linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Patrick McHardy <kaber@trash.net>
To: David Lamparter <equinox@diac24.net>
Cc: Eric Dumazet <eric.dumazet@gmail.com>,
	Eric Paris <eparis@redhat.com>, Hua Zhong <hzhong@gmail.com>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	davem@davemloft.net, kuznet@ms2.inr.ac.ru, pekkas@netcore.fi,
	jmorris@namei.org, yoshfuji@linux-ipv6.org, paul.moore@hp.com
Subject: Re: [RFC PATCH] network: return errors if we know tcp_connect failed
Date: Fri, 12 Nov 2010 17:54:29 +0100	[thread overview]
Message-ID: <4CDD7145.8070606@trash.net> (raw)
In-Reply-To: <20101112163543.GB122902@jupiter.n2.diac24.net>

Am 12.11.2010 17:35, schrieb David Lamparter:
> On Fri, Nov 12, 2010 at 05:15:32PM +0100, Eric Dumazet wrote:
>> Le vendredi 12 novembre 2010 à 11:08 -0500, Eric Paris a écrit :
>>
>>> 2) What should the generic TCP code (tcp_connect()) do if the skb failed
>>> to send.  Should it return error codes back up the stack somehow or
>>> should they continue to be ignored?  Obviously continuing to just ignore
>>> information we have doesn't make me happy (otherwise I wouldn't have
>>> started scratching this itch).  But the point about ENOBUFS is well
>>> taken.  Maybe I should make tcp_connect(), or the caller to
>>> tcp_connect() more intelligent about specific error codes?
>>>
>>> I'm looking for a path forward.  If SELinux is rejecting the SYN packets
>>> on connect() I want to pass that info to userspace rather than just
>>> hanging.  What's the best way to accomplish that?
>>>
>>
>> Eric, if you can differentiate a permanent reject, instead of a
>> temporary one (congestion, or rate limiting, or ENOBUF, or ...), then
>> yes, you could make tcp_connect() report to user the permanent error,
>> and ignore the temporary one.

Indeed. We could even make the NF_DROP return value configurable
by encoding it in the verdict.

> If the netfilter targets DROP/REJECT match the NF_DROP/NF_REJECT
> counterparts, which i guess they do but i didn't read the source ;),
> then SELinux should use NF_REJECT in my opinion.

There is no NF_REJECT.

> NF_DROP does exactly what the name says, it drops the packet aka
> basically puts it in /dev/null. As with writing to /dev/null, you don't
> get an error for that. Even more, if in the meantime the DROP rule does
> not match anymore, the 2nd or 3rd SYN from the connect() can come
> through and establish a connection (think of "-m statistic" & co.)
> 
> This is very different from REJECT.

Returning NF_DROP results in -EPERM getting reported back. As Eric
noticed, this is ignored for SYN packets.

> If REJECT doesn't immediately get reported to the application, that *is*
> a bug, but last time i checked i got EPERM immediately. I would fix
> SELinux to use the same mechanism.

NF_DROP returns -EPERM, the REJECT targets send packets to reject
a connection. Whether this is reported immediately depends on the
error and the protocol in question. Using a TCP reset immediately
resets the connection.

  parent reply	other threads:[~2010-11-12 16:54 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-11-11 21:03 [RFC PATCH] network: return errors if we know tcp_connect failed Eric Paris
2010-11-11 21:14 ` Eric Dumazet
2010-11-11 21:58 ` Hua Zhong
2010-11-12  7:36   ` Patrick McHardy
2010-11-12 23:14     ` Hua Zhong
2010-11-15 10:32       ` Patrick McHardy
2010-11-15 15:47         ` Eric Paris
2010-11-15 15:57           ` Patrick McHardy
2010-11-15 16:04             ` Patrick McHardy
2010-11-15 16:36             ` Patrick McHardy
2010-11-15 16:46               ` David Miller
2010-11-15 20:00           ` Alexey Kuznetsov
2010-11-12 16:08   ` Eric Paris
2010-11-12 16:15     ` Eric Dumazet
2010-11-12 16:35       ` David Lamparter
2010-11-12 16:53         ` Eric Paris
2010-11-12 16:54         ` Patrick McHardy [this message]
2010-11-12 17:57           ` a problem tcp_v4_err() Alexey Kuznetsov
2010-11-12 18:12             ` Eric Dumazet
2010-11-12 18:21               ` Eric Dumazet
2010-11-12 18:27                 ` Eric Dumazet
2010-11-12 18:31                   ` Alexey Kuznetsov
2010-11-12 18:29               ` Alexey Kuznetsov
2010-11-12 18:33                 ` Eric Dumazet
2010-11-12 19:22                   ` David Miller
2010-11-12 21:18                     ` Eric Dumazet
2010-11-12 21:36                       ` David Miller
2010-11-12 21:16           ` [RFC PATCH] network: return errors if we know tcp_connect failed David Lamparter
2010-11-12 21:18             ` David Miller
2010-11-12 17:46 ` Alexey Kuznetsov
2010-11-12 19:28   ` David Miller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4CDD7145.8070606@trash.net \
    --to=kaber@trash.net \
    --cc=davem@davemloft.net \
    --cc=eparis@redhat.com \
    --cc=equinox@diac24.net \
    --cc=eric.dumazet@gmail.com \
    --cc=hzhong@gmail.com \
    --cc=jmorris@namei.org \
    --cc=kuznet@ms2.inr.ac.ru \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=paul.moore@hp.com \
    --cc=pekkas@netcore.fi \
    --cc=yoshfuji@linux-ipv6.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).