lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 15 Nov 2010 10:47:46 -0500 From: Eric Paris <eparis@...hat.com> To: Patrick McHardy <kaber@...sh.net> Cc: Hua Zhong <hzhong@...il.com>, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, davem@...emloft.net, kuznet@....inr.ac.ru, pekkas@...core.fi, jmorris@...ei.org, yoshfuji@...ux-ipv6.org Subject: Re: [RFC PATCH] network: return errors if we know tcp_connect failed On Mon, 2010-11-15 at 11:32 +0100, Patrick McHardy wrote: > On 13.11.2010 00:14, Hua Zhong wrote: > >> On 11.11.2010 22:58, Hua Zhong wrote: > >>>> Yes, I realize this is little different than if the > >>>> SYN was dropped in the first network device, but it is different > >>>> because we know what happened! We know that connect() call failed > >>>> and that there isn't anything coming back. > >>> > >>> I would argue that -j DROP should behave exactly as the packet is > >> dropped in the network, while -j REJECT should signal the failure to > >> the application as soon as possible (which it doesn't seem to do). > >> > >> It sends an ICMP error or TCP reset. Interpretation is up to TCP. > > > > Huh? It's the OUTPUT chain we are talking about. There is no ICMP error or > > TCP reset. > > Of course there is. > > ICMP (default): > > iptables -A OUTPUT -p tcp -j REJECT > > TCP reset: > > iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset > > The second one will cause a hard error for the connection. Well I'm (I guess?) surprised that the --reject-with icmp doesn't do anything with a local outgoing connection but --reject-with tcp-reset does something like what I'm looking for. I notice the heavy lifting for this is done in net/ipv4/netfilter/ipt_REJECT.c::send_rest() (and something very similar for IPv6) I really don't want to duplicate that code into SELinux (for obvious reasons) and I'm wondering if anyone has objections to me making it available outside of netlink and/or suggestions on how to make that code available outside of netfilter (aka what header to expose it, and does it still make logical sense in ipt_REJECT.c or somewhere else?) -Eric -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists