Re: [RFC PATCH] network: return errors if we know tcp_connect failed

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Patrick McHardy

Subject: Re: [RFC PATCH] network: return errors if we know tcp_connect failed

Date: Monday, November 15, 2010 - 8:57 am

On 15.11.2010 16:47, Eric Paris wrote:
quoted text> On Mon, 2010-11-15 at 11:32 +0100, Patrick McHardy wrote:
>> On 13.11.2010 00:14, Hua Zhong wrote:
>>>> On 11.11.2010 22:58, Hua Zhong wrote:
>>>>>> Yes, I realize this is little different than if the
>>>>>> SYN was dropped in the first network device, but it is different
>>>>>> because we know what happened!  We know that connect() call failed
>>>>>> and that there isn't anything coming back.
>>>>>
>>>>> I would argue that -j DROP should behave exactly as the packet is
>>>> dropped in the network, while -j REJECT should signal the failure to
>>>> the application as soon as possible (which it doesn't seem to do).
>>>>
>>>> It sends an ICMP error or TCP reset. Interpretation is up to TCP.
>>>
>>> Huh? It's the OUTPUT chain we are talking about. There is no ICMP error or
>>> TCP reset.
>>
>> Of course there is.
>>
>> ICMP (default):
>>
>> iptables -A OUTPUT -p tcp -j REJECT
>>
>> TCP reset:
>>
>> iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
>>
>> The second one will cause a hard error for the connection.
> 
> Well I'm (I guess?) surprised that the --reject-with icmp doesn't do
> anything with a local outgoing connection but --reject-with tcp-reset
> does something like what I'm looking for.
> 
> I notice the heavy lifting for this is done in 
> net/ipv4/netfilter/ipt_REJECT.c::send_rest()
> (and something very similar for IPv6)
> 
> I really don't want to duplicate that code into SELinux (for obvious
> reasons) and I'm wondering if anyone has objections to me making it
> available outside of netlink and/or suggestions on how to make that code
> available outside of netfilter (aka what header to expose it, and does
> it still make logical sense in ipt_REJECT.c or somewhere else?)

I don't think having SELinux sending packets to handle local
connections is a very elegant design, its not a firewall after
all. What's wrong with reacting only to specific errno codes
in tcp_connect()? You could f.i. return -ECONNREFUSED from
SELinux, that one is pretty much guaranteed not to occur in
the network stack itself and can be returned directly.

That would need minor changes to nf_hook_slow so we can
encode errno values in the upper 16 bits of the verdict,
as we already do with the queue number. The added benefit
is that we don't have to return EPERM anymore when f.i.
rerouting fails.
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[RFC PATCH] network: return errors if we know tcp_connect ..., Eric Paris, (Thu Nov 11, 2:03 pm)

Re: [RFC PATCH] network: return errors if we know tcp_conn ..., Eric Dumazet, (Thu Nov 11, 2:14 pm)

RE: [RFC PATCH] network: return errors if we know tcp_conn ..., Hua Zhong, (Thu Nov 11, 2:58 pm)

Re: [RFC PATCH] network: return errors if we know tcp_conn ..., Patrick McHardy, (Fri Nov 12, 12:36 am)

RE: [RFC PATCH] network: return errors if we know tcp_conn ..., Eric Paris, (Fri Nov 12, 9:08 am)

RE: [RFC PATCH] network: return errors if we know tcp_conn ..., Eric Dumazet, (Fri Nov 12, 9:15 am)

Re: [RFC PATCH] network: return errors if we know tcp_conn ..., David Lamparter, (Fri Nov 12, 9:35 am)

Re: [RFC PATCH] network: return errors if we know tcp_conn ..., Eric Paris, (Fri Nov 12, 9:53 am)

Re: [RFC PATCH] network: return errors if we know tcp_conn ..., Patrick McHardy, (Fri Nov 12, 9:54 am)

a problem tcp_v4_err(), Alexey Kuznetsov, (Fri Nov 12, 10:57 am)

Re: a problem tcp_v4_err(), Eric Dumazet, (Fri Nov 12, 11:12 am)

Re: a problem tcp_v4_err(), Eric Dumazet, (Fri Nov 12, 11:21 am)

Re: a problem tcp_v4_err(), Eric Dumazet, (Fri Nov 12, 11:27 am)

