Message ID | 5269121A.3040104@ee.oulu.fi |
---|---|
State | Not Applicable |
Headers | show |
Pekka Pietikäinen <pp@ee.oulu.fi> wrote: > On 24/10/13 15:05, Eric Dumazet wrote: > >sk_state 7 means TCP_CLOSE > > > >I do not see how a TCP_CLOSE socket can be matched... > > > Yep, TCP_CLOSE can't be right, sk_state isn't correct with early > demux perhaps? What is weird is that early_demux should NOT influence xt_socket because from the rules you posted you are using this in PREROUTING, which is before tcp early demux magic. Do you have any other netfilter rules (-j TPROXY perhaps?) that could explain why the skb has a socket attached in the first place by the time it ends up in the netfilter socket match? [ ip_rcv() orphans the skb before netfilter prerouting, so skb->sk should be NULL ] -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Pekka Pietikäinen <pp@ee.oulu.fi> wrote: > On 24/10/13 16:29, Florian Westphal wrote: [ restored nf-devel cc ] > >I don't understand. The packet seen by xt_socket is arriving from > >a remote machine, right? > Virtual machine that's on virbr0 yep, and packet that used to match > should be a synack to a connection initiated from the host. Ah. Now the picture is clear. Underlying tun device in bridge, which uses a socket internally (this is why skb->sk->sk_state is TCP_CLOSE). > bridge-nf-call-iptables = 0 and your patch + bridge-nf-call-iptable > = 1 both made my test work with unmodified xt_socket (and adding > debug prints shows sk_state is now sane) > > Oh. Adding some more debug prints it's the > "inet_sk(sk)->inet_rcv_saddr == 0" part that triggered. > > Before 3.11 sk=nf_tproxy_get_sock_v4() was always done, so I suppose > it was always working on sane data. Yep. When called from bridge netfilter the skb is not orphaned properly, so the tun sk is still around by the time xt_socket is consulted. Thanks for reporting! -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
--- /usr/src/debug/kernel-3.11.fc19/linux-3.11.6-200.fc19.x86_64/net/netfilter/xt_socket.c 2013-09-02 23:46:10.000000000 +0300 +++ xt_socket.c 2013-10-24 15:07:59.592607433 +0300 @@ -115,6 +115,8 @@ struct nf_conn const *ct; enum ip_conntrack_info ctinfo; #endif + if (sk && sk->sk_state == TCP_CLOSE) + sk = NULL; if (iph->protocol == IPPROTO_UDP || iph->protocol == IPPROTO_TCP) { hp = skb_header_pointer(skb, ip_hdrlen(skb),