Well, I have seen that in one of the previous patches from Pablo, he adds if (ret == -NF_DROP) inside the if (ret < 0), but as NF_DROP is 0, it won't ever enter the if (ret == -NF_DROP). I will make a patch...

On Thu March 12 2009 wrote Christoph Paasch:
> Hi,
>
> I have a question regarding the call to l4_packet, in nf_conntrack_in(...)
> from nf_conntrack_core.c
>
> When a module like TCP returns -NF_DROP in tcp_packet(...), the packet
> won't get dropped, because NF_DROP = 0, and in nf_conntrack_in the return
> of the call to l4_packet is checked:
>
> if (ret < 0) {
>         ...
> }
>
> So, there is no way to drop packets after l4_packet.
>
> Why is this implemented that way?
>
> There are several points in tcp_packet where the function returns -NF_DROP
> and the comments in this function say that the packet will get blocked.
>
> For example (from tcp_packet):
>
> if (index == TCP_SYNACK_SET
>     && ct->proto.tcp.last_index == TCP_SYN_SET
>     && ct->proto.tcp.last_dir != dir
>     && ntohl(th->ack_seq) == ct->proto.tcp.last_end) {
>         /* b) This SYN/ACK acknowledges a SYN that we earlier
>          * ignored as invalid. This means that the client and
>          * the server are both in sync, while the firewall is
>          * not. We kill this session and block the SYN/ACK so
>          * that the client cannot but retransmit its SYN and
>          * thus initiate a clean new session.
>          */
>         write_unlock_bh(&tcp_lock);
>         if (LOG_INVALID(net, IPPROTO_TCP))
>                 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
>                               "nf_ct_tcp: killing out of sync session ");
>         nf_ct_kill(ct);
>         return -NF_DROP;
> }
>
> I hope that I was clear.
> Could someone please explain this to me?
> And how can I block packets after the call to l4_packet?
>
> Thanks
>
> --
> Christoph Paasch
>
> www.rollerbulls.be

--
Christoph Paasch

www.rollerbulls.be
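The point of the thread is a sign-convention trap: the L4 handlers signal "invalid packet" by returning the negated verdict, but NF_DROP is 0, so -NF_DROP is also 0 and never satisfies a "ret < 0" test. The following small C model is an added example written for this page; it is not the kernel's conntrack code. The verdict values match the kernel's definitions, but l4_packet_model(), verdict_lt_zero(), verdict_le_zero() and the drop_stat counter are constructed stand-ins, and the "ret <= 0" variant is shown only as one plausible repair, on the assumption that a handler never returns a bare 0 to mean "tracked successfully".

```c
#include <stdio.h>

/* Netfilter verdict values as the kernel defines them: NF_DROP is 0,
 * NF_ACCEPT is 1. Everything below is a constructed model for illustration. */
#define NF_DROP   0
#define NF_ACCEPT 1

/* Counter standing in for the conntrack "drop" statistic. */
int drop_stat = 0;

/* Hypothetical stand-in for an L4 handler such as tcp_packet(): a negative
 * return means "invalid, apply the negated value as the verdict". For the
 * out-of-sync SYN/ACK case quoted in the mail it returns -NF_DROP. */
static int l4_packet_model(int out_of_sync)
{
    if (out_of_sync)
        return -NF_DROP;    /* -0 == 0: not negative, so never "< 0" */
    return NF_ACCEPT;       /* tracked normally */
}

/* Model of the check as described in the mail: only ret < 0 counts as
 * invalid. Because -NF_DROP is 0 the branch is skipped, the packet is
 * accepted, and the nested "ret == -NF_DROP" test is dead code. */
int verdict_lt_zero(int out_of_sync)
{
    int ret = l4_packet_model(out_of_sync);
    if (ret < 0) {
        if (ret == -NF_DROP)
            drop_stat++;        /* unreachable: 0 is not < 0 */
        return -ret;            /* inverse of the return code is the verdict */
    }
    return NF_ACCEPT;
}

/* Assumed repair, for illustration only: treat ret <= 0 as invalid so that
 * -NF_DROP is negated back to NF_DROP and the drop counter is updated. This
 * is only safe if no handler uses a plain 0 to mean "tracked fine". */
int verdict_le_zero(int out_of_sync)
{
    int ret = l4_packet_model(out_of_sync);
    if (ret <= 0) {
        if (ret == -NF_DROP)
            drop_stat++;
        return -ret;
    }
    return NF_ACCEPT;
}

int main(void)
{
    int v;

    v = verdict_lt_zero(1);
    printf("ret < 0 check : out-of-sync SYN/ACK verdict=%d (NF_ACCEPT=%d), drop stat=%d\n",
           v, NF_ACCEPT, drop_stat);

    v = verdict_le_zero(1);
    printf("ret <= 0 check: out-of-sync SYN/ACK verdict=%d (NF_DROP=%d), drop stat=%d\n",
           v, NF_DROP, drop_stat);
    return 0;
}
```

Running the model shows the first check letting the "killed" session's SYN/ACK through with the drop counter untouched, while the second returns NF_DROP and counts it. Whatever repair is chosen in the real code, the check to keep in mind when reviewing verdict plumbing is whether any verdict constant can be 0, since negating it loses the sign that the error path relies on.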