1. 04 Sep, 2013 2 commits
    • netfilter: synproxy_core: fix warning in __nf_ct_ext_add_length() · f4de4c89
      Patrick McHardy authored
      With CONFIG_NETFILTER_DEBUG we get the following warning during SYNPROXY init:
      
      [   80.558906] WARNING: CPU: 1 PID: 4833 at net/netfilter/nf_conntrack_extend.c:80 __nf_ct_ext_add_length+0x217/0x220 [nf_conntrack]()
      
      The reason is that the conntrack template is set to confirmed before adding
      the extension and it is invalid to add extensions to already confirmed
      conntracks. Fix by adding the extensions before setting the conntrack to
      confirmed.
      Reported-by: Jesper Dangaard Brouer <jesper.brouer@gmail.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: more strict TCP flag matching in SYNPROXY · 775ada6d
      Jesper Dangaard Brouer authored
      It seems Patrick missed incorporating some of my requested changes
      during review v2 of the SYNPROXY netfilter module.
      
      Which were, to avoid SYN+ACK packets entering the path meant for the
      ACK packet from the client (from the 3WHS).
      
      Further, there was a bug in ip6t_SYNPROXY.c, for matching SYN packets,
      that didn't exclude the ACK flag.
      
      Go a step further with SYN packet/flag matching by excluding flags
      ACK+FIN+RST, in both IPv4 and IPv6 modules.
      
      The intended usage of SYNPROXY is as follows:
      (gracefully describing usage in commit)
      
       iptables -t raw -A PREROUTING -i eth0 -p tcp --dport 80 --syn -j NOTRACK
       iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state UNTRACKED,INVALID \
               -j SYNPROXY --sack-perm --timestamp --mss 1480 --wscale 7 --ecn
      
       echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
      
      This does filter SYN flags early, for packets in the UNTRACKED state,
      but packets in the INVALID state with other TCP flags could still
      reach the module, thus this stricter flag matching is still needed.
      Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
      Acked-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
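The flag matching the commit above describes, worked through on a raw TCP header as an added example (this is not code from the kernel, the netfilter project or the commit). It builds constructed 20-byte TCP headers with chosen flag bytes and classifies each into the SYN path, the path meant for the client's 3WHS ACK, or neither. The "strict" classifier follows the commit text (a SYN must carry none of ACK/FIN/RST; an ACK must carry none of SYN/FIN/RST, with ECE/CWR left alone so an ECN-setup SYN still matches). The "loose" classifier is an assumption used only to show how SYN+ACK and FIN+ACK would otherwise land in the ACK path; it is not the exact pre-patch code. All names and constants are this example's own.

```c
/* Added example, not kernel code: model SYNPROXY's stricter TCP flag
 * matching on a raw TCP header and contrast it with a one-flag check.
 * The "loose" variant is an illustrative assumption, not the pre-patch code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10
#define TH_ECE 0x40
#define TH_CWR 0x80

#define TCP_MIN_HDR 20  /* header length without options */

enum synproxy_path { PATH_NONE = 0, PATH_SYN = 1, PATH_ACK = 2 };

/* Build a minimal TCP header (constructed sample data): fixed ports and
 * sequence numbers, data offset 5, and the requested flag byte at offset 13. */
static size_t build_tcp_header(uint8_t *buf, size_t cap, uint8_t flags)
{
    static const uint8_t tmpl[TCP_MIN_HDR] = {
        0xc3, 0x50,             /* source port 50000 */
        0x00, 0x50,             /* destination port 80 */
        0x00, 0x00, 0x00, 0x01, /* sequence number */
        0x00, 0x00, 0x00, 0x00, /* acknowledgement number */
        0x50, 0x00,             /* data offset 5 (20 bytes), flags */
        0xff, 0xff,             /* window */
        0x00, 0x00,             /* checksum (not computed here) */
        0x00, 0x00              /* urgent pointer */
    };
    if (buf == NULL || cap < TCP_MIN_HDR) return 0;
    memcpy(buf, tmpl, TCP_MIN_HDR);
    buf[13] = flags;
    return TCP_MIN_HDR;
}

/* Flag byte of a TCP header, or -1 if the buffer cannot hold a valid one. */
static int tcp_flags(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < TCP_MIN_HDR) return -1;
    if ((pkt[12] >> 4) < 5) return -1;  /* data offset below the minimum */
    return pkt[13];
}

/* Loose matching (assumption): SYN path excludes only ACK, ACK path tests
 * the ACK bit alone, so SYN+ACK and FIN+ACK fall into the 3WHS-ACK path. */
static enum synproxy_path classify_loose(const uint8_t *pkt, size_t len)
{
    int f = tcp_flags(pkt, len);
    if (f < 0) return PATH_NONE;
    if ((f & TH_SYN) && !(f & TH_ACK)) return PATH_SYN;
    if (f & TH_ACK) return PATH_ACK;
    return PATH_NONE;
}

/* Strict matching as the commit describes: SYN without ACK/FIN/RST, and
 * ACK without SYN/FIN/RST. ECE/CWR are not excluded, so --ecn SYNs match. */
static enum synproxy_path classify_strict(const uint8_t *pkt, size_t len)
{
    int f = tcp_flags(pkt, len);
    if (f < 0) return PATH_NONE;
    if ((f & TH_SYN) && !(f & (TH_ACK | TH_FIN | TH_RST))) return PATH_SYN;
    if ((f & TH_ACK) && !(f & (TH_SYN | TH_FIN | TH_RST))) return PATH_ACK;
    return PATH_NONE;
}

/* Convenience wrappers: build a header with the given flags and classify it. */
static enum synproxy_path loose_for(uint8_t flags)
{
    uint8_t pkt[TCP_MIN_HDR];
    return classify_loose(pkt, build_tcp_header(pkt, sizeof pkt, flags));
}

static enum synproxy_path strict_for(uint8_t flags)
{
    uint8_t pkt[TCP_MIN_HDR];
    return classify_strict(pkt, build_tcp_header(pkt, sizeof pkt, flags));
}

static const char *path_name(enum synproxy_path p)
{
    return p == PATH_SYN ? "SYN" : p == PATH_ACK ? "ACK" : "none";
}

int main(void)
{
    const struct { const char *label; uint8_t flags; } samples[] = {
        { "SYN",         TH_SYN },
        { "SYN+ECE+CWR", TH_SYN | TH_ECE | TH_CWR },
        { "SYN+ACK",     TH_SYN | TH_ACK },
        { "SYN+RST",     TH_SYN | TH_RST },
        { "ACK",         TH_ACK },
        { "FIN+ACK",     TH_FIN | TH_ACK },
        { "RST",         TH_RST },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s loose=%-4s strict=%s\n", samples[i].label,
               path_name(loose_for(samples[i].flags)),
               path_name(strict_for(samples[i].flags)));
    return 0;
}
```

Run stand-alone it prints one line per constructed header; the rows worth noting are SYN+ACK and FIN+ACK, which the loose check routes into the ACK path and the strict check rejects, and SYN+RST, which only the strict check keeps out of the SYN path. This is the behaviour the iptables rules above cannot guarantee on their own, since `--syn` in the raw table only covers packets that end up UNTRACKED while INVALID packets with other flag combinations still reach the target.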