Open Source and information security mailing list archives
Message-ID: <33d60747-7550-1fba-a068-9b78aaedbc26@6wind.com>
Date:   Thu, 25 Apr 2019 12:07:54 +0200
From:   Nicolas Dichtel <nicolas.dichtel@...nd.com>
To:     Pablo Neira Ayuso <pablo@...filter.org>,
        netfilter-devel@...r.kernel.org,
        Kristian Evensen <kristian.evensen@...il.com>
Cc:     davem@...emloft.net, netdev@...r.kernel.org
Subject: Re: [PATCH 07/31] netfilter: ctnetlink: Support L3 protocol-filter on flush

On 09/10/2018 at 01:01, Pablo Neira Ayuso wrote:
> From: Kristian Evensen <kristian.evensen@...il.com>
> 
> The same connection mark can be set on flows belonging to different
> address families. This commit adds support for filtering on the L3
> protocol when flushing connection track entries. If no protocol is
> specified, then all L3 protocols match.
> 
> In order to avoid code duplication and a redundant check, the protocol
> comparison in ctnetlink_dump_table() has been removed. Instead, a filter
> is created if the GET-message triggering the dump contains an address
> family. ctnetlink_filter_match() is then used to compare the L3
> protocols.
> 
> Signed-off-by: Kristian Evensen <kristian.evensen@...il.com>
> Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>
> ---
[snip] 					continue;
> @@ -1213,12 +1219,12 @@ static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data)
>  
>  static int ctnetlink_flush_conntrack(struct net *net,
>  				     const struct nlattr * const cda[],
> -				     u32 portid, int report)
> +				     u32 portid, int report, u8 family)
>  {
>  	struct ctnetlink_filter *filter = NULL;
>  
> -	if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
> -		filter = ctnetlink_alloc_filter(cda);
> +	if (family || (cda[CTA_MARK] && cda[CTA_MARK_MASK])) {
Since this patch, there is a regression with 'conntrack -F': it no longer
flushes IPv6 conntrack entries.
In fact, the conntrack tool sets the family to AF_INET by default and forbids
setting it to anything else (the '-f' option is not allowed for the 'flush'
command).

Any idea for fixing this (without changing the conntrack tool) is welcome.


Regards,
Nicolas

> +		filter = ctnetlink_alloc_filter(cda, family);
>  		if (IS_ERR(filter))
>  			return PTR_ERR(filter);
>  	}
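Review bot: the new guard `if (family || (cda[CTA_MARK] && cda[CTA_MARK_MASK]))` turns any nonzero family into a filter, so a flush is only unfiltered when the request carries a zero (AF_UNSPEC) family. That is exactly the regression reported in this thread: the conntrack tool always sends AF_INET for a flush and cannot send anything else, so IPv6 entries are silently left in place. Suggest not deriving a filter from the family alone, e.g. keep the previous `if (cda[CTA_MARK] && cda[CTA_MARK_MASK])` guard and pass `family` into ctnetlink_alloc_filter() only within it, so that a bare flush from an existing client still clears every table while the mark-plus-family case gains the new behaviour.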
> @@ -1257,7 +1263,7 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
>  	else {
>  		return ctnetlink_flush_conntrack(net, cda,
>  						 NETLINK_CB(skb).portid,
> -						 nlmsg_report(nlh));
> +						 nlmsg_report(nlh), u3);
>  	}
>  
>  	if (err < 0)
> 
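Review bot: the commit message says "If no protocol is specified, then all L3 protocols match", but this hunk forwards `u3` unchanged as the new family argument, so "not specified" now means a zero family in the request header rather than the absence of an attribute, and that change in what an existing request means is not documented. Suggest stating in the commit message that only an AF_UNSPEC header family now flushes all families, and noting the compatibility impact on clients that always fill in AF_INET (the conntrack tool, per the report above).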
