* [NETFILTER]: tcp_conntrack: accept RST|PSH as valid
@ 2007-03-11 10:19 Willy Tarreau
2007-03-11 10:19 ` [NETFILTER]: tcp_conntrack: factorize out the PUSH flag Willy Tarreau
2007-03-11 17:43 ` [NETFILTER]: tcp_conntrack: accept RST|PSH as valid Pablo Neira Ayuso
0 siblings, 2 replies; 6+ messages in thread
From: Willy Tarreau @ 2007-03-11 10:19 UTC (permalink / raw)
To: netfilter-devel, kaber; +Cc: davem
This combination has been encountered on an IBM AS/400 in response
to packets sent to a closed session. There is no particular reason
to mark it invalid.
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
net/ipv4/netfilter/ip_conntrack_proto_tcp.c | 1 +
net/netfilter/nf_conntrack_proto_tcp.c | 1 +
2 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
index 0a72eab..918205f 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
@@ -818,6 +818,7 @@ static const u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1
[TH_SYN|TH_ACK] = 1,
[TH_SYN|TH_ACK|TH_PUSH] = 1,
[TH_RST] = 1,
+ [TH_RST|TH_PUSH] = 1,
[TH_RST|TH_ACK] = 1,
[TH_RST|TH_ACK|TH_PUSH] = 1,
[TH_FIN|TH_ACK] = 1,
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 153d661..b51afd3 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -775,6 +775,7 @@ static u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1] =
[TH_SYN|TH_ACK] = 1,
[TH_SYN|TH_ACK|TH_PUSH] = 1,
[TH_RST] = 1,
+ [TH_RST|TH_PUSH] = 1,
[TH_RST|TH_ACK] = 1,
[TH_RST|TH_ACK|TH_PUSH] = 1,
[TH_FIN|TH_ACK] = 1,
--
1.5.0.3
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [NETFILTER]: tcp_conntrack: factorize out the PUSH flag
2007-03-11 10:19 [NETFILTER]: tcp_conntrack: accept RST|PSH as valid Willy Tarreau
@ 2007-03-11 10:19 ` Willy Tarreau
2007-03-13 15:50 ` Patrick McHardy
2007-03-11 17:43 ` [NETFILTER]: tcp_conntrack: accept RST|PSH as valid Pablo Neira Ayuso
1 sibling, 1 reply; 6+ messages in thread
From: Willy Tarreau @ 2007-03-11 10:19 UTC (permalink / raw)
To: netfilter-devel, kaber; +Cc: davem
The PUSH flag is accepted with every other valid combination.
Let's get it out of the tcp_valid_flags table and reduce the
number of combinations we have to handle. This does not
significantly reduce the table size however (8 bytes).
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
net/ipv4/netfilter/ip_conntrack_proto_tcp.c | 17 ++++-------------
net/netfilter/nf_conntrack_proto_tcp.c | 17 ++++-------------
2 files changed, 8 insertions(+), 26 deletions(-)
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
index 918205f..4a09b3c 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
@@ -808,27 +808,18 @@ void ip_conntrack_tcp_update(struct sk_buff *skb,
#define TH_ECE 0x40
#define TH_CWR 0x80
-/* table of valid flag combinations - ECE and CWR are always valid */
-static const u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1] =
+/* table of valid flag combinations - PUSH, ECE and CWR are always valid */
+static const u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) + 1] =
{
[TH_SYN] = 1,
- [TH_SYN|TH_PUSH] = 1,
[TH_SYN|TH_URG] = 1,
- [TH_SYN|TH_PUSH|TH_URG] = 1,
[TH_SYN|TH_ACK] = 1,
- [TH_SYN|TH_ACK|TH_PUSH] = 1,
[TH_RST] = 1,
- [TH_RST|TH_PUSH] = 1,
[TH_RST|TH_ACK] = 1,
- [TH_RST|TH_ACK|TH_PUSH] = 1,
[TH_FIN|TH_ACK] = 1,
+ [TH_FIN|TH_ACK|TH_URG] = 1,
[TH_ACK] = 1,
- [TH_ACK|TH_PUSH] = 1,
[TH_ACK|TH_URG] = 1,
- [TH_ACK|TH_URG|TH_PUSH] = 1,
- [TH_FIN|TH_ACK|TH_PUSH] = 1,
- [TH_FIN|TH_ACK|TH_URG] = 1,
- [TH_FIN|TH_ACK|TH_URG|TH_PUSH] = 1,
};
/* Protect conntrack agaist broken packets. Code taken from ipt_unclean.c. */
@@ -873,7 +864,7 @@ static int tcp_error(struct sk_buff *skb,
}
/* Check TCP flags. */
- tcpflags = (((u_int8_t *)th)[13] & ~(TH_ECE|TH_CWR));
+ tcpflags = (((u_int8_t *)th)[13] & ~(TH_ECE|TH_CWR|TH_PUSH));
if (!tcp_valid_flags[tcpflags]) {
if (LOG_INVALID(IPPROTO_TCP))
nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index b51afd3..cac0a82 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -765,27 +765,18 @@ EXPORT_SYMBOL_GPL(nf_conntrack_tcp_update);
#define TH_ECE 0x40
#define TH_CWR 0x80
-/* table of valid flag combinations - ECE and CWR are always valid */
-static u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1] =
+/* table of valid flag combinations - PUSH, ECE and CWR are always valid */
+static u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) + 1] =
{
[TH_SYN] = 1,
- [TH_SYN|TH_PUSH] = 1,
[TH_SYN|TH_URG] = 1,
- [TH_SYN|TH_PUSH|TH_URG] = 1,
[TH_SYN|TH_ACK] = 1,
- [TH_SYN|TH_ACK|TH_PUSH] = 1,
[TH_RST] = 1,
- [TH_RST|TH_PUSH] = 1,
[TH_RST|TH_ACK] = 1,
