From mboxrd@z Thu Jan 1 00:00:00 1970
From: JC
Subject: Re: tcp match silently drops packets
Date: Mon, 17 Oct 2005 16:57:00 +0300
Message-ID:
References: <4349D97A.9070708@snapgear.com>
 <200510160751.j9G7ph5t009316@toshiba.co.jp>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: Netfilter Developers
Return-path:
To: Henrik Nordstrom
In-Reply-To:
Content-Disposition: inline
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: netfilter-devel-bounces@lists.netfilter.org
Errors-To: netfilter-devel-bounces@lists.netfilter.org
List-Id: netfilter-devel.vger.kernel.org

On 17/10/05, Henrik Nordstrom wrote:
> On Mon, 17 Oct 2005, JC wrote:
>
> >> For the exact same reason the match also hotdrops fragments which would
> >> overwrite the TCP header.
> >>
> >> In theory just the second criterion is a must (drop fragments which could
> >> override an earlier decision), but as it's there the first also makes
> >> sense to drop the first as we cannot allow a fragment filling in the
> >> missing pieces.
> >
> > Could someone please explain these two?
>
> An IP fragment with offset 1 can overwrite parts of the TCP header, and if
> this check is not there an attacker could bypass port matches in iptables
> by sending the packet in two fragments where the first fragment (which is
> used by the tcp match) has ports which are allowed by the ruleset and later
> the second fragment (which is ignored by the tcp match) overwrites the
> port numbers with ports which would not be allowed by the ruleset.

and that doesn't get picked up by conntrack as a different connection??
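The following is an added example written for this archive page; it is not code from the thread or from the netfilter sources. It models the two behaviours Henrik describes: the tcp match inspects only the first fragment (a non-first fragment never matches), and a fragment at offset 1 is hotdropped. Offset 1 means byte 8 of the IP payload, so an 8-byte fragment there lands on TCP header bytes 8..15: acknowledgement number, data offset, flags and window. The scenario, the packet layouts, the rule "-p tcp --dport 80 --syn -j DROP" and the "later fragment wins" reassembly policy are all constructed assumptions for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not kernel code: a model of the fragment handling in the
 * iptables tcp match and of the overlap it defends against. */
enum verdict { NOMATCH = 0, MATCH = 1, HOTDROP = 2 };
enum { TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04, TCP_ACK = 0x10, IP_MF = 0x20 };
#define SYN_MASK (TCP_SYN | TCP_RST | TCP_ACK | TCP_FIN)  /* what "--syn" compares against */

static unsigned ip_ihl(const uint8_t *ip)      { return (ip[0] & 0x0fu) * 4u; }
static unsigned ip_frag_off(const uint8_t *ip) { return ((ip[6] & 0x1fu) << 8) | ip[7]; } /* 8-byte units */

/* Verdict of "-p tcp --dport <dport> --tcp-flags <mask> <cmp>" on one fragment.
 * A non-first fragment never matches, and a fragment at offset 1 is hotdropped
 * because its bytes would land on TCP header bytes 8..15 (ack number, data
 * offset, flags, window), which a later fragment must not be allowed to change. */
enum verdict tcp_match(const uint8_t *pkt, size_t len,
                       uint16_t dport, uint8_t flags_mask, uint8_t flags_cmp)
{
    if (len < 20) return HOTDROP;                 /* truncated IP header */
    unsigned off = ip_frag_off(pkt);
    if (off) {
        if (off == 1) return HOTDROP;             /* would overwrite the TCP header */
        return NOMATCH;                           /* only the first fragment is inspected */
    }
    unsigned ihl = ip_ihl(pkt);
    if (len < ihl + 20) return HOTDROP;           /* truncated TCP header */
    const uint8_t *th = pkt + ihl;
    if ((unsigned)((th[2] << 8) | th[3]) != dport) return NOMATCH;
    if ((th[13] & flags_mask) != flags_cmp) return NOMATCH;
    return MATCH;
}

/* Constructed 20-byte IPv4 header (no options) for a TCP fragment. */
static size_t build_ip(uint8_t *buf, unsigned frag_off, int more, size_t payload_len)
{
    memset(buf, 0, 20);
    buf[0] = 0x45;                                /* version 4, IHL 5 */
    buf[2] = (uint8_t)((20 + payload_len) >> 8);
    buf[3] = (uint8_t)(20 + payload_len);
    buf[6] = (uint8_t)((more ? IP_MF : 0) | ((frag_off >> 8) & 0x1f));
    buf[7] = (uint8_t)frag_off;
    buf[9] = 6;                                   /* protocol = TCP */
    return 20;
}

/* First fragment: a full 20-byte TCP header whose flags pass the ruleset. */
static size_t build_first_fragment(uint8_t *buf, uint16_t dport, uint8_t flags)
{
    uint8_t *th = buf + build_ip(buf, 0, 1, 20);
    memset(th, 0, 20);
    th[0] = 0x9c; th[1] = 0x40;                   /* sport 40000 */
    th[2] = (uint8_t)(dport >> 8); th[3] = (uint8_t)dport;
    th[12] = 0x50;                                /* data offset 5 words */
    th[13] = flags;
    th[14] = 0xff; th[15] = 0xff;                 /* window */
    return 40;
}

/* Second fragment at offset 1: 8 bytes that replace TCP header bytes 8..15. */
static size_t build_offset1_fragment(uint8_t *buf, uint8_t flags)
{
    uint8_t *p = buf + build_ip(buf, 1, 0, 8);
    memset(p, 0, 8);
    p[4] = 0x50;                                  /* data offset again */
    p[5] = flags;                                 /* attacker's flags replace the original */
    p[6] = 0xff; p[7] = 0xff;
    return 28;
}

/* Reassembler in which the later fragment overwrites overlapping bytes (one of
 * several policies real stacks use; assumed here). Returns the segment length. */
static size_t reassemble_last_wins(const uint8_t *f0, size_t l0,
                                   const uint8_t *f1, size_t l1, uint8_t *out)
{
    size_t p0 = l0 - ip_ihl(f0), p1 = l1 - ip_ihl(f1), start1 = ip_frag_off(f1) * 8;
    memcpy(out, f0 + ip_ihl(f0), p0);
    memcpy(out + start1, f1 + ip_ihl(f1), p1);
    return start1 + p1 > p0 ? start1 + p1 : p0;
}

/* Scenario: ruleset "-p tcp --dport 80 --syn -j DROP". First fragment carries
 * the given flags; TCP_ACK looks like an established flow and is NOMATCH,
 * TCP_SYN is MATCH and would be dropped by the rule. */
enum verdict demo_first_fragment_verdict(uint8_t flags)
{
    uint8_t f0[64];
    size_t l0 = build_first_fragment(f0, 80, flags);
    return tcp_match(f0, l0, 80, SYN_MASK, TCP_SYN);
}

/* The offset-1 fragment is hotdropped before any rule is consulted. */
enum verdict demo_offset1_fragment_verdict(void)
{
    uint8_t f1[64];
    size_t l1 = build_offset1_fragment(f1, TCP_SYN);
    return tcp_match(f1, l1, 80, SYN_MASK, TCP_SYN);  /* HOTDROP */
}

/* The flags byte the host would reassemble if the offset-1 fragment got through. */
uint8_t demo_reassembled_flags(void)
{
    uint8_t f0[64], f1[64], seg[64];
    size_t l0 = build_first_fragment(f0, 80, TCP_ACK);
    size_t l1 = build_offset1_fragment(f1, TCP_SYN);
    reassemble_last_wins(f0, l0, f1, l1, seg);
    return seg[13];                                    /* 0x02: a bare SYN, despite the --syn rule */
}
```

Without the offset-1 hotdrop, the first fragment (ACK set) slips past the --syn DROP rule, the second fragment is ignored by the tcp match because it is not a first fragment, and a host that lets later fragments win on overlap reassembles a SYN. Dropping offset 1 closes that gap regardless of which overlap policy the destination uses, which is why the check is worth its cost even though it drops some fragments silently.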