From: Patrick McHardy <kaber@trash.net>
To: David Lamparter <equinox@diac24.net>
Cc: Eric Dumazet <eric.dumazet@gmail.com>,
Eric Paris <eparis@redhat.com>, Hua Zhong <hzhong@gmail.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
davem@davemloft.net, kuznet@ms2.inr.ac.ru, pekkas@netcore.fi,
jmorris@namei.org, yoshfuji@linux-ipv6.org, paul.moore@hp.com
Subject: Re: [RFC PATCH] network: return errors if we know tcp_connect failed
Date: Fri, 12 Nov 2010 17:54:29 +0100 [thread overview]
Message-ID: <4CDD7145.8070606@trash.net> (raw)
In-Reply-To: <20101112163543.GB122902@jupiter.n2.diac24.net>
Am 12.11.2010 17:35, schrieb David Lamparter:
> On Fri, Nov 12, 2010 at 05:15:32PM +0100, Eric Dumazet wrote:
>> Le vendredi 12 novembre 2010 à 11:08 -0500, Eric Paris a écrit :
>>
>>> 2) What should the generic TCP code (tcp_connect()) do if the skb failed
>>> to send. Should it return error codes back up the stack somehow or
>>> should they continue to be ignored? Obviously continuing to just ignore
>>> information we have doesn't make me happy (otherwise I wouldn't have
>>> started scratching this itch). But the point about ENOBUFS is well
>>> taken. Maybe I should make tcp_connect(), or the caller to
>>> tcp_connect() more intelligent about specific error codes?
>>>
>>> I'm looking for a path forward. If SELinux is rejecting the SYN packets
>>> on connect() I want to pass that info to userspace rather than just
>>> hanging. What's the best way to accomplish that?
>>>
>>
>> Eric, if you can differentiate a permanent reject, instead of a
>> temporary one (congestion, or rate limiting, or ENOBUF, or ...), then
>> yes, you could make tcp_connect() report to user the permanent error,
>> and ignore the temporary one.
Indeed. We could even make the NF_DROP return value configurable
by encoding it in the verdict.
> If the netfilter targets DROP/REJECT match the NF_DROP/NF_REJECT
> counterparts, which i guess they do but i didn't read the source ;),
> then SELinux should use NF_REJECT in my opinion.
There is no NF_REJECT.
> NF_DROP does exactly what the name says, it drops the packet aka
> basically puts it in /dev/null. As with writing to /dev/null, you don't
> get an error for that. Even more, if in the meantime the DROP rule does
> not match anymore, the 2nd or 3rd SYN from the connect() can come
> through and establish a connection (think of "-m statistic" & co.)
>
> This is very different from REJECT.
Returning NF_DROP results in -EPERM getting reported back. As Eric
noticed, this is ignored for SYN packets.
> If REJECT doesn't immediately get reported to the application, that *is*
> a bug, but last time i checked i got EPERM immediately. I would fix
> SELinux to use the same mechanism.
NF_DROP returns -EPERM, the REJECT targets send packets to reject
a connection. Whether this is reported immediately depends on the
error and the protocol in question. Using a TCP reset immediately
resets the connection.
next prev parent reply other threads:[~2010-11-12 16:54 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-11-11 21:03 [RFC PATCH] network: return errors if we know tcp_connect failed Eric Paris
2010-11-11 21:14 ` Eric Dumazet
2010-11-11 21:58 ` Hua Zhong
2010-11-12 7:36 ` Patrick McHardy
2010-11-12 23:14 ` Hua Zhong
2010-11-15 10:32 ` Patrick McHardy
2010-11-15 15:47 ` Eric Paris
2010-11-15 15:57 ` Patrick McHardy
2010-11-15 16:04 ` Patrick McHardy
2010-11-15 16:36 ` Patrick McHardy
2010-11-15 16:46 ` David Miller
2010-11-15 20:00 ` Alexey Kuznetsov
2010-11-12 16:08 ` Eric Paris
2010-11-12 16:15 ` Eric Dumazet
2010-11-12 16:35 ` David Lamparter
2010-11-12 16:53 ` Eric Paris
2010-11-12 16:54 ` Patrick McHardy [this message]
2010-11-12 17:57 ` a problem tcp_v4_err() Alexey Kuznetsov
2010-11-12 18:12 ` Eric Dumazet
2010-11-12 18:21 ` Eric Dumazet
2010-11-12 18:27 ` Eric Dumazet
2010-11-12 18:31 ` Alexey Kuznetsov
2010-11-12 18:29 ` Alexey Kuznetsov
2010-11-12 18:33 ` Eric Dumazet
2010-11-12 19:22 ` David Miller
2010-11-12 21:18 ` Eric Dumazet
2010-11-12 21:36 ` David Miller
2010-11-12 21:16 ` [RFC PATCH] network: return errors if we know tcp_connect failed David Lamparter
2010-11-12 21:18 ` David Miller
2010-11-12 17:46 ` Alexey Kuznetsov
2010-11-12 19:28 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4CDD7145.8070606@trash.net \
--to=kaber@trash.net \
--cc=davem@davemloft.net \
--cc=eparis@redhat.com \
--cc=equinox@diac24.net \
--cc=eric.dumazet@gmail.com \
--cc=hzhong@gmail.com \
--cc=jmorris@namei.org \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=paul.moore@hp.com \
--cc=pekkas@netcore.fi \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).