* [PATCH 0/3] [-stable] Netfilter updates for stable 3.0 onwards
@ 2012-11-16 14:00 pablo
From: pablo @ 2012-11-16 14:00 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, stable
From: Pablo Neira Ayuso <pablo@netfilter.org>
Hi!
Please, consider the following Netfilter patches for stable 3.0 and
onwards inclusion.
The selected three patches are:
4a70bbf netfilter: Validate the sequence number of dataless ACK packets as well
64f509c netfilter: Mark SYN/ACK packets as invalid from original direction
[BACKPORT] 38fe36a netfilter: nf_nat: don't check for port change on ICMP tuples
The first two patches can be considered security fixes in the TCP connection
tracking to make off-path attacks harder. For more information you can read:
"Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel.
The latter fixes the re-routing of every ICMP packet going through NAT even
if it is not required, which is an expensive operation. That one has been
backported to 3.0.
Please, cherry-pick them. Thanks!
Jozsef Kadlecsik (2):
netfilter: Mark SYN/ACK packets as invalid from original direction
netfilter: Validate the sequence number of dataless ACK packets as well
Ulrich Weber (1):
netfilter: nf_nat: don't check for port change on ICMP tuples
net/ipv4/netfilter/nf_nat_standalone.c | 6 ++++--
net/netfilter/nf_conntrack_proto_tcp.c | 29 ++++++++++-------------------
2 files changed, 14 insertions(+), 21 deletions(-)
--
1.7.10.4
* [PATCH 1/3] [-stable] netfilter: Mark SYN/ACK packets as invalid from original direction
From: pablo @ 2012-11-16 14:00 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, stable
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Clients should not send such packets. By accepting them, we open
up a hole by which ephemeral ports can be discovered in an off-path
attack.
See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel,
http://arxiv.org/abs/1201.2074
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_conntrack_proto_tcp.c | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 37bf943..1eb458c 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -159,21 +159,18 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
* sCL -> sSS
*/
/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
-/*synack*/ { sIV, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR },
+/*synack*/ { sIV, sIV, sSR, sIV, sIV, sIV, sIV, sIV, sIV, sSR },
/*
* sNO -> sIV Too late and no reason to do anything
* sSS -> sIV Client can't send SYN and then SYN/ACK
* sS2 -> sSR SYN/ACK sent to SYN2 in simultaneous open
- * sSR -> sIG
- * sES -> sIG Error: SYNs in window outside the SYN_SENT state
- * are errors. Receiver will reply with RST
- * and close the connection.
- * Or we are not in sync and hold a dead connection.
- * sFW -> sIG
- * sCW -> sIG
- * sLA -> sIG
- * sTW -> sIG
- * sCL -> sIG
+ * sSR -> sSR Late retransmitted SYN/ACK in simultaneous open
+ * sES -> sIV Invalid SYN/ACK packets sent by the client
+ * sFW -> sIV
+ * sCW -> sIV
+ * sLA -> sIV
+ * sTW -> sIV
+ * sCL -> sIV
*/
/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
/*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
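Review bot: the sSR column of the /*synack*/ row changes from sIG to sSR, which now accepts a late retransmitted SYN/ACK in simultaneous open instead of ignoring it, yet the commit message only describes marking client-sent SYN/ACKs invalid; the changelog should mention this second behaviour change. For -stable it is also worth spelling out the user-visible effect of sIG becoming sIV in the sES through sCL columns: an ignored packet was accepted without a state change, whereas an invalid one matches `-m conntrack --ctstate INVALID`, so rulesets that drop INVALID will now drop these segments where they previously passed.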
* [PATCH 2/3] [-stable] netfilter: Validate the sequence number of dataless ACK packets as well
From: pablo @ 2012-11-16 14:00 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, stable
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
We spare nothing by not validating the sequence number of dataless
ACK packets, and enabling it makes off-path attacks harder.
See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel,
http://arxiv.org/abs/1201.2074
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_conntrack_proto_tcp.c | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 1eb458c..a9d5f50 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -625,15 +625,9 @@ static bool tcp_in_window(const struct nf_conn *ct,
ack = sack = receiver->td_end;
}
- if (seq == end
- && (!tcph->rst
- || (seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)))
+ if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)
/*
- * Packets contains no data: we assume it is valid
- * and check the ack value only.
- * However RST segments are always validated by their
- * SEQ number, except when seq == 0 (reset sent answering
- * SYN.
+ * RST sent answering SYN.
*/
seq = end = sender->td_end;
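Review bot: the new condition `if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)` drops the `seq == end` test that the removed branch also required, so an RST answering a SYN is now exempted from sequence validation even if it carries data; if that widening is intended, say so in the comment, otherwise keep the guard as `tcph->rst && seq == 0 && seq == end && state->state == TCP_CONNTRACK_SYN_SENT`. The shortened comment `RST sent answering SYN.` should also state the behaviour this patch introduces, namely that dataless ACKs are now checked against the window like any other segment, since the deleted text was the only place that documented the old exemption.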
* [PATCH 3/3] [-stable] netfilter: nf_nat: don't check for port change on ICMP tuples
From: pablo @ 2012-11-16 14:00 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, stable
From: Ulrich Weber <ulrich.weber@sophos.com>
ICMP tuples have id in src and type/code in dst.
So comparing src.u.all with dst.u.all will always fail here
and ip_xfrm_me_harder() is called for every ICMP packet,
even if there was no NAT.
This patch is a backport of:
[ 38fe36a netfilter: nf_nat: don't check for port change on ICMP tuples ]
Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/ipv4/netfilter/nf_nat_standalone.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/netfilter/nf_nat_standalone.c b/net/ipv4/netfilter/nf_nat_standalone.c
index 483b76d..b2c3ed7 100644
--- a/net/ipv4/netfilter/nf_nat_standalone.c
+++ b/net/ipv4/netfilter/nf_nat_standalone.c
@@ -194,7 +194,8 @@ nf_nat_out(unsigned int hooknum,
if ((ct->tuplehash[dir].tuple.src.u3.ip !=
ct->tuplehash[!dir].tuple.dst.u3.ip) ||
- (ct->tuplehash[dir].tuple.src.u.all !=
+ (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
+ ct->tuplehash[dir].tuple.src.u.all !=
ct->tuplehash[!dir].tuple.dst.u.all)
)
return ip_xfrm_me_harder(skb) == 0 ? ret : NF_DROP;
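Review bot: the guard `ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&` skips the port comparison entirely for ICMP, so an ICMP packet whose id was rewritten by NAT will no longer reach ip_xfrm_me_harder() at all; if re-routing is still wanted when the id changes, compare the id field the commit message says lives in src (src.u.icmp.id of `tuplehash[dir]` against `tuplehash[!dir]`) rather than dropping the check. The `&&` term nested inside the outer `||` relies on `!=` binding tighter than `&&`, which is correct, but wrapping the two-line `&&` expression in its own parentheses would make the intent obvious to the next reader.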
@@ -230,7 +231,8 @@ nf_nat_local_fn(unsigned int hooknum,
ret = NF_DROP;
}
#ifdef CONFIG_XFRM
- else if (ct->tuplehash[dir].tuple.dst.u.all !=
+ else if (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
+ ct->tuplehash[dir].tuple.dst.u.all !=
ct->tuplehash[!dir].tuple.src.u.all)
if (ip_xfrm_me_harder(skb))
ret = NF_DROP;
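Review bot: the ICMP-id case is silently excluded here as well by `else if (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&`, so if NAT changes the id of a locally generated ICMP packet nothing calls ip_xfrm_me_harder(); the commit message should say this is acceptable or the comparison should be done on the id field instead. Style-wise, the `else if` now has a two-line condition followed by an unbraced nested `if (ip_xfrm_me_harder(skb))` inside `#ifdef CONFIG_XFRM`; braces around the `else if` body would make the control flow unambiguous.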
* Re: [PATCH 0/3] [-stable] Netfilter updates for stable 3.0 onwards
From: Greg KH @ 2012-11-20 19:31 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, davem, stable
On Fri, Nov 16, 2012 at 03:00:11PM +0100, pablo@netfilter.org wrote:
> From: Pablo Neira Ayuso <pablo@netfilter.org>
>
> Hi!
>
> Please, consider the following Netfilter patches for stable 3.0 and
> onwards inclusion.
>
> The selected three patches are:
>
> 4a70bbf netfilter: Validate the sequence number of dataless ACK packets as well
> 64f509c netfilter: Mark SYN/ACK packets as invalid from original direction
> [BACKPORT] 38fe36a netfilter: nf_nat: don't check for port change on ICMP tuples
>
> The first two patches can be considered security fixes in the TCP connection
> tracking to make off-path attacks harder. For more information you can read:
> "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel.
>
> The latter fixes the re-routing of every ICMP packet going through NAT even
> if it is not required, which is an expensive operation. That one has been
> backported to 3.0.
>
> Please, cherry-pick them. Thanks!
All applied, thanks.
greg k-h
* Re: [PATCH 0/3] [-stable] Netfilter updates for stable 3.0 onwards
From: Ben Hutchings @ 2012-11-25 13:59 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, davem, stable
On Fri, 2012-11-16 at 15:00 +0100, pablo@netfilter.org wrote:
> From: Pablo Neira Ayuso <pablo@netfilter.org>
>
> Hi!
>
> Please, consider the following Netfilter patches for stable 3.0 and
> onwards inclusion.
[...]
All queued up for 3.2, thanks.
Ben.
--
Ben Hutchings
Never attribute to conspiracy what can adequately be explained by stupidity.