| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <201112081429.18441.hans.schillstrom@ericsson.com> Date: Thu, 8 Dec 2011 14:29:17 +0100 From: Hans Schillstrom <hans.schillstrom@...csson.com> To: Patrick McHardy <kaber@...sh.net> CC: Hans Schillstrom <hans@...illstrom.com>, "pablo@...filter.org" <pablo@...filter.org>, "jengelh@...ozas.de" <jengelh@...ozas.de>, "netfilter-devel@...r.kernel.org" <netfilter-devel@...r.kernel.org>, "netdev@...r.kernel.org" <netdev@...r.kernel.org> Subject: Re: IPv6 defrag question ? On Thursday 08 December 2011 12:10:49 Patrick McHardy wrote: > On 12/08/2011 10:12 AM, Hans Schillstrom wrote: > > Hi > > While testing HMARK and IPv6 with nf_defrag_ipv6 (and nf_conntrack_ipv6 loaded) I can't see the defrag ? > > > > From what I can see nf_conntrack_reasm goes into PREROUTING with prio -400 > > and HMARK in PREROUTING with prio -150 > > > > I was expecting that the reasaembled packet whould reach HMARK not the fragments. > > > > (Debug print from hmark) > > HMARK() mark:489, hash:4d04eaa1, frag:1, nhoffs:30 plen:1408 (2008::10 - 1000::1) > > HMARK() mark:489, hash:4d04eaa1, frag:1, nhoffs:0 plen:86 (2008::10 - 1000::1) > > > > IPv4 do reassm. the packets not IPv6... > > Yeah, IPv6 currently only passes the defragmented packet through conntrack, > then associates the conntrack information with the individual fragments and > passes those on. I'll post patches for IPv6 NAT which will change this > to behave similar to IPv4 soon. > OK great, current beaiviour was kind of unexpected. BTW this piece of code looks like it's broken or I might have missunderstod this :-) at least /* queued */ causes some confusion . static unsigned int ipv6_defrag(unsigned int hooknum, ... reasm = nf_ct_frag6_gather(skb, nf_ct6_defrag_user(hooknum, skb)); /* queued */ if (reasm == NULL) return NF_STOLEN; NF_STOLEN will only be returned when nf_ct_frag6_reasm() returns an error. (called by ct_frag6_gather) -- Regards Hans Schillstrom <hans.schillstrom@...csson.com> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists