* Question about ipt_REJECT
@ 2009-12-29 7:37 Xiong Wu
2009-12-30 3:36 ` Bin Liang
2010-01-04 12:57 ` Patrick McHardy
0 siblings, 2 replies; 5+ messages in thread
From: Xiong Wu @ 2009-12-29 7:37 UTC (permalink / raw)
To: netfilter-devel
Hi All,
I found the TCP RST packet sent from ipt_REJECT target isn't able to
update related conntrack state.
I install a 2.6.30.10 kernel as a router and add a iptables rule with
REJECT target to reset specific connections. However I found when
the packets is handled by the ipt_REJECT and the TCP RST packet is
sent, the related conntrack state isn't updated to CLOSE state.
Then I review the ipt_REJECT codes. I found the target attach the old
conntrack to RST packet as:
{
nf_ct_attach(nskb, oldskb);
ip_local_out(nskb);
}
Therefor the nf_conntrack_in() will ignore this RST packet due to the
nfct is valid in skb.
{
if (skb->nfct) {
NF_CT_STAT_INC_ATOMIC(net, ignore);
return NF_ACCEPT;
}
}
Is there any reason to attach the old conntrack to new RST skb? I
think let the RST packet lookup and update related conntrack is
better.
Thanks,
Sean
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Question about ipt_REJECT
2009-12-29 7:37 Question about ipt_REJECT Xiong Wu
@ 2009-12-30 3:36 ` Bin Liang
2010-01-04 12:57 ` Patrick McHardy
1 sibling, 0 replies; 5+ messages in thread
From: Bin Liang @ 2009-12-30 3:36 UTC (permalink / raw)
To: Xiong Wu; +Cc: netfilter-devel
Hi,
If the conntrack is in ESTABLISHED state, will it still in this state
after the ipt_REJECT send the RST packet?
If yes, I think this is an issue.
Thanks,
-Bryan
On Tue, Dec 29, 2009 at 3:37 PM, Xiong Wu <xiong.wu1981@gmail.com> wrote:
>
> Hi All,
>
> I found the TCP RST packet sent from ipt_REJECT target isn't able to
> update related conntrack state.
>
> I install a 2.6.30.10 kernel as a router and add a iptables rule with
> REJECT target to reset specific connections. However I found when
> the packets is handled by the ipt_REJECT and the TCP RST packet is
> sent, the related conntrack state isn't updated to CLOSE state.
>
> Then I review the ipt_REJECT codes. I found the target attach the old
> conntrack to RST packet as:
> {
> nf_ct_attach(nskb, oldskb);
> ip_local_out(nskb);
> }
>
> Therefor the nf_conntrack_in() will ignore this RST packet due to the
> nfct is valid in skb.
> {
> if (skb->nfct) {
> NF_CT_STAT_INC_ATOMIC(net, ignore);
> return NF_ACCEPT;
> }
> }
>
>
> Is there any reason to attach the old conntrack to new RST skb? I
> think let the RST packet lookup and update related conntrack is
> better.
>
>
> Thanks,
> Sean
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
Thanks,
-Bin
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Question about ipt_REJECT
2009-12-29 7:37 Question about ipt_REJECT Xiong Wu
2009-12-30 3:36 ` Bin Liang
@ 2010-01-04 12:57 ` Patrick McHardy
2010-01-10 13:24 ` Xiong Wu
1 sibling, 1 reply; 5+ messages in thread
From: Patrick McHardy @ 2010-01-04 12:57 UTC (permalink / raw)
To: Xiong Wu; +Cc: netfilter-devel
Xiong Wu wrote:
> Hi All,
>
> I found the TCP RST packet sent from ipt_REJECT target isn't able to
> update related conntrack state.
>
> I install a 2.6.30.10 kernel as a router and add a iptables rule with
> REJECT target to reset specific connections. However I found when
> the packets is handled by the ipt_REJECT and the TCP RST packet is
> sent, the related conntrack state isn't updated to CLOSE state.
>
> Then I review the ipt_REJECT codes. I found the target attach the old
> conntrack to RST packet as:
> {
> nf_ct_attach(nskb, oldskb);
> ip_local_out(nskb);
> }
>
> Therefor the nf_conntrack_in() will ignore this RST packet due to the
> nfct is valid in skb.
