linux-kernel.vger.kernel.org archive mirror
From: Eric Paris <eparis@redhat.com>
To: Hua Zhong <hzhong@gmail.com>
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	davem@davemloft.net, kuznet@ms2.inr.ac.ru, pekkas@netcore.fi,
	jmorris@namei.org, yoshfuji@linux-ipv6.org, kaber@trash.net,
	eric.dumazet@gmail.com, paul.moore@hp.com
Subject: RE: [RFC PATCH] network: return errors if we know tcp_connect failed
Date: Fri, 12 Nov 2010 11:08:28 -0500
Message-ID: <1289578108.3083.95.camel@localhost.localdomain>
In-Reply-To: <00c201cb81eb$84e18160$8ea48420$@com>

On Thu, 2010-11-11 at 13:58 -0800, Hua Zhong wrote:
> > Yes, I realize this is little different than if the
> > SYN was dropped in the first network device, but it is different
> > because we know what happened!  We know that connect() call failed
> > and that there isn't anything coming back.
> 
> I would argue that -j DROP should behave exactly as the packet is dropped in the network, while -j REJECT should signal the failure to the application as soon as possible (which it doesn't seem to do).
> 
> It does not only make sense, but also is a highly useful testing technique that we use -j DROP in OUTPUT to emulate network losses and see how the application behaves.

I guess I can be a bit more descriptive of my specific situation,
although I'm not sure it matters.  I don't actually plan to drop packets
with -j REJECT or -j DROP, that's just a simple example everyone can see
on their own machine.  I plan to have the packets drop in the selinux
netfilter hook.  The SELinux hook uses NF_DROP/NF_ACCEPT just like any
other netfilter hook.  Maybe the answer is that I need to duplicate the
-j REJECT type operations in the SELinux hook.  -j REJECT doesn't do
what I want today, but if that's the right way forward tell me and I'll
look down that path.

But the path I first started looking down results in 2 distinct questions:

1) What should netfilter pass back up the stack.  From my looking at
this I see that nf_hook_slow() will convert NF_DROP into -EPERM and pass
that back up the stack.  Is this wrong?  Should it more intelligently
pass errors back up the stack?  Maybe it needs an NF_REJECT as well as
NF_DROP?  NF_DROP returns 0 maybe and NF_REJECT returns EPERM?

2) What should the generic TCP code (tcp_connect()) do if the skb failed
to send.  Should it return error codes back up the stack somehow or
should they continue to be ignored?  Obviously continuing to just ignore
information we have doesn't make me happy (otherwise I wouldn't have
started scratching this itch).  But the point about ENOBUFS is well
taken.  Maybe I should make tcp_connect(), or the caller to
tcp_connect() more intelligent about specific error codes?

I'm looking for a path forward.  If SELinux is rejecting the SYN packets
on connect() I want to pass that info to userspace rather than just
hanging.  What's the best way to accomplish that?

-Eric
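The failure mode under discussion is visible from userspace: a SYN that is silently dropped leaves connect() hanging until the kernel's own retransmit timeout, a SYN answered with a RST (the -j REJECT case) fails with ECONNREFUSED, and a synchronous veto from the stack, if it were propagated as the -EPERM that nf_hook_slow() produces, would fail immediately. The program below is an added example, not code from Eric Paris or from the kernel: a bounded, non-blocking connect() that classifies which of those three things happened. The names bounded_connect, classify_errno, unused_loopback_port and enum connect_result are hypothetical; the 3-second deadline and the loopback default are constructed for the demonstration. Run against a port covered by a -j DROP or -j REJECT rule in OUTPUT to see "timeout" versus "refused" on your own machine.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* How a bounded connect() attempt ended (hypothetical names, not kernel ones). */
enum connect_result {
    CONNECT_OK = 0,
    CONNECT_REFUSED,   /* ECONNREFUSED: a RST came back, e.g. from -j REJECT */
    CONNECT_FILTERED,  /* EPERM/EACCES: the local stack vetoed the packet outright */
    CONNECT_TIMEOUT,   /* nothing came back within our deadline, e.g. -j DROP */
    CONNECT_OTHER
};

/* Map the errno observed on the socket to the outcome classes above. */
enum connect_result classify_errno(int err)
{
    switch (err) {
    case 0:            return CONNECT_OK;
    case ECONNREFUSED: return CONNECT_REFUSED;
    case EPERM:
    case EACCES:       return CONNECT_FILTERED;
    case ETIMEDOUT:    return CONNECT_TIMEOUT;
    default:           return CONNECT_OTHER;
    }
}

/* Non-blocking connect() to ip:port bounded by timeout_ms; *err receives the errno.
 * A synchronous failure from connect() itself and a deferred one reported through
 * SO_ERROR are both funnelled through classify_errno(). */
enum connect_result bounded_connect(const char *ip, uint16_t port, int timeout_ms, int *err)
{
    struct sockaddr_in sa;
    struct pollfd pfd;
    int fd, rc, soerr = 0;
    socklen_t len = sizeof soerr;

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) { *err = EINVAL; return CONNECT_OTHER; }
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0 || fcntl(fd, F_SETFL, O_NONBLOCK) < 0) {
        *err = errno;
        if (fd >= 0) close(fd);
        return CONNECT_OTHER;
    }
    rc = connect(fd, (struct sockaddr *)&sa, sizeof sa);
    if (rc < 0 && errno != EINPROGRESS) {
        soerr = errno;                 /* immediate failure, e.g. a propagated -EPERM */
    } else if (rc < 0) {
        pfd.fd = fd;                   /* SYN in flight: wait for SYN-ACK, RST or deadline */
        pfd.events = POLLOUT;
        rc = poll(&pfd, 1, timeout_ms);
        if (rc == 0)
            soerr = ETIMEDOUT;         /* the "just hanging" case, cut short by our deadline */
        else if (rc < 0 || getsockopt(fd, SOL_SOCKET, SO_ERROR, &soerr, &len) < 0)
            soerr = errno;
    }
    close(fd);
    *err = soerr;
    return classify_errno(soerr);
}

/* Bind 127.0.0.1:0 and release it to learn a port with no listener (demo helper). */
int unused_loopback_port(void)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) { close(fd); return -1; }
    close(fd);
    return ntohs(sa.sin_port);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "ok", "refused", "filtered", "timeout", "other" };
    const char *ip = argc > 1 ? argv[1] : "127.0.0.1";
    int port = argc > 2 ? atoi(argv[2]) : unused_loopback_port();
    int err = 0;
    enum connect_result r = bounded_connect(ip, (uint16_t)port, 3000, &err);
    printf("%s:%d -> %s (%s)\n", ip, port, names[r], strerror(err));
    return r == CONNECT_OK ? 0 : 1;
}
```

Usage: `./bounded_connect 192.0.2.1 80` against a route covered by `-j DROP` in OUTPUT prints "timeout"; the same port behind `-j REJECT` prints "refused". Whether an SELinux or netfilter veto ever shows up as "filtered" is exactly what this thread is deciding; the classifier handles that case so an application does not have to change when the kernel starts reporting it.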


Thread overview: 31+ messages
2010-11-11 21:03 [RFC PATCH] network: return errors if we know tcp_connect failed Eric Paris
2010-11-11 21:14 ` Eric Dumazet
2010-11-11 21:58 ` Hua Zhong
2010-11-12  7:36   ` Patrick McHardy
2010-11-12 23:14     ` Hua Zhong
2010-11-15 10:32       ` Patrick McHardy
2010-11-15 15:47         ` Eric Paris
2010-11-15 15:57           ` Patrick McHardy
2010-11-15 16:04             ` Patrick McHardy
2010-11-15 16:36             ` Patrick McHardy
2010-11-15 16:46               ` David Miller
2010-11-15 20:00           ` Alexey Kuznetsov
2010-11-12 16:08   ` Eric Paris [this message]
2010-11-12 16:15     ` Eric Dumazet
2010-11-12 16:35       ` David Lamparter
2010-11-12 16:53         ` Eric Paris
2010-11-12 16:54         ` Patrick McHardy
2010-11-12 17:57           ` a problem tcp_v4_err() Alexey Kuznetsov
2010-11-12 18:12             ` Eric Dumazet
2010-11-12 18:21               ` Eric Dumazet
2010-11-12 18:27                 ` Eric Dumazet
2010-11-12 18:31                   ` Alexey Kuznetsov
2010-11-12 18:29               ` Alexey Kuznetsov
2010-11-12 18:33                 ` Eric Dumazet
2010-11-12 19:22                   ` David Miller
2010-11-12 21:18                     ` Eric Dumazet
2010-11-12 21:36                       ` David Miller
2010-11-12 21:16           ` [RFC PATCH] network: return errors if we know tcp_connect failed David Lamparter
2010-11-12 21:18             ` David Miller
2010-11-12 17:46 ` Alexey Kuznetsov
2010-11-12 19:28   ` David Miller
