| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 13 Nov 2014 15:33:59 +0100 From: Jörg Marx <joerg.marx@...unet.com> To: Pablo Neira Ayuso <pablo@...filter.org> CC: Jesper Dangaard Brouer <brouer@...hat.com>, <programme110@...il.com>, <netfilter-devel@...r.kernel.org>, Florian Westphal <fw@...len.de>, <netdev@...r.kernel.org>, Patrick McHardy <kaber@...sh.net> Subject: Re: [PATCH nf] netfilter: conntrack: fix race in __nf_conntrack_confirm against get_next_corpse On 13.11.2014 13:08, Pablo Neira Ayuso wrote: >> For me there is little difference in choosing DROP or ACCEPT as verdict. >> > The packet/skb belongs to a formerly allowed connection, most likely >> > this connection is still allowed (but the conntrack hash entry is about >> > to be removed due to userspace is flushing the conntrack table). > __nf_conntrack_confirm() is only called for the first packet that we > see in a flow. If you just invoked the flush command once (which > should be the common case), then this is likely to be the first packet > of the flow (unless you already called flush anytime soon in the > past). Yes, you are right. As far as I remember it was very hard to trigger that critical moment, when the first packet triggered the insertion into the hash table. But the test and production systems showed this strange behaviour, that no traffic was allowed to flow for exactly 600 seconds. > >> > To minimize the impact (lost packets -> retransmit) I decided to allow >> > the skb in flight, so were is no lost packet at this place. > I understand your original motivation was to be conservative. Yes. > >> > When the connection is not allowed anymore (but was allowed up to now, >> > because the hash entry exists), the impact is one last packet 'slipping >> > through'. Feel free to change the verdict, IMHO it doesn't matter at all as long as the hash table is in a consistent state. The higher protocol layers will deal with the missing packet. > The general policy in conntrack is to not drop packets, but in this > case we'll leave things in inconsistent state (ie. we will likely > receive a reply packet in response to the original packet that has no > conntrack yet). Under heavy load this can happen anyway I guess? Thanks and best regards Jörg -- Dipl.-Inform. Jörg Marx Bereichsleiter Entwicklung Client- & Netzwerksicherheit Geschäftsbereich Public Sector secunet Security Networks AG Ammonstr. 74 D-01067 Dresden, Germany Telefon +49 201 54 54-3517 Telefax +49 201 54 54-1323 joerg.marx@...unet.com www.secunet.com secunet Security Networks AG Kronprinzenstr. 30 45128 Essen, Germany Amtsgericht Essen HRB 13615 Vorstand: Dr. Rainer Baumgart (Vors.), Thomas Pleines Aufsichtsratsvorsitzender: Dr. Peter Zattler -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists