lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <48C11918.8020508@trash.net>
Date:	Fri, 05 Sep 2008 13:33:44 +0200
From:	Patrick McHardy <kaber@...sh.net>
To:	Alexey Dobriyan <adobriyan@...il.com>
CC:	netfilter-devel@...r.kernel.org, netdev@...r.kernel.org,
	containers@...ts.linux-foundation.org
Subject: Re: [PATCH 20/38] netns ct: NOTRACK in netns

Alexey Dobriyan wrote:
> On Thu, Sep 04, 2008 at 06:54:16PM +0200, Patrick McHardy wrote:
>> adobriyan@...il.com wrote:
>>> Make untracked conntrack per-netns. Compare conntracks with relevant
>>> untracked one.
>>>
>>> The following code you'll start laughing at this code:
>>>
>>> 	if (ct == ct->ct_net->ct.untracked)
>>> 		...
>>>
>>> let me remind you that ->ct_net is set in only one place, and never
>>> overwritten later.
>>>
>>> All of this requires some surgery with headers, otherwise horrible circular
>>> dependencies. And we lost nf_ct_is_untracked() as function, it became macro.
>> I think you could avoid this mess by using a struct nf_conntrack
>> for the untracked conntrack instead of struct nf_conn. It shouldn't
>> make any difference since its ignored anyways.
> 
> Ewww, can I?

I hope so :) A different possiblity suggest by Pablo some time ago
would be to mark untracked packets in skb->nfctinfo and not
attach a conntrack at all.

> Regardless of netns, switching to
> 
> 	struct nf_conntrack nf_conntrack_untracked;
> 
> means we must be absolutely sure that every place which uses, say,
> ct->status won't get untracked conntrack.
> 
> For example, does setting IPS_NAT_DONE_MASK and IPS_CONFIRMED_BIT on
> untracked conntracked really necessary?

I don't think so, untracked conntracks are skipped early in the NAT
table.

> In conntrack_mt_v0() "ct->status" can be used even for untracked connection,
> is this right?

It looks that way, but its not right. I think it should return false
for every match except on (untracked) state.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