From: "Jörg Marx" <joerg.marx@secunet.com>
To: Jesper Dangaard Brouer <brouer@redhat.com>,
Pablo Neira Ayuso <pablo@netfilter.org>
Cc: <programme110@gmail.com>, <netfilter-devel@vger.kernel.org>,
Florian Westphal <fw@strlen.de>, <netdev@vger.kernel.org>,
Patrick McHardy <kaber@trash.net>
Subject: Re: [PATCH nf] netfilter: conntrack: fix race in __nf_conntrack_confirm against get_next_corpse
Date: Wed, 12 Nov 2014 11:57:31 +0100 [thread overview]
Message-ID: <54633D1B.5090404@secunet.com> (raw)
In-Reply-To: <20141112083500.5404e5f4@redhat.com>
On 12.11.2014 08:35, Jesper Dangaard Brouer wrote:
Hi,
I wrote the patch in 2010, so find some arguments below:
>>> > > + nf_ct_del_from_dying_or_unconfirmed_list(ct);
>>> > >
>>> > > if (unlikely(nf_ct_is_dying(ct))) {
>>> > > + nf_ct_add_to_dying_list(ct);
>>> > > nf_conntrack_double_unlock(hash, reply_hash);
>>> > > local_bh_enable();
>>> > > return NF_ACCEPT;
>> >
>> > Not directly related to your patch, but I don't find a good reason why
>> > we're accepting this packet.
>> >
>> > If the conntrack from the unconfirmed list is dying, then the object
>> > will be released by when the packet leaves the stack to its
>> > destination. With stateful filtering depending in place, the follow up
>> > packet in the reply direction will likely be considered invalid (if
>> > tcp tracking is on). Fortunately for us, the origin will likely
>> > retransmit the syn again, so the ct will be setup accordingly.
>> >
>> > So, why should we allow this to go through?
> True, it also seems strange to me that we accept this packet.
The raise was triggered in a scenario when we tested high-load IPsec
tunnels and flushed the conntrack hashs from userspace.
For me there is little difference in choosing DROP or ACCEPT as verdict.
The packet/skb belongs to a formerly allowed connection, most likely
this connection is still allowed (but the conntrack hash entry is about
to be removed due to userspace is flushing the conntrack table).
To minimize the impact (lost packets -> retransmit) I decided to allow
the skb in flight, so were is no lost packet at this place.
When the connection is not allowed anymore (but was allowed up to now,
because the hash entry exists), the impact is one last packet 'slipping
through'.
Today I would still decide the way I did in 2010.
>
>> > This return verdict was introduced in: fc35077 ("netfilter:
>> > nf_conntrack: fix a race in __nf_conntrack_confirm against
>> > nf_ct_get_next_corpse()") btw.
> And the commit does not argue why NF_ACCEPT was chosen...
>
> -- Best regards, Jesper Dangaard Brouer MSc.CS, Sr. Network Kernel
> Developer at Red Hat Author of http://www.iptv-analyzer.org LinkedIn:
> http://www.linkedin.com/in/brouer
best regards
Jörg Marx
--
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2014-11-12 10:57 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <012601cff7d1$7ce2d620$76a88260$@gmail.com>
2014-11-06 13:00 ` netfilter: nf_conntrack: there maybe a bug in __nf_conntrack_confirm, when it race against get_next_corpse Jesper Dangaard Brouer
2014-11-06 13:36 ` [PATCH nf] netfilter: conntrack: fix race in __nf_conntrack_confirm " Jesper Dangaard Brouer
2014-11-10 16:54 ` Pablo Neira Ayuso
2014-11-12 7:35 ` Jesper Dangaard Brouer
2014-11-12 10:57 ` Jörg Marx [this message]
2014-11-13 12:08 ` Pablo Neira Ayuso
2014-11-13 14:33 ` Jörg Marx
2014-11-14 16:40 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54633D1B.5090404@secunet.com \
--to=joerg.marx@secunet.com \
--cc=brouer@redhat.com \
--cc=fw@strlen.de \
--cc=kaber@trash.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=programme110@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).