On Wed, Mar 25, 2015 at 05:39:04PM +0100, Daniel Borkmann wrote:
> On 03/25/2015 05:03 PM, Pablo Neira Ayuso wrote:
> >On Tue, Mar 24, 2015 at 04:30:29PM +0100, Daniel Borkmann wrote:
> >>diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
> >>index 7198d66..cd2468d 100644
> >>--- a/net/netfilter/xt_cgroup.c
> >>+++ b/net/netfilter/xt_cgroup.c
> >>@@ -16,8 +16,11 @@
> >> #include <linux/module.h>
> >> #include <linux/netfilter/x_tables.h>
> >> #include <linux/netfilter/xt_cgroup.h>
> >>+
> >> #include <net/sock.h>
> >> 
> >>+#include "xt_sk_helper.h"
> >>+
> >> MODULE_LICENSE("GPL");
> >> MODULE_AUTHOR("Daniel Borkmann <dborkman@xxxxxxxxxx>");
> >> MODULE_DESCRIPTION("Xtables: process control group matching");
> >>@@ -34,38 +37,85 @@ static int cgroup_mt_check(const struct xt_mtchk_param *par)
> >> return 0;
> >> }
> >> 
> >>-static bool
> >>-cgroup_mt(const struct sk_buff *skb, struct xt_action_param *par)
> >>+static bool cgroup_mt(const struct sk_buff *skb,
> >>+ const struct xt_action_param *par,
> >>+ struct sock *(*cgroup_mt_slow)(const struct sk_buff *skb,
> >>+ const struct net_device *indev))
> >> {
> >> const struct xt_cgroup_info *info = par->matchinfo;
> >>+ struct sock *sk = skb->sk;
> >>+ u32 sk_classid;
> >>+
> >>+ if (sk) {
> >>+ sk_classid = sk->sk_classid;
> >>+ } else {
> >>+ if (par->in != NULL)
> >>+ sk = cgroup_mt_slow(skb, par->in);
> > >Is this working with timewait sock?
> > Yes, all socket objects that are allocated (sk_alloc()) get a
> sk_classid of the current task. Given that both share the same
> lookup handler, we don't ignore them here as some xt_socket
> flags could after the lookup optionally do.

I mean, we may get a packet from the input path while in TIME_WAIT, and sk will be actually a inet_timewait_sock, which has a different layout (no sk_classid).

> >>+ if (sk == NULL)
> >>+ return false;
> >>+
> >>+ sk_classid = sk->sk_classid;
> >>+ sock_gen_put(sk);
> >>+ }
> >>+
> >>+ return (info->id == sk_classid) ^ info->invert;
> >>+}
-- 
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
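Review bot: The rewritten cgroup_mt() leaves two contract details undocumented at the new signature: the slow-path result is released with `sock_gen_put(sk)`, so cgroup_mt_slow() must return a referenced socket or NULL, and a packet with no socket (skb->sk NULL and either par->in NULL or a failed lookup) returns false before info->invert is applied, so a negated `--cgroup` rule never matches socket-less traffic on hooks where par->in is NULL (presumably the output path). A comment above the signature such as `/* cgroup_mt_slow() must return a referenced socket (dropped here with sock_gen_put()) or NULL; packets without a socket never match, regardless of info->invert. */` would make both explicit for whoever supplies the callback and for rule authors. As a style point, the same function mixes `if (sk)`, `par->in != NULL` and `sk == NULL` (checkpatch flags the explicit NULL comparisons), and an early `if (!par->in) return false;` inside the else branch would remove one nesting level and the reliance on sk staying NULL when the lookup is skipped. The quoted excerpt ends at the closing brace, but the @@ header counts 85 new lines, so the remainder of the hunk (presumably the wrappers that pass a concrete cgroup_mt_slow) is not shown here.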