From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Pete Holland <pholland27@gmail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 1/1] netfilter: conntrack: make call to nf_log_packet due to helper rejection conditional on LOG_INVALID (resubmit)
Date: Sun, 4 Dec 2011 23:49:46 +0100
Message-ID: <20111204224946.GC28125@1984>
In-Reply-To: <CANtneHLYOANXQ432me_htXrMcQkv-WVpNYTrwmxAjc2gV68iPA@mail.gmail.com>
Hi Peter,
On Fri, Dec 02, 2011 at 09:37:04AM -0800, Pete Holland wrote:
> From: Peter Holland <pholland27@gmail.com>
>
> Make the logging of dropped packets due to ct helper rejection
> conditional on LOG_INVALID.
> This is consistent with the other uses of nf_log_packet.
> Use protocol from conntrack tuple (original direction).
> Without this check, there is a possible DoS based on traffic induced
> log generation.
> (specifically this was noted in the wild by an attacker against the SIP helper)
>
> Signed-off-by: Peter Holland <pholland27@gmail.com>
> ---
> --- net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c.orig 2011-11-29
> 11:34:36.683717278 -0800
> +++ net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c 2011-12-02
> 09:32:00.727064563 -0800
> @@ -116,8 +116,10 @@ static unsigned int ipv4_confirm(unsigne
> ret = helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb),
> ct, ctinfo);
> if (ret != NF_ACCEPT) {
> - nf_log_packet(NFPROTO_IPV4, hooknum, skb, in, out, NULL,
> - "nf_ct_%s: dropping packet", helper->name);
> + if (LOG_INVALID(nf_ct_net(ct),
> + ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum))
You can use nf_ct_protonum here.
> + nf_log_packet(NFPROTO_IPV4, hooknum, skb, in, out, NULL,
> + "nf_ct_%s: dropping packet", helper->name);
> return ret;
> }
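Review bot: the new guard at `+ if (LOG_INVALID(nf_ct_net(ct),` reaches into `ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum` by hand; the `nf_ct_protonum(ct)` accessor returns exactly that field, matches how the rest of the conntrack code reads it, and would let the commit message drop the line "Use protocol from conntrack tuple (original direction)". Since `nf_ct_net(ct)` is now evaluated here as well as elsewhere in `ipv4_confirm`, a single `struct net *net = nf_ct_net(ct);` declared at the top of the function and passed to `LOG_INVALID(net, ...)` reads cleaner. Separately, the file header `--- net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c.orig` shows the diff was taken against a `.orig` copy rather than produced by `git format-patch`, so it lacks the `a/` and `b/` prefixes that `git am` expects with its default `-p1`; regenerating it from git avoids that.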
Below you can find:
    /* adjust seqs for loopback traffic only in outgoing direction */
    if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status) &&
        !nf_is_loopback_packet(skb)) {
        typeof(nf_nat_seq_adjust_hook) seq_adjust;

        seq_adjust = rcu_dereference(nf_nat_seq_adjust_hook);
        if (!seq_adjust || !seq_adjust(skb, ct, ctinfo)) {
            NF_CT_STAT_INC_ATOMIC(nf_ct_net(ct), drop);
                                  ^^^^^^^^^^^^
Please, declare in ipv4_confirm:
struct net *net = nf_ct_net(ct);
And use the net pointer in that function.
Same thing for the IPv6 side.
Thank you.
Thread overview:
2011-12-02 17:37 [PATCH 1/1] netfilter: conntrack: make call to nf_log_packet due to helper rejection conditional on LOG_INVALID (resubmit) Pete Holland
2011-12-04 22:49 ` Pablo Neira Ayuso [this message]
2011-12-05 18:09 ` Pete Holland
2011-12-05 22:37 ` Pablo Neira Ayuso