Re: defense against conntrack attacks

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Henrik Nordstrom <hno@marasystems.com>
To: Harald Welte <laforge@gnumonks.org>, don-nf@isis.cs3-inc.com (Don Cohen)
Cc: netfilter-devel@lists.samba.org
Subject: Re: defense against conntrack attacks
Date: Sun, 16 Jun 2002 22:55:23 +0200	[thread overview]
Message-ID: <200206162255.24397@henrik.marasystems.com> (raw)
In-Reply-To: <20020616221633.J2543@sunbeam.de.gnumonks.org>

On Sunday 16 June 2002 22.16, Harald Welte wrote:

> > If you recall my posting in April, you won't be surprised that I
> > want to put the connection creation code well after the current
> > postrouting hook.  After that hook the packet is enqueued for
> > traffic control, and it can be dropped between then and when it
> > is dequeued to be sent.  So I'd like to create a new hook after
> > that dequeue, and this is where I propose to create the
> > connection record.
>
> This sounds odd.  First, this is too revolutionary to the overall
> concept.
>
> Second, you need conntrack information before postrouting:
>
> - for doing DNAT [which _needs_ to happen before the routing
> decision] - for any stateful rules in the FORWARD chain of the
> filter table - for any stateful rules in the INPUT chain of the
> filter table

This proposal reminds me a lot of a similar proposal I made some 
(many) months ago.

Instead of creating the conntrack entry upon entry, create it "just in 
time", i.e. when first code requiring a conntrack entry is executed. 
Simply put any call to ip_conntrack_get().

This would be

  Any NAT target
  Any state/conntrack match
  etc..
  with a counter-measure in the nat table to not cause it to 
automatically initiate tracking (today calls ip_conntrack_get to tell 
if the packet should enter the table or not).

This approach makes the "conntrack exception" quite natural in most 
ruleset by my opinion; if you don't have any state or NAT rules 
touching the connection then it won't be tracked, but adds a bit of 
complexity to the design and collides with the sub-goal of being able 
to later add NAT rules without the risk of disturbing existing 
connections.

After our discussions the last time manual excepmtion is probably 
preferable I think. Less risk of confusion over what is being tracked 
and what not, and considerably less of a design change. But I have 
not yet fully given up the "just in time" idea.

Regards
Henrik

next prev parent reply	other threads:[~2002-06-16 20:55 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20020615132638.84C444509@lists.samba.org>
2002-06-15 22:38 ` defense against conntrack attacks Don Cohen
2002-06-16 20:16   ` Harald Welte
2002-06-16 20:55     ` Henrik Nordstrom [this message]
2002-06-16 22:57     ` Don Cohen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=200206162255.24397@henrik.marasystems.com \
    --to=hno@marasystems.com \
    --cc=don-nf@isis.cs3-inc.com \
    --cc=laforge@gnumonks.org \
    --cc=netfilter-devel@lists.samba.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.