* [NETFILTER]: tcp_conntrack: accept RST|PSH as valid @ 2007-03-11 10:19 Willy Tarreau 2007-03-11 10:19 ` [NETFILTER]: tcp_conntrack: factorize out the PUSH flag Willy Tarreau 2007-03-11 17:43 ` [NETFILTER]: tcp_conntrack: accept RST|PSH as valid Pablo Neira Ayuso 0 siblings, 2 replies; 6+ messages in thread From: Willy Tarreau @ 2007-03-11 10:19 UTC (permalink / raw) To: netfilter-devel, kaber; +Cc: davem This combination has been encountered on an IBM AS/400 in response to packets sent to a closed session. There is no particular reason to mark it invalid. Signed-off-by: Willy Tarreau <w@1wt.eu> --- net/ipv4/netfilter/ip_conntrack_proto_tcp.c | 1 + net/netfilter/nf_conntrack_proto_tcp.c | 1 + 2 files changed, 2 insertions(+), 0 deletions(-) diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c index 0a72eab..918205f 100644 --- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c +++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c @@ -818,6 +818,7 @@ static const u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1 [TH_SYN|TH_ACK] = 1, [TH_SYN|TH_ACK|TH_PUSH] = 1, [TH_RST] = 1, + [TH_RST|TH_PUSH] = 1, [TH_RST|TH_ACK] = 1, [TH_RST|TH_ACK|TH_PUSH] = 1, [TH_FIN|TH_ACK] = 1, diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index 153d661..b51afd3 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -775,6 +775,7 @@ static u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1] = [TH_SYN|TH_ACK] = 1, [TH_SYN|TH_ACK|TH_PUSH] = 1, [TH_RST] = 1, + [TH_RST|TH_PUSH] = 1, [TH_RST|TH_ACK] = 1, [TH_RST|TH_ACK|TH_PUSH] = 1, [TH_FIN|TH_ACK] = 1, -- 1.5.0.3 ^ permalink raw reply related [flat|nested] 6+ messages in thread
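Review bot: the entries in `tcp_valid_flags` carry no per-entry rationale, so the AS/400 observation that motivates the new `[TH_RST|TH_PUSH] = 1` line lives only in the commit message; put it in a comment next to the entry (or above the table) in both files so a later cleanup does not drop it. With this entry in place the table is consistent about PSH on resets, since `[TH_RST]`, `[TH_RST|TH_ACK]` and `[TH_RST|TH_ACK|TH_PUSH]` were already accepted and RST|PSH was the one combination left out. Both copies of the table (ip_conntrack and nf_conntrack) receive the identical change, which is required as long as the two files coexist.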
* [NETFILTER]: tcp_conntrack: factorize out the PUSH flag 2007-03-11 10:19 [NETFILTER]: tcp_conntrack: accept RST|PSH as valid Willy Tarreau @ 2007-03-11 10:19 ` Willy Tarreau 2007-03-13 15:50 ` Patrick McHardy 2007-03-11 17:43 ` [NETFILTER]: tcp_conntrack: accept RST|PSH as valid Pablo Neira Ayuso 1 sibling, 1 reply; 6+ messages in thread From: Willy Tarreau @ 2007-03-11 10:19 UTC (permalink / raw) To: netfilter-devel, kaber; +Cc: davem The PUSH flag is accepted with every other valid combination. Let's get it out of the tcp_valid_flags table and reduce the number of combinations we have to handle. This does not significantly reduce the table size however (8 bytes). Signed-off-by: Willy Tarreau <w@1wt.eu> --- net/ipv4/netfilter/ip_conntrack_proto_tcp.c | 17 ++++------------- net/netfilter/nf_conntrack_proto_tcp.c | 17 ++++------------- 2 files changed, 8 insertions(+), 26 deletions(-) diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c index 918205f..4a09b3c 100644 --- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c +++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 
@@ -808,27 +808,18 @@ void ip_conntrack_tcp_update(struct sk_buff *skb, #define TH_ECE 0x40 #define TH_CWR 0x80 -/* table of valid flag combinations - ECE and CWR are always valid */ -static const u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1] = +/* table of valid flag combinations - PUSH, ECE and CWR are always valid */ +static const u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) + 1] = { [TH_SYN] = 1, - [TH_SYN|TH_PUSH] = 1, [TH_SYN|TH_URG] = 1, - [TH_SYN|TH_PUSH|TH_URG] = 1, [TH_SYN|TH_ACK] = 1, - [TH_SYN|TH_ACK|TH_PUSH] = 1, [TH_RST] = 1, - [TH_RST|TH_PUSH] = 1, [TH_RST|TH_ACK] = 1, - [TH_RST|TH_ACK|TH_PUSH] = 1, [TH_FIN|TH_ACK] = 1, + [TH_FIN|TH_ACK|TH_URG] = 1, [TH_ACK] = 1, - [TH_ACK|TH_PUSH] = 1, [TH_ACK|TH_URG] = 1, - [TH_ACK|TH_URG|TH_PUSH] = 1, - [TH_FIN|TH_ACK|TH_PUSH] = 1, - [TH_FIN|TH_ACK|TH_URG] = 1, - [TH_FIN|TH_ACK|TH_URG|TH_PUSH] = 1, }; /* Protect conntrack agaist broken packets. Code taken from ipt_unclean.c. */ @@ -873,7 +864,7 @@ static int tcp_error(struct sk_buff *skb, } /* Check TCP flags. */ - tcpflags = (((u_int8_t *)th)[13] & ~(TH_ECE|TH_CWR)); + tcpflags = (((u_int8_t *)th)[13] & ~(TH_ECE|TH_CWR|TH_PUSH)); if (!tcp_valid_flags[tcpflags]) { if (LOG_INVALID(IPPROTO_TCP)) nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL, diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index b51afd3..cac0a82 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c 
@@ -765,27 +765,18 @@ EXPORT_SYMBOL_GPL(nf_conntrack_tcp_update); #define TH_ECE 0x40 #define TH_CWR 0x80 -/* table of valid flag combinations - ECE and CWR are always valid */ -static u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1] = +/* table of valid flag combinations - PUSH, ECE and CWR are always valid */ +static u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) + 1] = { [TH_SYN] = 1, - [TH_SYN|TH_PUSH] = 1, [TH_SYN|TH_URG] = 1, - [TH_SYN|TH_PUSH|TH_URG] = 1, [TH_SYN|TH_ACK] = 1, - [TH_SYN|TH_ACK|TH_PUSH] = 1, [TH_RST] = 1, - [TH_RST|TH_PUSH] = 1, [TH_RST|TH_ACK] = 1, - [TH_RST|TH_ACK|TH_PUSH] = 1, [TH_FIN|TH_ACK] = 1, + [TH_FIN|TH_ACK|TH_URG] = 1, [TH_ACK] = 1, - [TH_ACK|TH_PUSH] = 1, [TH_ACK|TH_URG] = 1, - [TH_ACK|TH_URG|TH_PUSH] = 1, - [TH_FIN|TH_ACK|TH_PUSH] = 1, - [TH_FIN|TH_ACK|TH_URG] = 1, - [TH_FIN|TH_ACK|TH_URG|TH_PUSH] = 1, }; /* Protect conntrack agaist broken packets. Code taken from ipt_unclean.c. */ @@ -832,7 +823,7 @@ static int tcp_error(struct sk_buff *skb, } /* Check TCP flags. */ - tcpflags = (((u_int8_t *)th)[13] & ~(TH_ECE|TH_CWR)); + tcpflags = (((u_int8_t *)th)[13] & ~(TH_ECE|TH_CWR|TH_PUSH)); if (!tcp_valid_flags[tcpflags]) { if (LOG_INVALID(IPPROTO_TCP)) nf_log_packet(pf, 0, skb, NULL, NULL, NULL, -- 1.5.0.3 ^ permalink raw reply related [flat|nested] 6+ messages in thread
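Review bot: the `- [TH_RST|TH_PUSH] = 1` line removed from both tables exists only once the preceding "accept RST|PSH as valid" patch is applied (the index lines 918205f..4a09b3c and b51afd3..cac0a82 show that patch as the base), so the two must go in that order; state the dependency in the commit message. The table rewrite is behaviour-preserving: every base combination kept in the new table (SYN, SYN|URG, SYN|ACK, RST, RST|ACK, FIN|ACK, FIN|ACK|URG, ACK, ACK|URG) appeared both with and without TH_PUSH in the old one, and `[TH_FIN|TH_ACK|TH_URG]` is moved up rather than dropped, which is easy to misread from the `+`/`-` lines. The new bound `(TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) + 1` is 56 entries against 64 before, matching the 8 bytes quoted in the commit message.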
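Review bot: the `tcp_error` hunks are what make the smaller table safe: with `~(TH_ECE|TH_CWR|TH_PUSH)` applied to byte 13 the index can never carry bit 0x08, so it stays below the new array bound; the table hunks alone would have left an index such as SYN|PUSH reading a zero entry and marking those packets invalid. Because the mask and the array size now have to agree, a single `#define` for the ignored bits, used in both the table bound and the mask, would keep them from drifting apart and would give the "PUSH, ECE and CWR are always valid" comment one source of truth. The unchanged context line "Protect conntrack agaist broken packets" carries a typo that could be fixed while touching this area.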
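As an added worked example (this is not kernel code and not part of the thread), the following C program reproduces both versions of the `tcp_valid_flags` lookup from the two patches above and checks exhaustively, over all 256 possible values of the TCP flags byte, that masking PUSH off before the lookup accepts exactly the same flag bytes as the expanded table did after the first patch. The TH_* values and both table bodies are copied from the hunks; the function names (`flags_valid_expanded`, `flags_valid_factored`, `tcp_header_flags_valid`, `count_disagreements`, `count_accepted`) and the constructed 20-byte header in `main` are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* TCP flag bits as laid out in byte 13 of the TCP header (same values
 * the conntrack code in the patches defines). */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40
#define TH_CWR  0x80

/* Table as it stands after the first patch (RST|PSH added) and before
 * PUSH is factored out: 64 entries, PUSH spelled out per combination. */
static const uint8_t valid_expanded[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1] = {
    [TH_SYN] = 1,
    [TH_SYN|TH_PUSH] = 1,
    [TH_SYN|TH_URG] = 1,
    [TH_SYN|TH_PUSH|TH_URG] = 1,
    [TH_SYN|TH_ACK] = 1,
    [TH_SYN|TH_ACK|TH_PUSH] = 1,
    [TH_RST] = 1,
    [TH_RST|TH_PUSH] = 1,
    [TH_RST|TH_ACK] = 1,
    [TH_RST|TH_ACK|TH_PUSH] = 1,
    [TH_FIN|TH_ACK] = 1,
    [TH_ACK] = 1,
    [TH_ACK|TH_PUSH] = 1,
    [TH_ACK|TH_URG] = 1,
    [TH_ACK|TH_URG|TH_PUSH] = 1,
    [TH_FIN|TH_ACK|TH_PUSH] = 1,
    [TH_FIN|TH_ACK|TH_URG] = 1,
    [TH_FIN|TH_ACK|TH_URG|TH_PUSH] = 1,
};

/* Table after the second patch: PUSH is masked off before the lookup,
 * so the array only needs (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) + 1 = 56
 * entries. */
static const uint8_t valid_factored[(TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) + 1] = {
    [TH_SYN] = 1,
    [TH_SYN|TH_URG] = 1,
    [TH_SYN|TH_ACK] = 1,
    [TH_RST] = 1,
    [TH_RST|TH_ACK] = 1,
    [TH_FIN|TH_ACK] = 1,
    [TH_FIN|TH_ACK|TH_URG] = 1,
    [TH_ACK] = 1,
    [TH_ACK|TH_URG] = 1,
};

/* Check as it was before the second patch: only ECE and CWR ignored.
 * The mask keeps the index at or below 0x3F, inside the 64-entry table. */
int flags_valid_expanded(uint8_t flags)
{
    return valid_expanded[flags & ~(TH_ECE|TH_CWR)];
}

/* Check after the second patch: ECE, CWR and PUSH ignored.
 * The mask keeps the index at or below 0x37, inside the 56-entry table. */
int flags_valid_factored(uint8_t flags)
{
    return valid_factored[flags & ~(TH_ECE|TH_CWR|TH_PUSH)];
}

/* Apply the post-patch check to a raw TCP header; hdr must be at least
 * 14 bytes long, with the flags in byte 13 as in tcp_error(). */
int tcp_header_flags_valid(const uint8_t *hdr)
{
    return flags_valid_factored(hdr[13]);
}

/* Compare the two checks over every possible flags byte; returns how
 * many values they disagree on (0 means the rewrite is equivalent). */
int count_disagreements(void)
{
    int n = 0;
    for (int f = 0; f < 256; f++)
        if (flags_valid_expanded((uint8_t)f) != flags_valid_factored((uint8_t)f))
            n++;
    return n;
}

/* Count how many of the 256 flag bytes a given check accepts. */
int count_accepted(int (*check)(uint8_t))
{
    int n = 0;
    for (int f = 0; f < 256; f++)
        n += check((uint8_t)f) ? 1 : 0;
    return n;
}

int main(void)
{
    /* Constructed 20-byte TCP header carrying RST|PSH, the AS/400 case
     * from the first patch; all other fields are zero. */
    uint8_t hdr[20] = {0};
    hdr[12] = 5 << 4;            /* data offset: 5 32-bit words */
    hdr[13] = TH_RST | TH_PUSH;

    printf("RST|PSH accepted: %d\n", tcp_header_flags_valid(hdr));
    printf("table sizes: expanded=%zu factored=%zu\n",
           sizeof valid_expanded, sizeof valid_factored);
    printf("disagreements over all 256 flag bytes: %d\n", count_disagreements());
    printf("flag bytes accepted: %d\n", count_accepted(flags_valid_factored));
    return 0;
}
```

Each of the nine base combinations is accepted with or without PUSH and with any of the four ECE/CWR settings, so both checks accept 72 of the 256 flag bytes and differ on none; a combination such as SYN|RST or an all-zero flags byte is rejected by both.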
* Re: [NETFILTER]: tcp_conntrack: factorize out the PUSH flag
From: Patrick McHardy @ 2007-03-13 15:50 UTC
To: Willy Tarreau; +Cc: netfilter-devel, davem

Willy Tarreau wrote:
> The PUSH flag is accepted with every other valid combination.
> Let's get it out of the tcp_valid_flags table and reduce the
> number of combinations we have to handle. This does not
> significantly reduce the table size however (8 bytes).

Thanks Willy, both applied. I edited out the ip_conntrack parts since
that is already removed in my 2.6.22 tree.
* Re: [NETFILTER]: tcp_conntrack: accept RST|PSH as valid
From: Pablo Neira Ayuso @ 2007-03-11 17:43 UTC
To: Willy Tarreau; +Cc: Jozsef Kadlecsik, netfilter-devel, kaber, davem

Hello Willy,

Willy Tarreau wrote:
> This combination has been encountered on an IBM AS/400 in response
> to packets sent to a closed session. There is no particular reason
> to mark it invalid.

I wonder if it is time to document this stuff. Would an interface to
configure valid TCP flags settings from userspace be too much? Of
course, we would have a default configuration setup for them.

--
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris
* Re: [NETFILTER]: tcp_conntrack: accept RST|PSH as valid
From: Patrick McHardy @ 2007-03-13 15:51 UTC
To: Pablo Neira Ayuso; +Cc: Jozsef Kadlecsik, netfilter-devel, Willy Tarreau, davem

Pablo Neira Ayuso wrote:
> I wonder if it is time to document this stuff. Would an interface to
> configure valid TCP flags settings from userspace be too much? Of
> course, we would have a default configuration setup for them.

I don't think we need this. Flags are either valid for everyone or
for nobody.
* Re: [NETFILTER]: tcp_conntrack: accept RST|PSH as valid
From: Jan Engelhardt @ 2007-03-13 16:19 UTC
To: Patrick McHardy
Cc: davem, netfilter-devel, Willy Tarreau, Pablo Neira Ayuso, Jozsef Kadlecsik

On Mar 13 2007 16:51, Patrick McHardy wrote:
>Pablo Neira Ayuso wrote:
>> I wonder if it is time to document this stuff. Would an interface to
>> configure valid TCP flags settings from userspace be too much? Of
>> course, we would have a default configuration setup for them.
>
>I don't think we need this. Flags are either valid for everyone or
>for nobody.

I agree. If you do not want certain TCP flag combinations, use
iptables -j DROP, no?

Jan