| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20211021235819.GF7604@breakpoint.cc>
Date: Fri, 22 Oct 2021 01:58:19 +0200
From: Florian Westphal <fw@...len.de>
To: Eugene Crosser <crosser@...rage.org>
Cc: Florian Westphal <fw@...len.de>, netdev@...r.kernel.org,
netfilter-devel@...r.kernel.org, dsahern@...nel.org,
pablo@...filter.org, lschlesinger@...venets.com
Subject: Re: [PATCH net-next 2/2] vrf: run conntrack only in context of
lower/physdev for locally generated packets
Eugene Crosser <crosser@...rage.org> wrote:
> > +static void vrf_nf_set_untracked(struct sk_buff *skb)
> > +{
> > + if (skb_get_nfct(skb) == 0)
> > + nf_ct_set(skb, 0, IP_CT_UNTRACKED);
> > +}
> > +
> > +static void vrf_nf_reset_ct(struct sk_buff *skb)
> > +{
> > + if (skb_get_nfct(skb) == IP_CT_UNTRACKED)
> > + nf_reset_ct(skb);
> > +}
> > +
>
> Isn't it possible that skb was marked UNTRACKED before entering this path, by a
> rule?
I don't think so, it should be called before any ruleset evaluation has
taken place.
> In such case 'set_untrackd' will do nothing, but 'reset_ct' will clear
> UNTRACKED status that was set elswhere. It seems wrong, am I missing something?
No, thats the catch. I can't find a better option.
I can add a patch to disable all of the NF_HOOK() invocations from vrf
which removes the ability to filter on vrf interface names.
The option to add a caller_id to nf_hook_state struct (so conntrack/nat
can detect when they are called from the vrf hooks) either needs
copypastry of entire NF_HOOK* inline functions into vrf (so the 'is-vrf'
flag can be enabled) or yet another argument to NF_HOOK().
It also leaks even more 'is vrf' checks into conntrack.
Powered by blists - more mailing lists