Don't we do register_pernet_subsys before we register hooks and l4proto?
Sorry, I don't quite understand what you mean. :(

> See c296bb4d5d417d466c9bcc8afef68a3db5449a64.
> 



* Re: re L4 conntracking netns conversion
  2013-03-08  1:01 ` Gao feng
@ 2013-03-08  1:32   ` Eric W. Biederman
  2013-03-08  1:56     ` Gao feng
  0 siblings, 1 reply; 4+ messages in thread
From: Eric W. Biederman @ 2013-03-08  1:32 UTC (permalink / raw)
  To: Gao feng; +Cc: Alexey Dobriyan, Pablo Neira Ayuso, netdev, netfilter-devel

Gao feng <gaofeng@cn.fujitsu.com> writes:

> On 2013/03/07 19:50, Alexey Dobriyan wrote:
>> Lots of netns changes!
>> 
>> I can't verify right now, but unless I'm not mistaken,
>> every L4 protocol conversion is buggy/oopsable/remotely ddosable
>> because per-netns stuff is initialized after protocol is hooked into
>> master dispatcher.
>> 
>
> Don't we do register_pernet_subsys before we register hooks and l4proto?
> Sorry, I don't quite understand what you mean. :(

>> See c296bb4d5d417d466c9bcc8afef68a3db5449a64.

The registration in the referenced commit has register_pernet_subsys
happening after nf_ct_l4_proto_register.  The unregistration is also
happening in that order so something seems fishy.  If there is
an ordering dependency between the two, unregistration should happen
in the opposite order of registration.

However, I don't know the code well enough to know if it is a problem or
not.

Eric




* Re: re L4 conntracking netns conversion
  2013-03-08  1:32   ` Eric W. Biederman
@ 2013-03-08  1:56     ` Gao feng
  0 siblings, 0 replies; 4+ messages in thread
From: Gao feng @ 2013-03-08  1:56 UTC (permalink / raw)
  To: Eric W. Biederman
  Cc: Alexey Dobriyan, Pablo Neira Ayuso, netdev, netfilter-devel

On 2013/03/08 09:32, Eric W. Biederman wrote:
> Gao feng <gaofeng@cn.fujitsu.com> writes:
> 
>> On 2013/03/07 19:50, Alexey Dobriyan wrote:
>>> Lots of netns changes!
>>>
>>> I can't verify right now, but unless I'm not mistaken,
>>> every L4 protocol conversion is buggy/oopsable/remotely ddosable
>>> because per-netns stuff is initialized after protocol is hooked into
>>> master dispatcher.
>>>
>>
>> Don't we do register_pernet_subsys before we register hooks and l4proto?
>> Sorry, I don't quite understand what you mean. :(
> 
>>> See c296bb4d5d417d466c9bcc8afef68a3db5449a64.
> 
> The registration in the referenced commit has register_pernet_subsys
> happening after nf_ct_l4_proto_register.  The unregistration is also
> happening in that order so something seems fishy.  If there is
> an ordering dependency between the two, unregistration should happen
> in the opposite order of registration.
> 

Yes, we have the incorrect order when registering l4proto_sctp/gre/dccp/udplite.

> However, I don't know the code well enough to know if it is a problem or
> not.
> 

We had better fix this problem, since the l4proto may access the memory before
register_pernet_subsys allocates it.

Thanks
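
The ordering problem discussed in this thread, as a userspace model added here (not code from the kernel or from any poster). Every function name in it is a hypothetical stand-in rather than a kernel API; it shows what a packet sees when the handler is hooked before its per-netns state exists, next to state-first registration with reverse-order teardown.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: every name here is hypothetical, not a kernel API. */
struct pernet_state { int timeout; };      /* stands in for per-netns data */
static struct pernet_state *net_state;     /* NULL until pernet init runs  */
static int (*dispatch)(void);              /* slot in the "master dispatcher" */
/* Per-packet handler. Returns -1 rather than dereferencing NULL so the
 * model can report the window the thread is concerned about. */
static int l4_packet(void) { return net_state ? net_state->timeout : -1; }
static int pernet_register(void) {
    net_state = malloc(sizeof(*net_state));
    if (!net_state) return -1;
    net_state->timeout = 30;               /* constructed sample value */
    return 0;
}
static void pernet_unregister(void) { free(net_state); net_state = NULL; }
static int proto_register(void) { dispatch = l4_packet; return 0; }
static void proto_unregister(void) { dispatch = NULL; }
/* A packet arrives: -2 if no handler is hooked, else the handler's result. */
static int deliver(void) { return dispatch ? dispatch() : -2; }

/* Order under discussion: handler hooked before its state exists. */
int init_buggy(void) {
    proto_register();
    int seen = deliver();                  /* packet lands in the window */
    pernet_register();
    return seen;
}
/* State first, handler last, with unwinding on failure. */
int init_fixed(void) {
    if (pernet_register()) return -1;
    if (proto_register()) { pernet_unregister(); return -1; }
    return deliver();
}
/* Teardown in the opposite order of registration. */
int fini(void) {
    proto_unregister();
    int seen = deliver();                  /* nothing can reach freed state */
    pernet_unregister();
    return seen;
}

int main(void) {
    int a = init_buggy(); fini();
    int b = init_fixed(); fini();
    printf("window sees %d, fixed order sees %d\n", a, b);
    return 0;
}
```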

