| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 1 Dec 2022 11:53:43 -0500
From: Xin Long <lucien.xin@...il.com>
To: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>,
Jarno Rajahalme <jarno@....org>
Cc: network dev <netdev@...r.kernel.org>, dev@...nvswitch.org,
ovs-dev@...nvswitch.org, davem@...emloft.net, kuba@...nel.org,
Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>,
Pravin B Shelar <pshelar@....org>,
Jamal Hadi Salim <jhs@...atatu.com>,
Cong Wang <xiyou.wangcong@...il.com>,
Jiri Pirko <jiri@...nulli.us>,
Pablo Neira Ayuso <pablo@...filter.org>,
Florian Westphal <fw@...len.de>,
Davide Caratti <dcaratti@...hat.com>,
Oz Shlomo <ozsh@...dia.com>, Paul Blakey <paulb@...dia.com>,
Ilya Maximets <i.maximets@....org>,
Eelco Chaudron <echaudro@...hat.com>,
Aaron Conole <aconole@...hat.com>
Subject: Re: [PATCHv2 net-next 3/5] net: sched: return NF_ACCEPT when fails to
add nat ext in tcf_ct_act_nat
On Wed, Nov 23, 2022 at 9:24 AM Marcelo Ricardo Leitner
<marcelo.leitner@...il.com> wrote:
>
> On Tue, Nov 22, 2022 at 12:32:19PM -0500, Xin Long wrote:
> > This patch changes to return NF_ACCEPT when fails to add nat
> > ext before doing NAT in tcf_ct_act_nat(), to keep consistent
> > with OVS' processing in ovs_ct_nat().
> >
> > Reviewed-by: Saeed Mahameed <saeed@...nel.org>
> > Signed-off-by: Xin Long <lucien.xin@...il.com>
> > ---
> > net/sched/act_ct.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
> > index da0b7f665277..8869b3ef6642 100644
> > --- a/net/sched/act_ct.c
> > +++ b/net/sched/act_ct.c
> > @@ -994,7 +994,7 @@ static int tcf_ct_act_nat(struct sk_buff *skb,
> >
> > /* Add NAT extension if not confirmed yet. */
> > if (!nf_ct_is_confirmed(ct) && !nf_ct_nat_ext_add(ct))
> > - return NF_DROP; /* Can't NAT. */
> > + return NF_ACCEPT; /* Can't NAT. */
>
> I'm wondering if the fix should actually be in OVS, to make it drop
> the packet? Aaron, Eelco?
>
> If the user asked for NAT, and it can't NAT, it doesn't seem right to
> forward the packet while not performing the asked action.
>
> If we follow the code here, it may even commit the entry without the
> NAT extension, rendering the connection useless/broken per the first
> if condition above. It just won't try again.
nf_ct_nat_ext_add() returning NULL is caused by krealloc() failure
like an -ENOMEM error, and a similar thing could happen in
nfct_seqadj_ext_add() called by ovs_ct_nat() -> nf_nat_setup_info()
when doing NAT where it returns DROP. So I think it's right that
we should fix this in openvswitch instead of TC.
Anyway, in ovs_ct_nat():
if (!nf_ct_is_confirmed(ct) && !nf_ct_nat_ext_add(ct))
return NF_ACCEPT; /* Can't NAT. */
git blame shows this was added at the beginning by:
05752523e565 ("openvswitch: Interface with NAT.")
So add Jarno Rajahalme to Cc: list.
Thanks.
>
> >
> > if (ctinfo != IP_CT_NEW && (ct->status & IPS_NAT_MASK) &&
> > (ctinfo != IP_CT_RELATED || commit)) {
> > --
> > 2.31.1
> >
Powered by blists - more mailing lists