Message ID | 1377866623-25948-2-git-send-email-valentina.giusti@bmw-carit.de |
---|---|
State | Not Applicable |
Headers | show |
On Fri, Aug 30, 2013 at 02:43:43PM +0200, valentina.giusti@bmw-carit.de wrote: > From: Valentina Giusti <valentina.giusti@bmw-carit.de> > > Since (41063e9 ipv4: Early TCP socket demux), we can apply the owner > extension on the INPUT chain and match established TCP sockets. > However, because of the same commit, we can have skb->sk pointing to a > timewait socket, in which case accessing skb->sk->sk_socket is invalid. This only works for established TCP sockets. Thus, this rule: -A INPUT -m owner --socket-exists -j ACCEPT -A OUTPUT -m owner --socket-exists -j ACCEPT are semantically different depending on the path. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Pablo, thanks for having a look at this patch. On 09/04/2013 02:34 PM, Pablo Neira Ayuso wrote: > On Fri, Aug 30, 2013 at 02:43:43PM +0200, valentina.giusti@bmw-carit.de wrote: >> From: Valentina Giusti <valentina.giusti@bmw-carit.de> >> >> Since (41063e9 ipv4: Early TCP socket demux), we can apply the owner >> extension on the INPUT chain and match established TCP sockets. >> However, because of the same commit, we can have skb->sk pointing to a >> timewait socket, in which case accessing skb->sk->sk_socket is invalid. > This only works for established TCP sockets. Thus, this rule: > > -A INPUT -m owner --socket-exists -j ACCEPT > -A OUTPUT -m owner --socket-exists -j ACCEPT > > are semantically different depending on the path. True, in fact my idea is to enable early demultiplexing also for other kinds of sockets - as mentioned in the cover letter to this patch: http://marc.info/?l=netfilter-devel&m=137786715327396&w=2. Sorry, I should probably have made it clear that also this patch was part of the [RFC], since of course I didn't mean to have it applied now. > -- > To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/netfilter/xt_owner.c b/net/netfilter/xt_owner.c index ca2e577..df03cac 100644 --- a/net/netfilter/xt_owner.c +++ b/net/netfilter/xt_owner.c @@ -16,6 +16,7 @@ #include <net/sock.h> #include <linux/netfilter/x_tables.h> #include <linux/netfilter/xt_owner.h> +#include <net/tcp_states.h> static int owner_check(const struct xt_mtchk_param *par) { @@ -34,7 +35,8 @@ owner_mt(const struct sk_buff *skb, struct xt_action_param *par) const struct xt_owner_match_info *info = par->matchinfo; const struct file *filp; - if (skb->sk == NULL || skb->sk->sk_socket == NULL) + if (skb->sk == NULL || skb->sk->sk_state == TCP_TIME_WAIT || + skb->sk->sk_socket == NULL) return (info->match ^ info->invert) == 0; else if (info->match & info->invert & XT_OWNER_SOCKET) /* @@ -76,7 +78,8 @@ static struct xt_match owner_mt_reg __read_mostly = { .checkentry = owner_check, .match = owner_mt, .matchsize = sizeof(struct xt_owner_match_info), - .hooks = (1 << NF_INET_LOCAL_OUT) | + .hooks = (1 << NF_INET_LOCAL_IN) | + (1 << NF_INET_LOCAL_OUT) | (1 << NF_INET_POST_ROUTING), .me = THIS_MODULE, };