From: Jiri Wiesner <jwiesner@suse.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org,
Jozsef Kadlecsik <kadlec@netfilter.org>,
Florian Westphal <fw@strlen.de>,
"David S. Miller" <davem@davemloft.net>,
Michal Kubecek <mkubecek@suse.cz>
Subject: Re: [PATCH nf] netfilter: conntrack: sctp: use distinct states for new SCTP connections
Date: Sun, 19 Jan 2020 18:50:05 +0100
Message-ID: <e53e196c-5300-982c-4c06-d20b31857b32@suse.com>
In-Reply-To: <20200118203900.4cbujiax7jcg73dk@salvia>
On 18/01/2020 21:39, Pablo Neira Ayuso wrote:
> On Sat, Jan 18, 2020 at 01:10:50PM +0100, Jiri Wiesner wrote:
>> The netlink notifications triggered by the INIT and INIT_ACK chunks
>> for a tracked SCTP association do not include protocol information
>> for the corresponding connection - SCTP state and verification tags
>> for the original and reply direction are missing. Since the connection
>> tracking implementation allows user space programs to receive
>> notifications about a connection and then create a new connection
>> based on the values received in a notification, it makes sense that
>> INIT and INIT_ACK notifications should contain the SCTP state
>> and verification tags available at the time when a notification
>> is sent. The missing verification tags cause a newly created
>> netfilter connection to fail to verify the tags of SCTP packets
>> when this connection has been created from the values previously
>> received in an INIT or INIT_ACK notification.
>>
>> A PROTOINFO event is cached in sctp_packet() when the state
>> of a connection changes. The CLOSED and COOKIE_WAIT state will
>> be used for connections that have seen an INIT and INIT_ACK chunk,
>> respectively. The distinct states will cause a connection state
>> change in sctp_packet().
> This problem shows through conntrack -E, correct?
>
> Thanks.
Yes, although "conntrack -E" does not display verification tags. These
are the first 3 notifications of an association as printed by "conntrack
-E" (output truncated after src=):
[NEW] ipv4 2 sctp 132 3 src=
[UPDATE] ipv4 2 sctp 132 3 src=
[UPDATE] ipv4 2 sctp 132 3 COOKIE_ECHOED src=
As you see, there is no connection state printed in the first two
notifications.
I used a custom tool which can print verification tags and formats its
output similarly to "conntrack -E":
[NEW] ipv4 2 sctp 132 3 0 0 src=
[UPDATE] ipv4 2 sctp 132 3 0 0 src=
[UPDATE] ipv4 2 sctp 132 3 COOKIE_ECHOED 50ced389 e967350e src=
The tags are printed as zero in the first two notifications, but that
rather means the tags have not been received in the notification. The
above test was done under Linux 5.5-rc4.
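As an added illustration (not part of the patch, of conntrack-tools, or of the custom tool above), the following Python parses event lines in the layout of that custom tool and reports which SCTP notifications lack a state or verification tags; the addresses after src= are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of the custom tool quoted above (conntrack
# -E fields, then optional state and two vtags); addresses after src= are made up.
SAMPLE_EVENTS = """\
[NEW] ipv4 2 sctp 132 3 src=10.0.0.1 dst=10.0.0.2 sport=38000 dport=5000
[UPDATE] ipv4 2 sctp 132 3 0 0 src=10.0.0.1 dst=10.0.0.2 sport=38000 dport=5000
[UPDATE] ipv4 2 sctp 132 3 COOKIE_ECHOED 50ced389 e967350e src=10.0.0.1 dst=10.0.0.2 sport=38000 dport=5000
"""

# [EVENT] l3 l3num l4 l4num timeout [STATE] [vtag_orig vtag_repl] key=value ...
_LINE = re.compile(
    r"^\[(?P<event>\w+)\]\s+\w+\s+\d+\s+(?P<l4>\w+)\s+\d+\s+\d+"
    r"(?:\s+(?P<state>[A-Z][A-Z_]*))?"
    r"(?:\s+(?P<vtag_orig>[0-9a-f]+)\s+(?P<vtag_repl>[0-9a-f]+))?"
    r"\s+(?P<kv>\S+=.*)$")

@dataclass
class CtEvent:
    event: str
    l4proto: str
    state: Optional[str]
    vtag_orig: Optional[int]
    vtag_repl: Optional[int]

    def missing_protoinfo(self) -> List[str]:
        """SCTP protocol info absent from this notification; a zero tag
        counts as 'not received', which is how the mail reads the output."""
        if self.l4proto != "sctp":
            return []
        missing = ["state"] if self.state is None else []
        if not self.vtag_orig or not self.vtag_repl:
            missing.append("vtags")
        return missing

def parse_event(line: str) -> CtEvent:
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised conntrack event line: {line!r}")
    vtag = lambda g: int(m.group(g), 16) if m.group(g) else None
    return CtEvent(m.group("event"), m.group("l4"), m.group("state"),
                   vtag("vtag_orig"), vtag("vtag_repl"))

def audit(text: str) -> List[tuple]:
    """(line no., event, missing fields) for each incomplete SCTP notification."""
    events = (parse_event(l) for l in text.splitlines() if l.strip())
    return [(i, e.event, e.missing_protoinfo())
            for i, e in enumerate(events, 1) if e.missing_protoinfo()]
```

Plain "conntrack -E" lines (state but no tags) parse too and are reported as missing only the vtags, since that tool never prints them.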