From patchwork Fri Oct 21 09:00:35 2016
X-Patchwork-Submitter: Florian Westphal
X-Patchwork-Id: 684958
X-Patchwork-Delegate: pablo@netfilter.org
Date: Fri, 21 Oct 2016 11:00:35 +0200
From: Florian Westphal
To: XU Tianwen
Cc: yasuyuki.kozakai@toshiba.co.jp, pablo@netfilter.org, kaber@trash.net, kadlec@blackhole.kfki.hu, davem@davemloft.net, kuznet@ms2.inr.ac.ru, jmorris@namei.org, yoshfuji@linux-ipv6.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Netfilter: Fix an ICMPv6 bug which caused by a latter ICMPv6 NA packet to inherit the mark of previous NS packet.
Message-ID: <20161021090035.GA32634@breakpoint.cc>
References: <1477038230-17288-1-git-send-email-evan.xu.tianwen@gmail.com>
In-Reply-To: <1477038230-17288-1-git-send-email-evan.xu.tianwen@gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-Mailing-List: netfilter-devel@vger.kernel.org

XU Tianwen wrote:
> The root cause is that an ICMPv6 packet hits an untracked connection and inherits a mark from the previous packet to which it is not related. IMO it doesn't make sense to inherit a mark for nf_conntrack_untracked.
>
> Signed-off-by: XU Tianwen
> ---
>  net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
> index f5a61bc..1be9000 100644
> --- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
> +++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
> @@ -223,6 +223,9 @@ icmpv6_error(struct net *net, struct nf_conn *tmpl, > if (type >= 0 && type < sizeof(noct_valid_new) && > noct_valid_new[type]) { > skb->nfct = &nf_ct_untracked_get()->ct_general; > +#ifdef CONFIG_NF_CONNTRACK_MARK > + ((struct nf_conn *)skb->nfct)->mark = 0; > +#endif > skb->nfctinfo = IP_CT_NEW; > nf_conntrack_get(skb->nfct); > return NF_ACCEPT; > -- > 2.1.2

Where does that bogus mark come from in the first place?
Untracked mark should always be 0.

Maybe we need this instead?

diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c --- a/net/netfilter/xt_connmark.c +++ b/net/netfilter/xt_connmark.c @@ -44,7 +44,7 @@ connmark_tg(struct sk_buff *skb, const struct xt_action_param *par) u_int32_t newmark; ct = nf_ct_get(skb, &ctinfo); - if (ct == NULL) + if (ct == NULL || nf_ct_is_untracked(ct)) return XT_CONTINUE;
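Review bot: on the quoted nf_conntrack_proto_icmpv6.c hunk, zeroing the mark via `((struct nf_conn *)skb->nfct)->mark = 0;` in icmpv6_error() treats the symptom instead of the writer. The preceding line, `skb->nfct = &nf_ct_untracked_get()->ct_general;`, attaches the shared untracked conntrack object rather than a per-packet entry, so the only way it can hold a non-zero mark is that some earlier rule stored into ct->mark while that object was attached; this hunk clears it only for the ICMPv6 types listed in noct_valid_new, and every other path that attaches the untracked entry keeps seeing the stale value until the next such ICMPv6 packet happens to wipe it. The fix belongs in the code that writes a mark into an untracked entry, which is what the reply asks ("Untracked mark should always be 0"), and the changelog should name the rule that produced the stray mark rather than describe it as inherited. The `#ifdef CONFIG_NF_CONNTRACK_MARK` guard is needed since `mark` only exists under that option, but the store itself is an unlocked write to shared state from the packet path, the same pattern the patch is trying to stop.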
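Review bot: on the xt_connmark.c hunk, the added `nf_ct_is_untracked(ct)` test in connmark_tg() is at the right place, the writer: without it the target stores `newmark` into the mark of the shared untracked entry that every untracked packet carries, which is exactly how an unrelated later packet could observe it. Two points before it goes in: first, the early `return XT_CONTINUE` now skips every mode of connmark_tg() for untracked packets, not only the ones that write ct->mark, so if any mode copies ct->mark into skb->mark, a NOTRACK rule followed by CONNMARK in that mode now leaves the packet mark alone where it used to rewrite it, and the changelog should say so; second, the hunk has no commit message or Signed-off-by, and since it covers only this target, any other code path that stores into ct->mark needs the same guard or the untracked entry can still be dirtied from elsewhere.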