Hi Pau,

On Tue, Dec 27, 2016 at 10:51:09PM +0100, Pau Espin Pedrol wrote:
> Hi,
>
> I will try to find some time over the next weeks to have a look at it.
>
> If I understood correctly, RSTs generated from the stack are currently
> not marked when fwmark_reflect is on, no matter whether my patch is
> applied or not. Did I understand correctly?
>
> Which scenario did you use to trigger RST coming from the stack?
> Sending RST out of the rcv window to emulate spoofing? Sending non
> only-SYN packets for connections not yet tracked in conntrack?

Using the ruleset example below on 192.168.12.1, from another host I
run netcat as client with:

# nc 192.168.12.1 24

(note that nothing is listening on 192.168.12.1, tcp port 24).

I get no mark reflected on the TCP RST packet that 192.168.12.1 sends
out to the host that runs netcat as client.

So it seems to me fwmark_reflect is broken.

> 2016-12-23 15:16 GMT+01:00 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>:
> > Hi Pau,
> >
> > On Fri, Dec 16, 2016 at 11:03:27AM +0100, Pau Espin Pedrol wrote:
> >> Otherwise, RST packets generated by ipt_REJECT always have mark 0 when
> >> the routing is checked later in the same code path.
> >
> > Your patch works fine, I can see mark is reflected to TCP RST for
> > packets that are generated by netfilter.
> >
> > However, it seems fwmark_reflect is broken here for TCP RST that are
> > generated by the stack, or at least I don't manage to trigger the
> > reflection with current git tree.
> >
> > Using this simple ruleset to mark input packets:
> >
> > # nft list ruleset
> > table ip x {
> >         chain y {
> >                 type filter hook output priority 0; policy accept;
> >                 log prefix "output: "
> >         }
> >
> >         chain z {
> >                 type filter hook input priority 0; policy accept;
> >                 mark set 0x00000001
> >                 log prefix "input: "
> >         }
> > }
> >
> > Note input packets show mark 0x1:
> >
> > Dec 23 15:07:37 salvia kernel: [14895.204591] input: IN=eth0 OUT= MAC=...
> > SRC=192.168.12.1 DST=192.168.12.195 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27691 DF
> > PROTO=TCP SPT=36341 DPT=24 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x1
> >
> > however, output shows no mark, so no reflection is going on:
> >
> > Dec 23 15:07:37 salvia kernel: [14895.204643] output: IN= OUT=eth0
> > SRC=192.168.12.195 DST=192.168.12.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64
> > ID=52846 DF PROTO=TCP SPT=24 DPT=36341 WINDOW=0 RES=0x00 ACK RST
> > URGP=0
> >
> > fwmark_reflect works perfectly fine with ICMP:
> >
> > Dec 23 15:11:21 salvia kernel: [15119.556780] input: IN=eth0 OUT=
> > MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP
> > TYPE=8 CODE=0 ID=5429 SEQ=2 MARK=0x1
> >
> > Dec 23 15:11:21 salvia kernel: [15119.556822] output: IN= OUT=eth0
> > SRC=192.168.2.195 DST=192.168.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64
> > ID=25617 PROTO=ICMP TYPE=0 CODE=0 ID=5429 SEQ=2 MARK=0x1
> >
> > Thanks.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
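As an added example that is not part of this thread, a small Python check over kernel LOG lines like the ones quoted above: it pairs each "output" entry with the "input" entry it answers (TCP by address/port swap, ICMP echo by id/seq) and reports whether the reply carries the request's mark, which is what fwmark_reflect is expected to produce. The sample lines are constructed from the thread's log entries with one consistent address pair; the LOG target only prints MARK= for a non-zero mark, so a missing field is read as 0x0.

```python
import re
# Constructed sample, modelled on the LOG lines quoted in the thread (consistent
# 192.168.12.x addresses, MAC= shortened). LOG prints MARK= only when non-zero.
SAMPLE_LOG = """\
Dec 23 15:07:37 salvia kernel: [14895.204591] input: IN=eth0 OUT= MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27691 DF PROTO=TCP SPT=36341 DPT=24 WINDOW=14600 RES=0x00 SYN URGP=0 MARK=0x1
Dec 23 15:07:37 salvia kernel: [14895.204643] output: IN= OUT=eth0 SRC=192.168.12.195 DST=192.168.12.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=52846 DF PROTO=TCP SPT=24 DPT=36341 WINDOW=0 RES=0x00 ACK RST URGP=0
Dec 23 15:11:21 salvia kernel: [15119.556780] input: IN=eth0 OUT= MAC=... SRC=192.168.12.1 DST=192.168.12.195 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5429 SEQ=2 MARK=0x1
Dec 23 15:11:21 salvia kernel: [15119.556822] output: IN= OUT=eth0 SRC=192.168.12.195 DST=192.168.12.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=25617 PROTO=ICMP TYPE=0 CODE=0 ID=5429 SEQ=2 MARK=0x1
"""

LOG_RE = re.compile(r"kernel: \[[\d.]+\] (?P<prefix>\w+): (?P<fields>.*)$")
TCP_FLAGS = ("SYN", "ACK", "RST", "FIN", "PSH", "URG")

def parse_line(line):
    # One LOG line -> dict; bare flags (DF, SYN, RST, ...) map to ''.
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    for tok in m.group("fields").split():
        key, _, val = tok.partition("=")
        rec[key] = val  # for ICMP the later ID= (echo id) overwrites the IP ID
    return rec

def flow_key(rec, reverse=False):
    # Flow identity; reverse=True gives the key the reply to this packet would carry.
    proto = rec.get("PROTO")
    if proto == "TCP":
        src, dst, extra = (rec["SRC"], rec["SPT"]), (rec["DST"], rec["DPT"]), ()
    elif proto == "ICMP":
        src, dst, extra = (rec["SRC"],), (rec["DST"],), (rec["ID"], rec["SEQ"])
    else:
        src, dst, extra = (rec.get("SRC"),), (rec.get("DST"),), ()
    return (proto, dst, src, extra) if reverse else (proto, src, dst, extra)

def check_reflection(log_text):
    # Pair each 'output' line with the 'input' line it answers and compare marks.
    inputs, results = {}, []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["prefix"] == "input":
            inputs[flow_key(rec)] = rec
            continue
        req = inputs.get(flow_key(rec, reverse=True))
        if req is None:
            continue  # unsolicited output packet, nothing to reflect
        expected, actual = req.get("MARK", "0x0"), rec.get("MARK", "0x0")
        results.append({"proto": rec["PROTO"], "expected": expected, "actual": actual,
                        "flags": [f for f in TCP_FLAGS if rec.get(f) == ""],
                        "reflected": expected == actual})
    return results
```

Run against the sample, the TCP ACK/RST reply comes back with expected 0x1 and actual 0x0 (not reflected) while the ICMP echo reply is reflected, matching the behaviour reported in the thread.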