From: Phil Oester <kernel@linuxace.com>
To: Patrick McHardy <kaber@trash.net>
Cc: Harald Welte <laforge@netfilter.org>,
Rusty Russell <rusty@rustcorp.com.au>,
netfilter-devel@lists.netfilter.org
Subject: Re: [PATCH] Fix NAT TCP sequence adjustment
Date: Mon, 4 Apr 2005 13:47:16 -0700 [thread overview]
Message-ID: <20050404204716.GA4067@linuxace.com> (raw)
In-Reply-To: <4250FA72.3020502@trash.net>
On Mon, Apr 04, 2005 at 10:27:30AM +0200, Patrick McHardy wrote:
> So in conclusion it seems simply doing "seq -= this_way->offset_after"
> without the seq != this_way->correction_pos check handles all cases
> correctly. Please someone verify I didn't make a mistake. I think a
> comment explaining the cases would also be appropriate.
I think you are only thinking in terms of positive sizediff, while this
is not always the case. Perhaps easiest to explain by observed example.
ip_nat_seq_adjust: seq 467631623 after co_pos 467631577
Adjusting sequence number from 467631623->467631622
...
ip_nat_mangle_packet: Shrinking packet by 1 from 66 bytes
adjust_tcp_sequence: sizediff = -1
adjust_tcp_sequence: Seq_offset before: offset_before=0,
offset_after=-1, correction_pos=467631577
adjust_tcp_sequence: Seq_offset after: offset_before=-1,
offset_after=-2, correction_pos=467631623
Given the above, assume we now receive a retransmit of this packet.
467631623 will have offset_before added to it by ip_nat_seq_adjust,
becoming 467631622. It will then have offset_after subtracted from
it in adjust_tcp_sequence, making it 467631624, which will then
cause a false positive on the before() test.
If we change the example above to a positive sizediff:
ip_nat_seq_adjust: seq 467631623 after co_pos 467631577
Adjusting sequence number from 467631623->467631624
...
ip_nat_mangle_packet: Extending packet by 1 from 66 bytes
adjust_tcp_sequence: sizediff = 1
adjust_tcp_sequence: Seq_offset before: offset_before=0,
offset_after=1, correction_pos=467631577
adjust_tcp_sequence: Seq_offset after: offset_before=1,
offset_after=2, correction_pos=467631623
Assuming a retransmit in this example,
467631623 will have offset_before added to it by ip_nat_seq_adjust,
becoming 467631624. It will then have offset_after subtracted from
it in adjust_tcp_sequence, making it 467631622 which will correctly
evaluate as being before correction_pos.
So as it stands, only retransmits on positive sizediff are handled
properly. But my original check to compensate for this was flawed,
since seq != correction_pos when entering adjust_tcp_sequence - but
it does seem clear we cannot blindly -= offset_after.
I think this will handle all permutations, since it essentially
reverses ip_nat_seq_adjust's adjustment before checking for retransmit.
if (seq - this_way->offset_before != this_way->correction_pos) {
seq -= this_way->offset_after;
if (this_way->offset_before == this_way->offset_after
|| before(this_way->correction_pos, seq)) {
this_way->correction_pos = seq;
this_way->offset_before = this_way->offset_after;
this_way->offset_after += sizediff;
}
}
Ack?
Phil
next prev parent reply other threads:[~2005-04-04 20:47 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-04-02 20:24 [PATCH] Fix NAT TCP sequence adjustment Phil Oester
2005-04-03 12:26 ` Milos Wimmer
2005-04-03 19:26 ` Patrick McHardy
2005-04-03 23:53 ` Phil Oester
2005-04-04 4:40 ` Phil Oester
2005-04-04 8:27 ` Patrick McHardy
2005-04-04 20:47 ` Phil Oester [this message]
2005-04-05 7:32 ` Patrick McHardy
2005-04-05 13:33 ` Patch lifetime " Amin Azez
2005-04-10 20:49 ` Harald Welte
2005-04-06 4:48 ` Phil Oester
2005-04-18 1:42 ` Patrick McHardy
2005-04-19 0:58 ` Phil Oester
2005-04-20 15:03 ` Patrick McHardy
2005-04-20 15:53 ` Phil Oester
2005-04-20 16:07 ` Patrick McHardy
2005-04-20 17:24 ` Phil Oester
2005-04-20 17:50 ` Patrick McHardy
2005-04-20 18:25 ` Phil Oester
2005-04-20 21:39 ` Martijn Lievaart
2005-04-21 1:41 ` Patrick McHardy
2005-04-21 1:38 ` Patrick McHardy
2005-04-21 12:31 ` Milos Wimmer
2005-04-21 12:32 ` Patrick McHardy
2005-04-21 13:31 ` Jonas Berlin
2005-04-21 23:01 ` Patrick McHardy
2005-04-27 0:44 ` Rusty Russell
2005-04-27 10:27 ` Patrick McHardy
2005-05-31 9:17 ` Rusty Russell
2005-05-31 13:02 ` Patrick McHardy
2005-05-31 13:48 ` Rusty Russell
2005-05-31 14:35 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050404204716.GA4067@linuxace.com \
--to=kernel@linuxace.com \
--cc=kaber@trash.net \
--cc=laforge@netfilter.org \
--cc=netfilter-devel@lists.netfilter.org \
--cc=rusty@rustcorp.com.au \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.