From: Tim Burress <tim@variosecure.net>
To: netfilter-devel@lists.netfilter.org
Subject: Re: Handling Port-Unreachable Response to UDP
Date: Tue, 29 Jul 2003 13:04:08 +0900 [thread overview]
Message-ID: <3F25F238.3000902@variosecure.net> (raw)
In-Reply-To: 1059403723.12254.10.camel@henrik.marasystems.com
Henrik Nordstrom wrote:
>mån 2003-07-28 klockan 15.52 skrev Tim Burress:
>
>
>
>>We've been looking at a problem in which a client sends a UDP packet to
>>a server on an unused port. This generates an ICMP port-unreachable
>>packet (as usual), but we find that this same ICMP packet can then be
>>replayed back to the client over and over. Apparently it gets through
>>netfilter because our standard rules allow RELATED traffic.
>>
>>
>
>Explain the context of "replayed back to the client over and over".
>
In a test of one of our systems, an engineer set up a scenario in which
a client and server machine were connected via a firewall running
iptables/netfilter. The client sends a UDP packet to an unused port on
the server, and the server responds with ICMP port-unreachable. This
packet is captured on the server side and then replayed back to the
client machine, passing safely through the firewall until the conntrack
associated with the original UDP "session" times out. Thus there are
really two issues, (1) the fact that multiple ICMP error messages pass
through in response to single "stimulus" packet, and (2) the fact that
replayed packets are getting through at all. We need to investigate the
second issue further, but the first one prompted some discussion. We
seem to be in a gray area since (as far as we know) there are no
standards governing how sessions consisting entirely of connectionless
protocols should respond to ICMP error messages. It seemed like deleting
the conntrack record for the UDP session might be worthwhile because it
closes off the possibility of flooding the client with ICMP error
messages, but it sounds like people are more concerned about the
overhead of setting up and tearing down conntrack records if the client
sends multiple UDP packets.
We're curious enough about this to benchmark it, though, so I was just
wondering what the proper procedure is to destroy a conntrack record. I
see several entrypoints in ip_conntrack_core.c that look promising, but
it's hard to tell what calls what sometimes when function pointers are
embedded in structures. Is it enough just to call destroy_conntrack() or
do we need to call clean_from_lists() first? Or is there a better way?
I'm not yet clear on how the data structures relate to each other.
Thanks for your replies!
Tim
next prev parent reply other threads:[~2003-07-29 4:04 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-07-28 13:52 Handling Port-Unreachable Response to UDP Tim Burress
2003-07-28 14:48 ` Henrik Nordstrom
2003-07-28 15:20 ` Maciej Soltysiak
2003-07-28 23:00 ` Henrik Nordstrom
2003-07-29 4:04 ` Tim Burress [this message]
2003-07-28 16:19 ` Michael Richardson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3F25F238.3000902@variosecure.net \
--to=tim@variosecure.net \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.