From: Patrick McHardy <kaber@trash.net>
To: Pete Holland <pholland27@gmail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 1/1] netfilter: conntrack: make call to nf_log_packet due to helper rejection conditional on LOG_INVALID
Date: Wed, 30 Nov 2011 19:55:42 +0100
Message-ID: <4ED67C2E.3050309@trash.net>
In-Reply-To: <CANtneHJMLjvP_ZwzO8JmS7zn_xuWCoXOQs6jQzY_4V0+=Z+uYg@mail.gmail.com>
On 11/30/2011 07:35 PM, Pete Holland wrote:
> Sorry, that should be
> ct->tuplehash[IP_CT_ORIGINAL].tuple.src.l3num
I'd prefer that to the IPPROTO_RAW usage.
> On Wed, Nov 30, 2011 at 10:33 AM, Pete Holland<pholland27@gmail.com> wrote:
>> It occurred to me that I should be able to extract the protocol number
>> from the tuplehash in struct nf_conn. The original
>> direction tuple should always be there, and I could get it from there.
>>
>> So instead of using IPPROTO_RAW, I could use
>> ct->tuplehash[IP_CT_ORIGINAL].src.l3num
>>
>> I'm still pretty new to the netfilter code, so any thoughts are
>> greatly appreciated.
>>
>> On Tue, Nov 29, 2011 at 12:08 PM, Pete Holland<pholland27@gmail.com> wrote:
>>> From: Peter Holland<pholland27@gmail.com>
>>>
>>> Make the logging of dropped packets due to ct helper rejection
>>> conditional on LOG_INVALID.
>>> This is consistent with the other uses of nf_log_packet.
>>> Use the IPPROTO_RAW filter since it is unclear based on the caller
>>> what protocol it actually is.
>>> Without this check, there is a possible DoS based on traffic induced
>>> log generation.
>>> (specifically this was noted in the wild by an attacker against the SIP helper)
>>>
>>> Signed-off-by: Peter Holland<pholland27@gmail.com>