- [TH_RST|TH_ACK|TH_PUSH] = 1,
[TH_FIN|TH_ACK] = 1,
+ [TH_FIN|TH_ACK|TH_URG] = 1,
[TH_ACK] = 1,
- [TH_ACK|TH_PUSH] = 1,
[TH_ACK|TH_URG] = 1,
- [TH_ACK|TH_URG|TH_PUSH] = 1,
- [TH_FIN|TH_ACK|TH_PUSH] = 1,
- [TH_FIN|TH_ACK|TH_URG] = 1,
- [TH_FIN|TH_ACK|TH_URG|TH_PUSH] = 1,
};
/* Protect conntrack agaist broken packets. Code taken from ipt_unclean.c. */
@@ -832,7 +823,7 @@ static int tcp_error(struct sk_buff *skb,
}
/* Check TCP flags. */
- tcpflags = (((u_int8_t *)th)[13] & ~(TH_ECE|TH_CWR));
+ tcpflags = (((u_int8_t *)th)[13] & ~(TH_ECE|TH_CWR|TH_PUSH));
if (!tcp_valid_flags[tcpflags]) {
if (LOG_INVALID(IPPROTO_TCP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
--
1.5.0.3
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [NETFILTER]: tcp_conntrack: accept RST|PSH as valid
2007-03-11 10:19 [NETFILTER]: tcp_conntrack: accept RST|PSH as valid Willy Tarreau
2007-03-11 10:19 ` [NETFILTER]: tcp_conntrack: factorize out the PUSH flag Willy Tarreau
@ 2007-03-11 17:43 ` Pablo Neira Ayuso
2007-03-13 15:51 ` Patrick McHardy
1 sibling, 1 reply; 6+ messages in thread
From: Pablo Neira Ayuso @ 2007-03-11 17:43 UTC (permalink / raw)
To: Willy Tarreau; +Cc: Jozsef Kadlecsik, netfilter-devel, kaber, davem
Bonjour Willy,
Willy Tarreau wrote:
> This combination has been encountered on an IBM AS/400 in response
> to packets sent to a closed session. There is no particular reason
> to mark it invalid.
I wonder if it is time to document this stuff. Would an interface to
configurate valid TCP flags settings from userspace be too much? Of
course, we would have a default configuration setup for them.
--
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [NETFILTER]: tcp_conntrack: factorize out the PUSH flag
2007-03-11 10:19 ` [NETFILTER]: tcp_conntrack: factorize out the PUSH flag Willy Tarreau
@ 2007-03-13 15:50 ` Patrick McHardy
0 siblings, 0 replies; 6+ messages in thread
From: Patrick McHardy @ 2007-03-13 15:50 UTC (permalink / raw)
To: Willy Tarreau; +Cc: netfilter-devel, davem
Willy Tarreau wrote:
> The PUSH flag is accepted with every other valid combination.
> Let's get it out of the tcp_valid_flags table and reduce the
> number of combinations we have to handle. This does not
> significantly reduce the table size however (8 bytes).
Thanks Willy, both applied. I edited out the ip_conntrack parts
since that is already removed in my 2.6.22 tree.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [NETFILTER]: tcp_conntrack: accept RST|PSH as valid
2007-03-11 17:43 ` [NETFILTER]: tcp_conntrack: accept RST|PSH as valid Pablo Neira Ayuso
@ 2007-03-13 15:51 ` Patrick McHardy
2007-03-13 16:19 ` Jan Engelhardt
0 siblings, 1 reply; 6+ messages in thread
From: Patrick McHardy @ 2007-03-13 15:51 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Jozsef Kadlecsik, netfilter-devel, Willy Tarreau, davem
Pablo Neira Ayuso wrote:
> I wonder if it is time to document this stuff. Would an interface to
> configurate valid TCP flags settings from userspace be too much? Of
> course, we would have a default configuration setup for them.
I don't think we need this. Flags are either valid for everyone or
for nobody.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [NETFILTER]: tcp_conntrack: accept RST|PSH as valid
2007-03-13 15:51 ` Patrick McHardy
@ 2007-03-13 16:19 ` Jan Engelhardt
0 siblings, 0 replies; 6+ messages in thread
From: Jan Engelhardt @ 2007-03-13 16:19 UTC (permalink / raw)
To: Patrick McHardy
Cc: davem, netfilter-devel, Willy Tarreau, Pablo Neira Ayuso,
Jozsef Kadlecsik
On Mar 13 2007 16:51, Patrick McHardy wrote:
>Pablo Neira Ayuso wrote:
>> I wonder if it is time to document this stuff. Would an interface to
>> configurate valid TCP flags settings from userspace be too much? Of
>> course, we would have a default configuration setup for them.
>
>I don't think we need this. Flags are either valid for everyone or
>for nobody.
I agree. If you do not want certain TCP flag combinations, use iptables -j
DROP, no?
Jan
--
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2007-03-13 16:19 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-03-11 10:19 [NETFILTER]: tcp_conntrack: accept RST|PSH as valid Willy Tarreau
2007-03-11 10:19 ` [NETFILTER]: tcp_conntrack: factorize out the PUSH flag Willy Tarreau
2007-03-13 15:50 ` Patrick McHardy
2007-03-11 17:43 ` [NETFILTER]: tcp_conntrack: accept RST|PSH as valid Pablo Neira Ayuso
2007-03-13 15:51 ` Patrick McHardy
2007-03-13 16:19 ` Jan Engelhardt
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.