* [PATCH] ipt_REJECT shouldn't send replies for wrong udp csum
@ 2003-01-09 14:46 Harald Welte
From: Harald Welte @ 2003-01-09 14:46 UTC (permalink / raw)
To: David Miller; +Cc: Netfilter Development Mailinglist
Hi Dave!
This is another patch of the series of patches you will receive from me today.
Please apply to 2.4.x and 2.5.x, thanks.
Author: Patrick McHardy <kaber@trash.net>
ipt_REJECT sends unreachables in response to UDP packets with invalid
checksums, thereby exposing the existence of a firewall (as described
in phrack #60, "broken crc firewall spotting" (or something like this),
www.phrack.com). The patch makes ipt_REJECT verify UDP checksums if
set.
diff -urN linux-2.4.21-pre2-clean/net/ipv4/netfilter/ipt_REJECT.c linux-2.4.21-pre2/net/ipv4/netfilter/ipt_REJECT.c
--- linux-2.4.21-pre2-clean/net/ipv4/netfilter/ipt_REJECT.c 2002-11-29 00:53:15.000000000 +0100
+++ linux-2.4.21-pre2/net/ipv4/netfilter/ipt_REJECT.c 2003-01-05 19:59:27.000000000 +0100
@@ -6,6 +6,8 @@
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
+#include <linux/udp.h>
+#include <linux/icmp.h>
#include <net/icmp.h>
#include <net/ip.h>
#include <net/tcp.h>
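Review bot: the new `#include <linux/icmp.h>` is unrelated to the UDP change; `struct icmphdr *icmph` is already declared in send_unreach() as an unchanged context line in the next hunk, so the type was reachable before this patch (via `<net/icmp.h>`). Making the include explicit is fine, but it deserves a mention in the changelog, or a separate cleanup patch, so the UDP fix stays minimal.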
@@ -157,6 +159,7 @@
static void send_unreach(struct sk_buff *skb_in, int code)
{
struct iphdr *iph;
+ struct udphdr *udph;
struct icmphdr *icmph;
struct sk_buff *nskb;
u32 saddr;
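Review bot: `struct udphdr *udph;` is declared at function scope here but is only used inside the new UDP block in the following hunk, right next to `int datalen` which is declared in that block. Declaring `udph` there too keeps its scope as tight as `datalen`'s and makes the block self-contained.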
@@ -186,6 +189,19 @@
if (iph->frag_off&htons(IP_OFFSET))
return;
+ /* if UDP checksum is set, verify it's correct */
+ if (iph->protocol == IPPROTO_UDP
+ && skb_in->tail-(u8*)iph >= sizeof(struct udphdr)) {
+ int datalen = skb_in->len - (iph->ihl<<2);
+ udph = (struct udphdr *)((char *)iph + (iph->ihl<<2));
+ if (udph->check
+ && csum_tcpudp_magic(iph->saddr, iph->daddr,
+ datalen, IPPROTO_UDP,
+ csum_partial((char *)udph, datalen,
+ 0)) != 0)
+ return;
+ }
+
/* If we send an ICMP error to an ICMP error a mess would result.. */
if (iph->protocol == IPPROTO_ICMP
&& skb_in->tail-(u8*)iph >= sizeof(struct icmphdr)) {
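Review bot: the bounds check `skb_in->tail-(u8*)iph >= sizeof(struct udphdr)` only proves that the UDP header lies in the linear area, yet `csum_partial((char *)udph, datalen, 0)` then walks `datalen = skb_in->len - (iph->ihl<<2)` bytes starting at udph; on a non-linear skb those bytes extend past skb->tail into paged fragments. Either skip the verification when skb_is_nonlinear(skb_in), or sum with skb_checksum() at the UDP offset so fragments are covered. Two smaller points: when skb_in->ip_summed already reports the checksum as verified (CHECKSUM_UNNECESSARY) the recomputation can be skipped, and the comment `/* if UDP checksum is set, verify it's correct */` could state the consequence, namely that on mismatch send_unreach() returns without a reply, which is the silent drop the cover text wants.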
--
- Harald Welte / laforge@gnumonks.org http://www.gnumonks.org/
============================================================================
"If this were a dictatorship, it'd be a heck of a lot easier, just so long
as I'm the dictator." -- George W. Bush Dec 18, 2000
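Added here as an illustration, not part of this thread or of netfilter: a user-space C rendering of the check the patch adds, computing the RFC 768 UDP checksum over the IPv4 pseudo-header the way csum_tcpudp_magic() plus csum_partial() do, and taking the same reply-or-stay-silent decision. The sample packet and the function names (sum16, udp_csum, udp_reject_may_reply, build_sample) are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* One's-complement sum of 16-bit big-endian words, like the kernel's csum_partial(). */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t s)
{
    for (; n > 1; n -= 2, p += 2) s += (uint32_t)p[0] << 8 | p[1];
    if (n) s += (uint32_t)p[0] << 8;            /* odd trailing byte, zero-padded */
    return s;
}
/* RFC 768 checksum over the IPv4 pseudo-header and the UDP datagram: what
 * csum_tcpudp_magic(..., csum_partial(udph, datalen, 0)) computes in the patch.
 * Returns 0 when the datagram's own checksum field verifies. */
static uint16_t udp_csum(const uint8_t *saddr, const uint8_t *daddr,
                         const uint8_t *udp, size_t len)
{
    uint32_t s = sum16(saddr, 4, sum16(daddr, 4, 0));
    s += 17 + (uint32_t)len;                    /* pseudo-header: zero, IPPROTO_UDP, length */
    s = sum16(udp, len, s);
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}
/* The decision send_unreach() takes after the patch: 1 = an ICMP unreachable may
 * be generated, 0 = stay silent (not UDP, truncated, or checksum present but wrong). */
int udp_reject_may_reply(const uint8_t *pkt, size_t pktlen)
{
    if (pktlen < 20) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || pkt[9] != 17 || pktlen < ihl + 8) return 0;
    const uint8_t *udp = pkt + ihl;
    size_t datalen = pktlen - ihl;              /* skb_in->len - (iph->ihl << 2) */
    uint16_t check = (uint16_t)(udp[6] << 8 | udp[7]);
    if (check == 0) return 1;                   /* sender disabled the checksum: nothing to verify */
    return udp_csum(pkt + 12, pkt + 16, udp, datalen) == 0;
}
/* Constructed sample: IPv4 10.0.0.1 -> 10.0.0.2, UDP 40000 -> 53, payload "hello". */
size_t build_sample(uint8_t *pkt, int good_checksum)
{
    static const uint8_t hdr[] = {
        0x45,0x00,0x00,0x21, 0x00,0x00,0x40,0x00, 0x40,0x11,0x00,0x00, 10,0,0,1, 10,0,0,2,
        0x9c,0x40, 0x00,0x35, 0x00,0x0d, 0x00,0x00, 'h','e','l','l','o' };
    memcpy(pkt, hdr, sizeof hdr);
    uint16_t c = udp_csum(pkt + 12, pkt + 16, pkt + 20, 13);   /* check field is 0 here */
    if (c == 0) c = 0xffff;                     /* RFC 768: a computed zero is sent as 0xffff */
    if (!good_checksum) c ^= 0x0001;            /* simulate a corrupted datagram */
    pkt[26] = (uint8_t)(c >> 8); pkt[27] = (uint8_t)(c & 0xff);
    return sizeof hdr;
}
```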
* [PATCH] ipt_REJECT shouldn't send replies for wrong udp csum
@ 2003-01-09 14:47 Harald Welte
From: Harald Welte @ 2003-01-09 14:47 UTC (permalink / raw)
To: David Miller; +Cc: Netfilter Development Mailinglist
Hi Dave!
This is another patch of the series of patches you will receive from me today.
Please apply to 2.4.x and 2.5.x, thanks.
Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
As 2.4.20 came out with newnat included, there were several reports on
excessive logging of reused FTP expectations.
The patch fixes the problem by separating the two possible cases:
when the conntrack helper is registered with the reuse flag enabled, then
the logging is converted to debugging (not enabled by default), otherwise
the logging is kept to notify the admin on the violation of the given protocol.
diff -Nru --exclude .depend --exclude *.o --exclude *.ver --exclude .*.flags --exclude *.orig --exclude *.rej --exclude *~ linux-2.4.20-plain/net/ipv4/netfilter/ip_conntrack_core.c linux-2.4.20-ftp/net/ipv4/netfilter/ip_conntrack_core.c
--- linux-2.4.20-plain/net/ipv4/netfilter/ip_conntrack_core.c Fri Nov 29 00:53:15 2002
+++ linux-2.4.20-ftp/net/ipv4/netfilter/ip_conntrack_core.c Tue Jan 7 19:43:29 2003
@@ -966,23 +966,28 @@
related_to->expecting >= related_to->helper->max_expected) {
struct list_head *cur_item;
/* old == NULL */
- if (net_ratelimit())
- printk(KERN_WARNING
- "ip_conntrack: max number of expected "
- "connections %i of %s reached for "
- "%u.%u.%u.%u->%u.%u.%u.%u%s\n",
- related_to->helper->max_expected,
- related_to->helper->name,
- NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip),
- NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip),
- related_to->helper->flags & IP_CT_HELPER_F_REUSE_EXPECT ?
- ", reusing" : "");
if (!(related_to->helper->flags &
IP_CT_HELPER_F_REUSE_EXPECT)) {
WRITE_UNLOCK(&ip_conntrack_lock);
+ if (net_ratelimit())
+ printk(KERN_WARNING
+ "ip_conntrack: max number of expected "
+ "connections %i of %s reached for "
+ "%u.%u.%u.%u->%u.%u.%u.%u\n",
+ related_to->helper->max_expected,
+ related_to->helper->name,
+ NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip),
+ NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip));
return -EPERM;
}
-
+ DEBUGP("ip_conntrack: max number of expected "
+ "connections %i of %s reached for "
+ "%u.%u.%u.%u->%u.%u.%u.%u, reusing\n",
+ related_to->helper->max_expected,
+ related_to->helper->name,
+ NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip),
+ NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip));
+
/* choose the the oldest expectation to evict */
list_for_each(cur_item, &related_to->sibling_list) {
struct ip_conntrack_expect *cur;
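Review bot: the relocated `+ if (net_ratelimit())` printk now runs after `WRITE_UNLOCK(&ip_conntrack_lock);` yet still dereferences `related_to->helper->max_expected`, `related_to->helper->name` and the original-direction tuples. If the lock was what kept `related_to->helper` stable against concurrent helper unregistration, copy those values before the unlock (or emit the message before it); if the caller's own reference on `related_to` makes this safe, a short comment saying so would spare the next reader the same question. Logging outside the lock is otherwise the right direction. The `DEBUGP(...)` in the reuse branch has no rate limit, which is acceptable only as long as it stays compiled out by default, as the cover text states.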
* Re: [PATCH] ipt_REJECT shouldn't send replies for wrong udp csum
@ 2003-01-10 8:55 ` David S. Miller
From: David S. Miller @ 2003-01-10 8:55 UTC (permalink / raw)
To: laforge; +Cc: netfilter-devel
From: Harald Welte <laforge@gnumonks.org>
Date: Thu, 9 Jan 2003 15:47:50 +0100
Please apply to 2.4.x and 2.5.x, thanks.
Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
As 2.4.20 came out with newnat included, there were several reports on
excessive logging of reused FTP expectations.
Applied, but watch those subject lines :-)