lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20090325173742.3C509E601C@farside.isc.org>
Date:	Wed, 25 Mar 2009 17:37:42 +0000
From:	Francis Dupont <Francis_Dupont@....org>
To:	Patrick McHardy <kaber@...sh.net>
cc:	David Miller <davem@...emloft.net>, Francis.Dupont@...pont.fr,
	linux-kernel@...r.kernel.org, coreteam@...filter.org,
	netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: netfilter spurious ELOOP 

> Just to clarify: does the problem happens when you have the MARK rule
> above in a user-defined chain that has more then one jump leading to
> it or does it also happen in other cases?

=> I triggered the bug with a real world example:
 - first add a rule with a MARK target using a set mark with the first/sign
  bit set to one. This target is coded with this mark put at the same
  place than the verdict field of standard targets. (note this should
  be triggered by a lot of targets but I got it with MARK)
 - try to add another rule (with -A or -I but this works too with restore,
  the idea is to get a replace ioctl with an illegal value in a verdict
  position).
 - if you are (un?)lucky you get the ELOOP error.

If you read my proposed fix the problem is pretty easy to understand.
I asked diff to give enough context for human (i.e., more than needed
to apply it as a patch).

Thanks

Francis_Dupont@....org

PS: I really need a bug-ticket-etc number because some business is implied
(BTW IMHO you prefer to get the report once and by the most direct path,
don't you?)
PPS: here I've cut & paste the config I used to track the bug:

-------------------------------- save file --------------------------------
# Generated by iptables-save v1.4.2 on Tue Mar 24 18:54:43 2009
*filter
:INPUT ACCEPT [11843:1222672]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [7216:1221713]
COMMIT
# Completed on Tue Mar 24 18:54:43 2009
# Generated by iptables-save v1.4.2 on Tue Mar 24 18:54:43 2009
*mangle
:PREROUTING ACCEPT [1209557:93278988]
:INPUT ACCEPT [1209182:93208843]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [668677:2806960697]
:POSTROUTING ACCEPT [668677:2806960697]
:MARKOUT1 - [0:0]
-A PREROUTING -d 10.0.200.2/32 -p tcp -m tcp --dport 5001 -j MARKOUT1 
-A MARKOUT1 -j MARK --set-xmark 0x80000001/0xffffffff 
-A MARKOUT1 -j CONNMARK --save-mark --nfmask 0x3fffffff --ctmask 0x3fffffff 
-A MARKOUT1 -j ACCEPT 
COMMIT
# Completed on Tue Mar 24 18:54:43 2009
-------------------------------- cut here  --------------------------------

I got the bug with the UDP counterpart:

iptables -t mangle -A PREROUTING -d 10.0.200.2/32 -p udp --dport 5001 \
-j MARKOUT1
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