> {
> if (skb->nfct) {
> NF_CT_STAT_INC_ATOMIC(net, ignore);
> return NF_ACCEPT;
> }
> }
>
>
> Is there any reason to attach the old conntrack to new RST skb? I
> think let the RST packet lookup and update related conntrack is
> better.
The packet that is rejected might be half-way mangled by NAT (DNAT
performed, SNAT not yet performed). In this state conntrack is
be unable to associate the generated RST packet with the conntrack
entry. The same applies when you reject the first packet of a
connection which hasn't entered the hash tables yet.
Usually this shouldn't be a problem exactly because you would
normally reject the first packet of a connection, so it wouldn't
be placed in the conntrack hash.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Question about ipt_REJECT
2010-01-04 12:57 ` Patrick McHardy
@ 2010-01-10 13:24 ` Xiong Wu
2010-01-11 11:08 ` Patrick McHardy
0 siblings, 1 reply; 5+ messages in thread
From: Xiong Wu @ 2010-01-10 13:24 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
Hi,
I have to reject some connection which are confirmed, therefor I apply
the following patch to solve this problem. Please help me to review
this patch.
--- linux-2.6.32.3/net/ipv4/netfilter/ipt_REJECT.c 2010-01-07
07:07:45.000000000 +0800
+++ linux-2.6.32.3-new/net/ipv4/netfilter/ipt_REJECT.c 2010-01-10
21:18:11.000000000 +0800
@@ -23,6 +23,7 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ipt_REJECT.h>
+#include <include/net/netfilter/nf_conntrack.h>
#ifdef CONFIG_BRIDGE_NETFILTER
#include <linux/netfilter_bridge.h>
#endif
@@ -40,6 +41,9 @@
const struct tcphdr *oth;
struct tcphdr _otcph, *tcph;
unsigned int addr_type;
+ enum ip_conntrack_info ctinfo;
+ const struct nf_conn *ct;
+
/* IP header checks: fragment. */
if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
@@ -120,7 +124,12 @@
if (nskb->len > dst_mtu(skb_dst(nskb)))
goto free_nskb;
- nf_ct_attach(nskb, oldskb);
+ /*only when the ct isn't confirmed, attach it to reset packet*/
+ ct = nf_ct_get(skb, &ctinfo);
+ if((ct != NULL) && (!nf_ct_is_confirmed(ct)))
+ {
+ nf_ct_attach(nskb, oldskb);
+ }
ip_local_out(nskb);
return;
Thanks,
Xiong
2010/1/4 Patrick McHardy <kaber@trash.net>:
> Xiong Wu wrote:
>> Hi All,
>>
>> I found the TCP RST packet sent from ipt_REJECT target isn't able to
>> update related conntrack state.
>>
>> I install a 2.6.30.10 kernel as a router and add a iptables rule with
>> REJECT target to reset specific connections. However I found when
>> the packets is handled by the ipt_REJECT and the TCP RST packet is
>> sent, the related conntrack state isn't updated to CLOSE state.
>>
>> Then I review the ipt_REJECT codes. I found the target attach the old
>> conntrack to RST packet as:
>> {
>> nf_ct_attach(nskb, oldskb);
>> ip_local_out(nskb);
>> }
>>
>> Therefor the nf_conntrack_in() will ignore this RST packet due to the
>> nfct is valid in skb.
>> {
>> if (skb->nfct) {
>> NF_CT_STAT_INC_ATOMIC(net, ignore);
>> return NF_ACCEPT;
>> }
>> }
>>
>>
>> Is there any reason to attach the old conntrack to new RST skb? I
>> think let the RST packet lookup and update related conntrack is
>> better.
>
> The packet that is rejected might be half-way mangled by NAT (DNAT
> performed, SNAT not yet performed). In this state conntrack is
> be unable to associate the generated RST packet with the conntrack
> entry. The same applies when you reject the first packet of a
> connection which hasn't entered the hash tables yet.
>
> Usually this shouldn't be a problem exactly because you would
> normally reject the first packet of a connection, so it wouldn't
> be placed in the conntrack hash.
