diff mbox

netfilter: SYNPROXY: fix process non tcp packet bug in {ipv4,ipv6}_synproxy_hook

Message ID 1501221784-18226-1-git-send-email-xiaolou4617@gmail.com
State Changes Requested
Delegated to: Pablo Neira
Headers show

Commit Message

Lin Zhang July 28, 2017, 6:03 a.m. UTC 
In function {ipv4,ipv6}_synproxy_hook we expect a normal tcp packet,
but the real server maybe reply an icmp error packet related to the 
exist tcp conntrack, so we will access wrong tcp data.

For fix it, we simply pass IP_CT_RELATED_REPLY packets.

Signed-off-by: Lin Zhang <xiaolou4617@gmail.com>
---
 net/ipv4/netfilter/ipt_SYNPROXY.c  | 2 +-
 net/ipv6/netfilter/ip6t_SYNPROXY.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Comments

Pablo Neira Ayuso Aug. 24, 2017, 2:07 p.m. UTC | #1 
On Fri, Jul 28, 2017 at 02:03:04PM +0800, Lin Zhang wrote:
> In function {ipv4,ipv6}_synproxy_hook we expect a normal tcp packet,
> but the real server maybe reply an icmp error packet related to the 
> exist tcp conntrack, so we will access wrong tcp data.
> 
> For fix it, we simply pass IP_CT_RELATED_REPLY packets.
> 
> Signed-off-by: Lin Zhang <xiaolou4617@gmail.com>
> ---
>  net/ipv4/netfilter/ipt_SYNPROXY.c  | 2 +-
>  net/ipv6/netfilter/ip6t_SYNPROXY.c | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
> index f1528f7..3971fd9 100644
> --- a/net/ipv4/netfilter/ipt_SYNPROXY.c
> +++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
> @@ -330,7 +330,7 @@ static unsigned int ipv4_synproxy_hook(void *priv,
>  	if (synproxy == NULL)
>  		return NF_ACCEPT;
>  
> -	if (nf_is_loopback_packet(skb))
> +	if (nf_is_loopback_packet(skb) || ctinfo == IP_CT_RELATED_REPLY)

If the intention is to inspect TCP traffic only, I would suggest you
just check for the protocol field here instead. So we are sure we only
deal with TCP traffic indeed.

Thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
index f1528f7..3971fd9 100644
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -330,7 +330,7 @@  static unsigned int ipv4_synproxy_hook(void *priv,
 	if (synproxy == NULL)
 		return NF_ACCEPT;
 
-	if (nf_is_loopback_packet(skb))
+	if (nf_is_loopback_packet(skb) || ctinfo == IP_CT_RELATED_REPLY)
 		return NF_ACCEPT;
 
 	thoff = ip_hdrlen(skb);
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index ce203dd..c4bcefe 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -347,7 +347,7 @@  static unsigned int ipv6_synproxy_hook(void *priv,
 	if (synproxy == NULL)
 		return NF_ACCEPT;
 
-	if (nf_is_loopback_packet(skb))
+	if (nf_is_loopback_packet(skb) || ctinfo == IP_CT_RELATED_REPLY)
 		return NF_ACCEPT;
 
 	nexthdr = ipv6_hdr(skb)->nexthdr;