From: Michal Kubecek <mkubecek@suse.cz>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: userspace conntrack helper and confirming the master conntrack
Date: Thu, 18 Jul 2019 12:18:06 +0200
Message-ID: <20190718101806.GF24551@unicorn.suse.cz>
In-Reply-To: <20190718092128.zbw4qappq6jsb4ja@breakpoint.cc>

On Thu, Jul 18, 2019 at 11:21:28AM +0200, Florian Westphal wrote:
> > I added some more tracing and this is what seems to happen:
> > 
> >   - ipv4_confirm() is called for the conntrack from ip_output() via hook
> >   - nf_confirm() calls attached helper and calls its help() function
> >     which is nfnl_userspace_cthelper(), that returns 0x78003
> >   - nf_confirm() returns that without calling nf_confirm_conntrack()
> >   - verdict 0x78003 is returned to nf_hook_slow() which therefore calls
> >     nf_queue() to pass this to userspace helper on queue 7
> >   - nf_queue() returns 0 which is also returned by nf_hook_slow()
> >   - the packet reappears in nf_reinject() where it passes through
> >     nf_reroute() and nf_iterate() to the main switch statement
> >   - it takes NF_ACCEPT branch to call okfn which is ip_finish_output()
> >   - unless I missed something, there is nothing that could confirm the
> >     conntrack after that
> 
> I broke this with
> commit 827318feb69cb07ed58bb9b9dd6c2eaa81a116ad
> ("netfilter: conntrack: remove helper hook again").
> 
> Seems we have to revert, I see no other solution at this time.

Thanks for the quick reply. I can confirm that with commit 827318feb69c
reverted, the helper works as expected.

Michal 
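
The verdict 0x78003 from the trace quoted above, decoded with the constants from include/uapi/linux/netfilter.h, followed by a simplified user-space model of the traced path. This is an added example, not code from the thread or from the kernel; model_ct, model_confirm and confirmed_at_okfn are hypothetical names, and the model assumes the userspace helper answers the queued packet with NF_ACCEPT.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Values as defined in include/uapi/linux/netfilter.h */
#define NF_ACCEPT 1u
#define NF_QUEUE 3u
#define NF_VERDICT_MASK 0x000000ffu
#define NF_VERDICT_FLAG_QUEUE_BYPASS 0x00008000u
#define NF_VERDICT_QMASK 0xffff0000u
#define NF_VERDICT_QBITS 16

struct verdict { unsigned action; unsigned queue; bool bypass; };
struct model_ct { bool confirmed; };  /* hypothetical stand-in for a conntrack entry */

/* Split a 32-bit hook verdict into action, queue number and bypass flag. */
static struct verdict decode_verdict(uint32_t v)
{
    struct verdict d = { v & NF_VERDICT_MASK,
                         (v & NF_VERDICT_QMASK) >> NF_VERDICT_QBITS,
                         (v & NF_VERDICT_FLAG_QUEUE_BYPASS) != 0 };
    return d;
}

/* Model of the confirm hook as traced: a non-ACCEPT helper verdict is
 * handed back before the confirm step runs. */
static uint32_t model_confirm(struct model_ct *ct, uint32_t helper_verdict)
{
    if (helper_verdict != NF_ACCEPT)
        return helper_verdict;
    ct->confirmed = true;
    return NF_ACCEPT;
}

/* Model of the whole path: is the entry confirmed when okfn runs? */
static bool confirmed_at_okfn(uint32_t helper_verdict)
{
    struct model_ct ct = { false };
    uint32_t v = model_confirm(&ct, helper_verdict);
    if ((v & NF_VERDICT_MASK) == NF_QUEUE)
        v = NF_ACCEPT;  /* assumption: userspace accepts, reinject goes on to okfn */
    return v == NF_ACCEPT && ct.confirmed;
}

int main(void)
{
    struct verdict d = decode_verdict(0x78003);
    printf("action=%u queue=%u bypass=%d confirmed=%d\n", d.action, d.queue, d.bypass, confirmed_at_okfn(0x78003));
    return 0;
}
```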
