[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20141113120826.GA8224@salvia>
Date: Thu, 13 Nov 2014 13:08:26 +0100
From: Pablo Neira Ayuso <pablo@...filter.org>
To: Jörg Marx <joerg.marx@...unet.com>
Cc: Jesper Dangaard Brouer <brouer@...hat.com>, programme110@...il.com,
netfilter-devel@...r.kernel.org, Florian Westphal <fw@...len.de>,
netdev@...r.kernel.org, Patrick McHardy <kaber@...sh.net>
Subject: Re: [PATCH nf] netfilter: conntrack: fix race in
__nf_conntrack_confirm against get_next_corpse
On Wed, Nov 12, 2014 at 11:57:31AM +0100, Jörg Marx wrote:
> On 12.11.2014 08:35, Jesper Dangaard Brouer wrote:
>
> Hi,
>
> I wrote the patch in 2010, so find some arguments below:
>
> >>> > > + nf_ct_del_from_dying_or_unconfirmed_list(ct);
> >>> > >
> >>> > > if (unlikely(nf_ct_is_dying(ct))) {
> >>> > > + nf_ct_add_to_dying_list(ct);
> >>> > > nf_conntrack_double_unlock(hash, reply_hash);
> >>> > > local_bh_enable();
> >>> > > return NF_ACCEPT;
> >> >
> >> > Not directly related to your patch, but I don't find a good reason why
> >> > we're accepting this packet.
> >> >
> >> > If the conntrack from the unconfirmed list is dying, then the object
> >> > will be released by when the packet leaves the stack to its
> >> > destination. With stateful filtering depending in place, the follow up
> >> > packet in the reply direction will likely be considered invalid (if
> >> > tcp tracking is on). Fortunately for us, the origin will likely
> >> > retransmit the syn again, so the ct will be setup accordingly.
> >> >
> >> > So, why should we allow this to go through?
> > True, it also seems strange to me that we accept this packet.
>
> The raise was triggered in a scenario when we tested high-load IPsec
> tunnels and flushed the conntrack hashs from userspace.
>
> For me there is little difference in choosing DROP or ACCEPT as verdict.
> The packet/skb belongs to a formerly allowed connection, most likely
> this connection is still allowed (but the conntrack hash entry is about
> to be removed due to userspace is flushing the conntrack table).
__nf_conntrack_confirm() is only called for the first packet that we
see in a flow. If you just invoked the flush command once (which
should be the common case), then this is likely to be the first packet
of the flow (unless you already called flush anytime soon in the
past).
> To minimize the impact (lost packets -> retransmit) I decided to allow
> the skb in flight, so were is no lost packet at this place.
I understand your original motivation was to be conservative.
> When the connection is not allowed anymore (but was allowed up to now,
> because the hash entry exists), the impact is one last packet 'slipping
> through'.
The general policy in conntrack is to not drop packets, but in this
case we'll leave things in inconsistent state (ie. we will likely
receive a reply packet in response to the original packet that has no
conntrack yet).
Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists