From patchwork Fri Jan 6 19:33:27 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Pau Espin Pedrol
X-Patchwork-Id: 712119
X-Patchwork-Delegate: pablo@netfilter.org
From: Pau Espin Pedrol
To: netfilter-devel@vger.kernel.org
Cc: pespin.shar@gmail.com, Pau Espin Pedrol, Lorenzo Colitti
Subject: [PATCH v2 1/2] netfilter: use fwmark_reflect in nf_send_reset
Date: Fri, 6 Jan 2017 20:33:27 +0100
Message-Id: <20170106193328.24272-1-pau.espin@tessares.net>
In-Reply-To: <1481882607-461-1-git-send-email-pau.espin@tessares.net>
References: <1481882607-461-1-git-send-email-pau.espin@tessares.net>
X-Mailing-List: netfilter-devel@vger.kernel.org

Otherwise, RST packets generated by ipt_REJECT always have mark 0 when
the routing is checked later in the same code path.

Fixes: e110861f8609 ("net: add a sysctl to reflect the fwmark on replies")
Cc: Lorenzo Colitti
Signed-off-by: Pau Espin Pedrol
---
 net/ipv4/netfilter/nf_reject_ipv4.c | 2 ++
 net/ipv6/netfilter/nf_reject_ipv6.c | 3 +++
 2 files changed, 5 insertions(+)
diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c index fd8220213afc..146d86105183 100644 --- a/net/ipv4/netfilter/nf_reject_ipv4.c +++ b/net/ipv4/netfilter/nf_reject_ipv4.c @@ -126,6 +126,8 @@ void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook) /* ip_route_me_harder expects skb->dst to be set */ skb_dst_set_noref(nskb, skb_dst(oldskb)); + nskb->mark = IP4_REPLY_MARK(net, oldskb->mark); + skb_reserve(nskb, LL_MAX_HEADER); niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP, ip4_dst_hoplimit(skb_dst(nskb))); diff --git a/net/ipv6/netfilter/nf_reject_ipv6.c b/net/ipv6/netfilter/nf_reject_ipv6.c index 10090400c72f..eedee5d108d9 100644 --- a/net/ipv6/netfilter/nf_reject_ipv6.c +++ b/net/ipv6/netfilter/nf_reject_ipv6.c @@ -157,6 +157,7 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook) fl6.fl6_sport = otcph->dest; fl6.fl6_dport = otcph->source; fl6.flowi6_oif = l3mdev_master_ifindex(skb_dst(oldskb)->dev); + fl6.flowi6_mark = IP6_REPLY_MARK(net, oldskb->mark); security_skb_classify_flow(oldskb, flowi6_to_flowi(&fl6)); dst = ip6_route_output(net, NULL, &fl6); if (dst->error) { @@ -180,6 +181,8 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook) skb_dst_set(nskb, dst); + nskb->mark = fl6.flowi6_mark; + skb_reserve(nskb, hh_len + dst->header_len); ip6h = nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_TCP, ip6_dst_hoplimit(dst));
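
Review bot: In the nf_send_reset() hunk of nf_reject_ipv4.c, the new `nskb->mark = IP4_REPLY_MARK(net, oldskb->mark);` has no comment, although its position is what makes it work. The line above it documents its own ordering constraint ("ip_route_me_harder expects skb->dst to be set"), and the commit message says the mark matters because routing is checked later in the same code path. Add a one-line comment stating that the mark must be set before that routing check, so a later cleanup does not move the assignment below it. It would also help if the commit message said how the resulting mark depends on the sysctl named in the Fixes: commit.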
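
Review bot: The commit message does not cover the IPv6 change made in the first nf_send_reset6() hunk, where `fl6.flowi6_mark = IP6_REPLY_MARK(net, oldskb->mark);` is added. It only names ipt_REJECT and a routing check that happens "later", while here the mark is placed in fl6 ahead of `security_skb_classify_flow()` and `ip6_route_output()` and so feeds the route lookup directly. Please extend the message to say that the IPv6 reject path is changed as well and that the mark now takes part in that lookup, since this changes which route a reset can be sent on.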
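
Review bot: In the second nf_send_reset6() hunk, `nskb->mark = fl6.flowi6_mark;` is set after `skb_dst_set(nskb, dst)`, by which point the route has already been chosen from fl6, so this assignment serves a different purpose from the IPv4 one and the patch does not say which. A short comment naming what reads nskb->mark from here on would make the intent reviewable. Reusing `fl6.flowi6_mark` rather than evaluating IP6_REPLY_MARK a second time is the right choice, because it keeps the mark on the skb identical to the one used for the lookup.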