Date:   Tue, 13 Jun 2017 22:58:24 +0900
From:   Lorenzo Colitti <lorenzo@...gle.com>
To:     Jamal Hadi Salim <jhs@...atatu.com>
Cc:     David Miller <davem@...emloft.net>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        mrv@...atatu.com, Jamal Hadi Salim <hadi@...atatu.com>
Subject: Re: [PATCH net-next 1/1] net: reflect mark on tcp syn ack packets

On Sat, Jun 10, 2017 at 10:31 PM, Jamal Hadi Salim <jhs@...atatu.com> wrote:
>         skb->priority = sk->sk_priority;
> -       skb->mark = sk->sk_mark;
> +       if (!skb->mark)
> +               skb->mark = sk->sk_mark;
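
Review bot: the `if (!skb->mark)` test uses zero as an "unset" sentinel, so any nonzero mark already on the skb now silently takes precedence over sk->sk_mark, and a caller cannot request a mark of zero when the socket has a nonzero one; nothing in the hunk documents that contract. Consider a comment above the check stating that a nonzero skb->mark is owned by the caller, or have each caller set skb->mark explicitly and keep the assignment here free of the conditional.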

It looks a bit iffy to take sk->sk_mark only if skb->mark is zero
instead of relying on the callers to tell this function what they
want. I think the patch is correct, but it might be better to fix the
other callers (dccp_make_response and dccp_ctl_make_reset) to set
skb->mark to what they want. Either way.

>         tcp_ecn_make_synack(req, th);
>         th->source = htons(ireq->ir_num);
>         th->dest = ireq->ir_rmt_port;
> +       if (sock_net(sk)->ipv4.sysctl_tcp_fwmark_accept)
> +               skb->mark = ireq->ir_mark;
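
Review bot: the `if (sock_net(sk)->ipv4.sysctl_tcp_fwmark_accept)` guard has no else branch, so with the sysctl off skb->mark keeps whatever value it had before this point and ireq->ir_mark is ignored even when it is nonzero. If ir_mark is already computed with the sysctl taken into account, the guard is redundant; assign `skb->mark = ireq->ir_mark;` unconditionally, or add a comment saying why a nonzero ir_mark should be dropped when the sysctl is off.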

I think checking the sysctl here is unnecessary. It seems to me that
ir_mark already takes that into account. Its semantics (see
inet_request_mark) are:

- If listen socket has a nonzero mark, use that
- Else if sysctl_tcp_fwmark_accept is set and inbound SYN packet has
mark, use that
- Else zero.

which is what you want.

Other than that,

Reviewed-By: Lorenzo Colitti <lorenzo@...gle.com>

Please disregard my earlier comment about fwmark_reflect - I didn't
notice that the code sets ir_mark based on tcp_fwmark_accept, and
doesn't look at fwmark_reflect at all.
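
The ir_mark rules listed in the message above, as a userspace C model added here for illustration (not kernel code and not part of the patch or the reply). It enumerates constructed inputs to show the only case where the sysctl guard in the second quoted hunk changes the result. All function names are hypothetical, and an initial skb->mark of 0 is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the three ir_mark rules as stated in the message (illustrative). */
static uint32_t model_request_mark(uint32_t listener_mark, bool fwmark_accept,
                                   uint32_t syn_mark)
{
    if (listener_mark)      /* listen socket has a nonzero mark: use it */
        return listener_mark;
    if (fwmark_accept)      /* sysctl set: use the inbound SYN's mark */
        return syn_mark;
    return 0;               /* otherwise zero */
}

/* Quoted hunk: copy ir_mark onto the SYN-ACK only when the sysctl is on. */
static uint32_t synack_mark_gated(uint32_t initial, uint32_t ir_mark, bool accept)
{
    return accept ? ir_mark : initial;
}

/* Review suggestion: copy ir_mark unconditionally. */
static uint32_t synack_mark_ungated(uint32_t ir_mark)
{
    return ir_mark;
}

/* Counts input combinations where the two variants disagree. *listener_only
 * stays true if every disagreement has sysctl off and a nonzero listener mark. */
static int count_differences(bool *listener_only)
{
    static const uint32_t marks[] = { 0, 0x10, 0x20 }; /* constructed samples */
    int diffs = 0;
    *listener_only = true;
    for (int l = 0; l < 3; l++)
        for (int s = 0; s < 3; s++)
            for (int a = 0; a < 2; a++) {
                uint32_t ir = model_request_mark(marks[l], a, marks[s]);
                /* assumption: skb->mark is 0 before the hunk runs */
                if (synack_mark_gated(0, ir, a) != synack_mark_ungated(ir)) {
                    diffs++;
                    if (a || marks[l] == 0)
                        *listener_only = false;
                }
            }
    return diffs;
}

int main(void)
{
    bool listener_only;
    int n = count_differences(&listener_only);
    printf("differing cases: %d, all listener-mark/sysctl-off: %d\n", n, listener_only);
    return 0;
}
```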
