| Message ID | 20100607145558.GA1939@jolsa.lab.eng.brq.redhat.com |
|---|---|
| State | Not Applicable, archived |
| Delegated to: | David Miller |
| Headers | show |
Jiri Olsa wrote: > On Fri, Jun 04, 2010 at 02:03:17PM +0200, Patrick McHardy wrote: > >> Jiri Olsa wrote: >> >>> hi, >>> >>> I'd like to be able to sendout a single IP packet with MF flag set. >>> >>> When using RAW sockets the packet will get stuck in the >>> netfilter (NF_INET_LOCAL_OUT nf_defrag_ipv4 reassembly unit) >>> and wont ever make it out.. >>> >>> I made a change which bypass the outgoing reassembly for >>> RAW sockets, but I'm not sure wether it's too invasive.. >>> >> That would break reassembly (and thus connection tracking) for cases >> where its really intended. >> >> >>> Is there any standard for RAW sockets behaviour? >>> Or another way around? :) >>> >> You could use the NOTRACK target to bypass connection tracking. >> > > ok, > > I tried the NOTRACK target, but the packet is still going > throught reassembly, because the RAW filter has lower priority > then the connection track defragmentation.. > Right. > I was able to get it bypassed by attached patch and following > command: > > iptables -v -t raw -A OUTPUT -p icmp -j NOTRACK > > again, not sure if this is too invasive ;) > Well, we can't change it in the mainline kernel. > If this is not the way, I'd appreciatte any hint.. my goal is > to put malformed packet on the wire (more frags bit set for a > non fragmented packet) I don't have any good suggestions besides adding a flag to the IPCB and skipping defragmentation based on that. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wednesday 2010-06-09 16:16, Patrick McHardy wrote: >>>> I'd like to be able to sendout a single IP packet with MF flag set. >>>> >>>> When using RAW sockets the packet will get stuck in the >>>> netfilter (NF_INET_LOCAL_OUT nf_defrag_ipv4 reassembly unit) >>>> and wont ever make it out.. >>>> >>>> I made a change which bypass the outgoing reassembly for >>>> RAW sockets, but I'm not sure wether it's too invasive.. >>>> >>> That would break reassembly (and thus connection tracking) for cases >>> where its really intended. >>> >>>> Is there any standard for RAW sockets behaviour? >>>> Or another way around? :) >>>> >>> You could use the NOTRACK target to bypass connection tracking. >> >> I tried the NOTRACK target, but the packet is still going >> throught reassembly, because the RAW filter has lower priority >> then the connection track defragmentation.. > >Right. Blech. That reminds me of http://marc.info/?l=netfilter-devel&m=126581823826735&w=2 -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Jan Engelhardt wrote: > On Wednesday 2010-06-09 16:16, Patrick McHardy wrote: >>>> You could use the NOTRACK target to bypass connection tracking. >>>> >>> I tried the NOTRACK target, but the packet is still going >>> throught reassembly, because the RAW filter has lower priority >>> then the connection track defragmentation.. >>> >> Right. >> > > Blech. That reminds me of > http://marc.info/?l=netfilter-devel&m=126581823826735&w=2 > We already fixed that. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wednesday 2010-06-09 17:16, Patrick McHardy wrote: >Jan Engelhardt wrote: >> On Wednesday 2010-06-09 16:16, Patrick McHardy wrote: >>>>> You could use the NOTRACK target to bypass connection tracking. >>>>> >>>> I tried the NOTRACK target, but the packet is still going >>>> throught reassembly, because the RAW filter has lower priority >>>> then the connection track defragmentation.. >>> >>> Right. >> >> Blech. That reminds me of >> http://marc.info/?l=netfilter-devel&m=126581823826735&w=2 > >We already fixed that. I know, and I posted it for the understanding of the OP as to why RAW is after DEFRAG. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, Jun 09, 2010 at 04:16:42PM +0200, Patrick McHardy wrote: > Jiri Olsa wrote: > > On Fri, Jun 04, 2010 at 02:03:17PM +0200, Patrick McHardy wrote: > > > >> Jiri Olsa wrote: > >> > >>> hi, > >>> > >>> I'd like to be able to sendout a single IP packet with MF flag set. > >>> > >>> When using RAW sockets the packet will get stuck in the > >>> netfilter (NF_INET_LOCAL_OUT nf_defrag_ipv4 reassembly unit) > >>> and wont ever make it out.. > >>> > >>> I made a change which bypass the outgoing reassembly for > >>> RAW sockets, but I'm not sure wether it's too invasive.. > >>> > >> That would break reassembly (and thus connection tracking) for cases > >> where its really intended. > >> > >> > >>> Is there any standard for RAW sockets behaviour? > >>> Or another way around? :) > >>> > >> You could use the NOTRACK target to bypass connection tracking. > >> > > > > ok, > > > > I tried the NOTRACK target, but the packet is still going > > throught reassembly, because the RAW filter has lower priority > > then the connection track defragmentation.. > > > > Right. > > I was able to get it bypassed by attached patch and following > > command: > > > > iptables -v -t raw -A OUTPUT -p icmp -j NOTRACK > > > > again, not sure if this is too invasive ;) > > > > Well, we can't change it in the mainline kernel. > > If this is not the way, I'd appreciatte any hint.. my goal is > > to put malformed packet on the wire (more frags bit set for a > > non fragmented packet) > > I don't have any good suggestions besides adding a flag to the IPCB > and skipping defragmentation based on that. ok, I can see a way when I set this via setsockopt to the socket, and check the value before the defragmentation.. would such a new setsock option be acceptable? I'm not sure I can see a way via IPCB, AFAICS it's for skb bound flags which arise during the skb processing. thanks, jirka -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Wed, Jun 09, 2010 at 05:20:37PM +0200, Jan Engelhardt wrote: > > On Wednesday 2010-06-09 17:16, Patrick McHardy wrote: > >Jan Engelhardt wrote: > >> On Wednesday 2010-06-09 16:16, Patrick McHardy wrote: > >>>>> You could use the NOTRACK target to bypass connection tracking. > >>>>> > >>>> I tried the NOTRACK target, but the packet is still going > >>>> throught reassembly, because the RAW filter has lower priority > >>>> then the connection track defragmentation.. > >>> > >>> Right. > >> > >> Blech. That reminds me of > >> http://marc.info/?l=netfilter-devel&m=126581823826735&w=2 > > > >We already fixed that. > > I know, and I posted it for the understanding of the OP > as to why RAW is after DEFRAG. thanks, it's helpful jirka -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Jiri Olsa wrote: > On Wed, Jun 09, 2010 at 04:16:42PM +0200, Patrick McHardy wrote: > >>> If this is not the way, I'd appreciatte any hint.. my goal is >>> to put malformed packet on the wire (more frags bit set for a >>> non fragmented packet) >>> >> I don't have any good suggestions besides adding a flag to the IPCB >> and skipping defragmentation based on that. >> > ok, > > I can see a way when I set this via setsockopt to the socket, > and check the value before the defragmentation.. would such a new > setsock option be acceptable? > > I'm not sure I can see a way via IPCB, AFAICS it's for skb bound flags > which arise during the skb processing. > Yes, a socket option is basically what I was suggesting, using the IPCB to mark the packet. But just marking the socket is fine of course. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/include/linux/netfilter_ipv4.h b/include/linux/netfilter_ipv4.h index 29c7727..d249b6a 100644 --- a/include/linux/netfilter_ipv4.h +++ b/include/linux/netfilter_ipv4.h @@ -53,8 +53,8 @@ enum nf_ip_hook_priorities { NF_IP_PRI_FIRST = INT_MIN, - NF_IP_PRI_CONNTRACK_DEFRAG = -400, - NF_IP_PRI_RAW = -300, + NF_IP_PRI_RAW = -400, + NF_IP_PRI_CONNTRACK_DEFRAG = -300, NF_IP_PRI_SELINUX_FIRST = -225, NF_IP_PRI_CONNTRACK = -200, NF_IP_PRI_MANGLE = -150, diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c index cb763ae..cb865d1 100644 --- a/net/ipv4/netfilter/nf_defrag_ipv4.c +++ b/net/ipv4/netfilter/nf_defrag_ipv4.c @@ -74,6 +74,9 @@ static unsigned int ipv4_conntrack_defrag(unsigned int hooknum, return NF_ACCEPT; #endif #endif + if (nf_ct_is_untracked(skb)) + return NF_ACCEPT; + /* Gather fragments. */ if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) { enum ip_defrag_users user = nf_ct_defrag_user(hooknum, skb);