Date:   Wed, 7 Dec 2016 17:27:07 +0000
From:   Kirila Adamova <kia@...n.ch>
To:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: nfct_query hangs after multiple requests

Hi

I am using nfct_query (libnetfilter_conntrack library) to get a connection from the conntrack table and then to update its connmark. This was working OK in a development environment, but when testing it in production with a lot of traffic, after around a minute the daemon hangs on nfct_query and does not process any more data.

Some background:
- I am sending packets via NFLOG to the daemon (and setting a connmark 0x2/0x2)
- the daemon polls the NFLOG group and handles the packets via nflog_handle_packet
- the callback registered with the nflog handle extracts the conntrack information from the packet header (L4 proto, src/dst ip, src/dst port)
- an nf_conntrack pointer is created with this information
- (calling another library which calls another callback)
- if certain conditions are met:
-- register nfct callback: nfct_callback_register(h, NFCT_T_ALL, my_nfct_callback, h)
-- nfct_query with NFCT_Q_GET to get the conntrack connection based on the ct data
-- (in the nfct callback) check the connmark of the connection and run nfct_query with NFCT_Q_UPDATE to update the connmark of that same connection

The nfct_handle is opened at the start of the daemon and closed via signal handling at termination.

After placing some debug prints in the code, I discovered that at some point nfct_query for NFCT_Q_GET is called, but it never enters the callback function.

Debugging with strace showed the following:
...
recvfrom(4,"$\0\0\0\2\0\0\0h\4IX\22(\0\0\0\0\0\0\304\0\0\0\0\1\5\0h\4IX"..., 8192, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36
sendto(4,"", 0, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0
recvfrom(4,
--- and it is hanging here.

I am writing to this mailing list, hoping that somebody would have an idea how to proceed with debugging and what the issue might be. Obviously, it's the number of connections. But there must be a way to handle them for longer than a minute. Once it hangs, it never resumes.

Please let me know if you need any further information or part of the code.

Versions used:
libnetfilter_conntrack - 1.0.4
libnetfilter_log - 1.0.1

Best regards
Kirila