>
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Question about ipt_REJECT
2010-01-10 13:24 ` Xiong Wu
@ 2010-01-11 11:08 ` Patrick McHardy
0 siblings, 0 replies; 5+ messages in thread
From: Patrick McHardy @ 2010-01-11 11:08 UTC (permalink / raw)
To: Xiong Wu; +Cc: netfilter-devel
Xiong Wu wrote:
> Hi,
>
> I have to reject some connection which are confirmed, therefor I apply
> the following patch to solve this problem. Please help me to review
> this patch.
As I said, this doesn't work properly since conntrack can't associate
packets generated in response to half-way NATed packets with the
original connection.
The manual conntrack association is necessary, you need to find a way
to make the packet visible to TCP conntrack. I think what might work
is to change the condition ignoring already-tracked packets in
nf_conntrack to only ignore packets using either nf_conntrack_untracked
or received in NF_INET_PRE_ROUTING.
> --- linux-2.6.32.3/net/ipv4/netfilter/ipt_REJECT.c 2010-01-07
> 07:07:45.000000000 +0800
> +++ linux-2.6.32.3-new/net/ipv4/netfilter/ipt_REJECT.c 2010-01-10
> 21:18:11.000000000 +0800
> @@ -23,6 +23,7 @@
> #include <linux/netfilter/x_tables.h>
> #include <linux/netfilter_ipv4/ip_tables.h>
> #include <linux/netfilter_ipv4/ipt_REJECT.h>
> +#include <include/net/netfilter/nf_conntrack.h>
> #ifdef CONFIG_BRIDGE_NETFILTER
> #include <linux/netfilter_bridge.h>
> #endif
> @@ -40,6 +41,9 @@
> const struct tcphdr *oth;
> struct tcphdr _otcph, *tcph;
> unsigned int addr_type;
> + enum ip_conntrack_info ctinfo;
> + const struct nf_conn *ct;
> +
>
> /* IP header checks: fragment. */
> if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
> @@ -120,7 +124,12 @@
> if (nskb->len > dst_mtu(skb_dst(nskb)))
> goto free_nskb;
>
> - nf_ct_attach(nskb, oldskb);
> + /*only when the ct isn't confirmed, attach it to reset packet*/
> + ct = nf_ct_get(skb, &ctinfo);
> + if((ct != NULL) && (!nf_ct_is_confirmed(ct)))
> + {
> + nf_ct_attach(nskb, oldskb);
> + }
>
> ip_local_out(nskb);
> return;
>
> Thanks,
> Xiong
>
> 2010/1/4 Patrick McHardy <kaber@trash.net>:
>> Xiong Wu wrote:
>>> Hi All,
>>>
>>> I found the TCP RST packet sent from ipt_REJECT target isn't able to
>>> update related conntrack state.
>>>
>>> I install a 2.6.30.10 kernel as a router and add a iptables rule with
>>> REJECT target to reset specific connections. However I found when
>>> the packets is handled by the ipt_REJECT and the TCP RST packet is
>>> sent, the related conntrack state isn't updated to CLOSE state.
>>>
>>> Then I review the ipt_REJECT codes. I found the target attach the old
>>> conntrack to RST packet as:
>>> {
>>> nf_ct_attach(nskb, oldskb);
>>> ip_local_out(nskb);
>>> }
>>>
>>> Therefor the nf_conntrack_in() will ignore this RST packet due to the
>>> nfct is valid in skb.
>>> {
>>> if (skb->nfct) {
>>> NF_CT_STAT_INC_ATOMIC(net, ignore);
>>> return NF_ACCEPT;
>>> }
>>> }
>>>
>>>
>>> Is there any reason to attach the old conntrack to new RST skb? I
>>> think let the RST packet lookup and update related conntrack is
>>> better.
>> The packet that is rejected might be half-way mangled by NAT (DNAT
>> performed, SNAT not yet performed). In this state conntrack is
>> be unable to associate the generated RST packet with the conntrack
>> entry. The same applies when you reject the first packet of a
>> connection which hasn't entered the hash tables yet.
>>
>> Usually this shouldn't be a problem exactly because you would
>> normally reject the first packet of a connection, so it wouldn't
>> be placed in the conntrack hash.
>>
>>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2010-01-11 11:08 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-12-29 7:37 Question about ipt_REJECT Xiong Wu
2009-12-30 3:36 ` Bin Liang
2010-01-04 12:57 ` Patrick McHardy
2010-01-10 13:24 ` Xiong Wu
2010-01-11 11:08 ` Patrick McHardy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).