Hi,

I will try to find some time over the next weeks to have a look at it.

If I understood correctly, RSTs generated from the stack are currently not
marked when fwmark_reflect is on, no matter whether my patch is applied or
not. Did I understand correctly?

Which scenario did you use to trigger RST coming from the stack? Sending
RST out of the rcv window to emulate spoofing? Sending non only-SYN packets
for connections not yet tracked in conntrack?

Pau Espin Pedrol

2016-12-23 15:16 GMT+01:00 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>:
> Hi Pau,
>
> On Fri, Dec 16, 2016 at 11:03:27AM +0100, Pau Espin Pedrol wrote:
>> Otherwise, RST packets generated by ipt_REJECT always have mark 0 when
>> the routing is checked later in the same code path.
>
> Your patch works fine, I can see mark is reflected to TCP RST for
> packets that are generated by netfilter.
>
> However, it seems fwmark_reflect is broken here for TCP RST that are
> generated by the stack, or at least I don't manage to trigger the
> reflection with current git tree.
>
> Using this simple ruleset to mark input packets:
>
> # nft list ruleset
> table ip x {
>         chain y {
>                 type filter hook output priority 0; policy accept;
>                 log prefix "output: "
>         }
>
>         chain z {
>                 type filter hook input priority 0; policy accept;
>                 mark set 0x00000001
>                 log prefix "input: "
>         }
> }
>
> Note input packets show mark 0x1:
>
> Dec 23 15:07:37 salvia kernel: [14895.204591] input: IN=eth0 OUT=
> MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=60 TOS=0x00 PREC=0x00
> TTL=64 ID=27691 DF PROTO=TCP SPT=36341 DPT=24 WINDOW=14600 RES=0x00 SYN
> URGP=0 MARK=0x1
>
> however, output shows no mark, so no reflection is going on:
>
> Dec 23 15:07:37 salvia kernel: [14895.204643] output: IN= OUT=eth0
> SRC=192.168.12.195 DST=192.168.12.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64
> ID=52846 DF PROTO=TCP SPT=24 DPT=36341 WINDOW=0 RES=0x00 ACK RST
> URGP=0
>
> fwmark_reflect works perfectly fine with ICMP:
>
> Dec 23 15:11:21 salvia kernel: [15119.556780] input: IN=eth0 OUT=
> MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=84 TOS=0x00 PREC=0x00
> TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5429 SEQ=2 MARK=0x1
>
> Dec 23 15:11:21 salvia kernel: [15119.556822] output: IN= OUT=eth0
> SRC=192.168.2.195 DST=192.168.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64
> ID=25617 PROTO=ICMP TYPE=0 CODE=0 ID=5429 SEQ=2 MARK=0x1
>
> Thanks.
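The check Pablo does by eye above (compare MARK= on the logged input packet with MARK= on the reply the kernel sends back) can be automated. The script below is an added example written for this page, not code from the thread or from the netfilter project. It assumes the same two log rules as Pablo's ruleset (`log prefix "input: "` on the input hook, `log prefix "output: "` on the output hook), pairs each logged reply with the packet it answers (reversed addresses and ports for TCP/UDP, same echo ID/SEQ for ICMP) and flags replies whose mark differs from the incoming mark. The sample log lines are constructed, modelled on the ones quoted in the mail with the ICMP reply addresses aligned so the pair matches.

```python
"""Check whether fwmark_reflect reflected the input mark onto kernel replies.

Reads kernel log lines produced by an nft/iptables 'log prefix' rule pair,
pairs each 'output:' reply with the 'input:' packet it answers and reports
replies whose MARK differs from the mark set on the incoming packet.
"""
import re

# Log prefixes are an assumption taken from the ruleset quoted in the mail.
PREFIX_RE = re.compile(r"\b(input|output): ")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Split one nft/iptables kernel log line into (direction, fields).

    Returns None for lines without an 'input: ' / 'output: ' prefix.
    Values are kept as lists because ICMP lines carry two ID= fields
    (the IP header ID first, then the ICMP echo identifier).
    """
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    fields = {}
    for key, val in KV_RE.findall(line[m.end():]):
        fields.setdefault(key, []).append(val)
    return m.group(1), fields


def mark_of(fields):
    """MARK= is only logged when the mark is non-zero; absence means 0."""
    vals = fields.get("MARK")
    return int(vals[0], 16) if vals else 0


def flow_key(direction, fields):
    """Canonical flow key so that a reply gets the same key as its request.

    TCP/UDP: addresses and ports are swapped on the output side.
    ICMP: addresses are swapped, echo ID/SEQ are identical in both directions.
    """
    proto = fields["PROTO"][0]
    src, dst = fields["SRC"][0], fields["DST"][0]
    if proto == "ICMP":
        a, b = fields["ID"][-1], fields["SEQ"][0]
    else:
        a, b = fields["SPT"][0], fields["DPT"][0]
    if direction == "output":
        src, dst = dst, src
        if proto != "ICMP":
            a, b = b, a
    return (proto, src, dst, a, b)


def check_reflection(lines):
    """Pair replies with requests and compare marks.

    Returns a list of (flow_key, input_mark, output_mark, reflected) tuples,
    one per logged reply that could be matched to a logged input packet.
    """
    inputs = {}
    results = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        direction, fields = parsed
        key = flow_key(direction, fields)
        if direction == "input":
            inputs[key] = mark_of(fields)
        elif key in inputs:
            in_mark, out_mark = inputs[key], mark_of(fields)
            results.append((key, in_mark, out_mark, in_mark == out_mark))
    return results


# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG = [
    # TCP SYN to a closed port, marked 0x1 on input ...
    "Dec 23 15:07:37 salvia kernel: [14895.204591] input: IN=eth0 OUT= MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27691 DF PROTO=TCP SPT=36341 DPT=24 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x1",
    # ... answered by a stack-generated RST that carries no MARK= at all
    "Dec 23 15:07:37 salvia kernel: [14895.204643] output: IN= OUT=eth0 SRC=192.168.12.195 DST=192.168.12.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=52846 DF PROTO=TCP SPT=24 DPT=36341 WINDOW=0 RES=0x00 ACK RST URGP=0",
    # ICMP echo request / reply where the mark is reflected correctly
    "Dec 23 15:11:21 salvia kernel: [15119.556780] input: IN=eth0 OUT= MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5429 SEQ=2 MARK=0x1",
    "Dec 23 15:11:21 salvia kernel: [15119.556822] output: IN= OUT=eth0 SRC=192.168.12.195 DST=192.168.12.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25617 PROTO=ICMP TYPE=0 CODE=0 ID=5429 SEQ=2 MARK=0x1",
]

if __name__ == "__main__":
    for key, in_mark, out_mark, ok in check_reflection(SAMPLE_LOG):
        status = "reflected" if ok else "NOT reflected"
        print(f"{key[0]:4} {key[1]} -> {key[2]} in=0x{in_mark:x} out=0x{out_mark:x}: {status}")
```

Run it against `journalctl -k` or `dmesg` output with a real ruleset in place; the TCP pair in the sample reproduces the thread's finding (input mark 0x1, reply mark 0), while the ICMP pair shows what a working reflection looks like.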