Re: a problem tcp_v4_err(), Alexey Kuznetsov, (Fri Nov 12, 11:29 am)

Re: a problem tcp_v4_err(), Alexey Kuznetsov, (Fri Nov 12, 11:31 am)

Re: a problem tcp_v4_err(), Eric Dumazet, (Fri Nov 12, 11:33 am)

Re: a problem tcp_v4_err(), David Miller, (Fri Nov 12, 12:22 pm)

Re: [RFC PATCH] network: return errors if we know tcp_conn ..., David Miller, (Fri Nov 12, 12:28 pm)

Re: [RFC PATCH] network: return errors if we know tcp_conn ..., David Lamparter, (Fri Nov 12, 2:16 pm)

Re: [RFC PATCH] network: return errors if we know tcp_conn ..., David Miller, (Fri Nov 12, 2:18 pm)

Re: a problem tcp_v4_err(), Eric Dumazet, (Fri Nov 12, 2:18 pm)

Re: a problem tcp_v4_err(), David Miller, (Fri Nov 12, 2:36 pm)

RE: [RFC PATCH] network: return errors if we know tcp_conn ..., Hua Zhong, (Fri Nov 12, 4:14 pm)

Re: [RFC PATCH] network: return errors if we know tcp_conn ..., Patrick McHardy, (Mon Nov 15, 3:32 am)

Re: [RFC PATCH] network: return errors if we know tcp_conn ..., Eric Paris, (Mon Nov 15, 8:47 am)

Re: [RFC PATCH] network: return errors if we know tcp_conn ..., Patrick McHardy, (Mon Nov 15, 8:57 am)

Re: [RFC PATCH] network: return errors if we know tcp_conn ..., Patrick McHardy, (Mon Nov 15, 9:04 am)

Re: [RFC PATCH] network: return errors if we know tcp_conn ..., Patrick McHardy, (Mon Nov 15, 9:36 am)

Re: [RFC PATCH] network: return errors if we know tcp_conn ..., David Miller, (Mon Nov 15, 9:46 am)

Re: [RFC PATCH] network: return errors if we know tcp_conn ..., Alexey Kuznetsov, (Mon Nov 15, 1:00 pm)


linux-kernel:
Paul Turner	[tg_shares_up rewrite v4 11/11] sched: update tg->shares after cpu.shares write
Mr. James W. Laferriere	Re: Linux 2.6.25-rc1 , syntax error near unexpected token `;'
Linus Torvalds	Linux 2.6.34-rc4
Colin Cross	[PATCH 12/21] ARM: tegra: Add suspend and hotplug support
Chuck Ebbert	Re: PCI: Unable to reserve mem region problem
git:
Fredrik Kuivinen	Re: fatal: unable to create '.git/index': File exists
Wink Saville	How-to combine several separate git repos?
Emily Ren	How to pull remote branch with specified commit id?
Denis Bueno	Git clone error
pradeep singh	git-update-server-info may be required,cannot clone and pull from a remote reposit...
linux-netdev:
Jamie Lokier	Re: POHMELFS high performance network filesystem. Transactions, failover, performa...
Timo Teräs	ip xfrm policy semantics
Jarek Poplawski	Re: socket api problem: can't bind an ipv6 socket to ::ffff:0.0.0.0
Michael S. Tsirkin	[PATCH 3/3] vhost: fix get_user_pages_fast error handling
Jeff Garzik	Re: [0/3] POHMELFS high performance network filesystem. First steps in parallel pr...
openbsd-misc:
Sevan / Venture37	Re: This is what Linus Torvalds calls openBSD crowd
Netmaffia.hu	Tini Lányok AKCIÓBAN OTTHON
Siju George	This is what Linus Torvalds calls openBSD crowd
Darrin Chandler	Re: OT: Python (was Re: vi in /bin)
frantisek holop	Re: splassert: vwakeup: and friends
git-commits-head:
Linux Kernel Mailing List	ASoC: fix registration of the SoC card in the Freescale MPC8610 drivers
Linux Kernel Mailing List	drivers/acpi: use kasprintf
Linux Kernel Mailing List	powerpc/fsl_msi: enable msi allocation in all banks
Linux Kernel Mailing List	bnx2x: Moving includes
Linux Kernel Mailing List	nfsd41: sanity check client drc maxreqs