lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4B7D215A.6060400@trash.net>
Date:	Thu, 18 Feb 2010 12:15:38 +0100
From:	Patrick McHardy <kaber@...sh.net>
To:	Pablo Neira Ayuso <pablo@...filter.org>
CC:	Ramblewski David <David.Ramblewski@...sorigin.com>,
	Eric Dumazet <eric.dumazet@...il.com>,
	"netfilter-devel@...r.kernel.org" <netfilter-devel@...r.kernel.org>,
	netdev <netdev@...r.kernel.org>
Subject: Re: kernel stack  trace using conntrack

Pablo Neira Ayuso wrote:
> Patrick McHardy wrote:
>> Ramblewski David wrote:
>>> Hi Eric,
>>>
>>> The conntrack patch works successfully.
>>>
>>>>> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
>>>>> index 0ffe689..d2657aa 100644
>>>>> --- a/net/netfilter/nf_conntrack_netlink.c
>>>>> +++ b/net/netfilter/nf_conntrack_netlink.c
>>>>> @@ -923,7 +923,7 @@ ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
>>>>>     unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
>>>>>     d = ct->status ^ status;
>>>>>
>>>>> -   if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
>>>>> +   if (d & (IPS_EXPECTED|IPS_DYING))
>>>>>             /* unchangeable */
>>>>>             return -EBUSY;
>>>> I think that we should explicitly report if the user unsets
>>>> IPS_CONFIRMED. Please, don't change this.
>>>>
>>>> Apart from that, the patch seems fine to me. Thanks!
>>> Problem is we now (I mean after my patch) enter
>>> ctnetlink_change_status() with ct->status being null (or at least,
>>> IPS_CONFIRMED not set)
>> Pablo, please let me know whether you want me to apply this.
> 
> ctnetlink_change_helper() also calls nf_ct_ext_add() for conntracks that
> are confirmed (in case of a helper update for an existing conntrack).
> That would also trigger the assertion. If we want to support helper
> assignation via ctnetlink for existing conntracks, we will need to add
> locking to the conntrack extension infrastructure to avoid races.
> 
> I don't see a clear solution for this yet.

I see, this is indeed a problem. Since the helper is known at the
first event, we could restrict this to only allow manual assignment
for newly created conntracks. Most helpers probably can't properly
cope with connections not seen from the beginning anyways.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