From: Patrick McHardy <kaber@trash.net>
To: pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org,
	mph@one.com, jesper.brouer@gmail.com, as@one.com
Subject: [PATCH RFC 0/6] SYNPROXY target v2
Date: Fri, 23 Aug 2013 09:52:03 +0200	[thread overview]
Message-ID: <1377244329-20146-1-git-send-email-kaber@trash.net> (raw)

The following patches contain the current version of the SYNPROXY target.
Changes since the last posting are:

- use sysctl_ip_default_ttl instead of hardcoding 64

- use MAX_TCP_HEADER instead of LL_MAX_HEADER

- add some comments requested by Jesper regarding ack_seq initialization
  in the server's SYN packet

- use consume_skb() instead of kfree_skb() in the synproxy hook

- remove a fixme and add explicit check for "-p tcp" in the SYNPROXY rule
  in the IPv6 version

- some whitespace fixes

- a larger number of fixes for properly handling retransmissions and
  out of order packets, please see the changelog included in patch 6/6
  for details.

  I've kept those in a separate patch for now to ease review. We'll do
  some more extensive testing on Monday and I'll fold the changes into
  their respective patches before the final submission.

Comments welcome.


Patrick McHardy (6):
      netfilter: nf_conntrack: make sequence number adjustments usuable without NAT
      net: syncookies: export cookie_v4_init_sequence/cookie_v4_check
      netfilter: add SYNPROXY core/target
      net: syncookies: export cookie_v6_init_sequence/cookie_v6_check
      netfilter: add IPv6 SYNPROXY target
      netfilter: synproxy: fix handling of retransmissions before established state

 include/linux/netfilter.h                          |   9 +-
 include/net/netfilter/nf_conntrack_extend.h        |   6 +
 include/net/netfilter/nf_conntrack_seqadj.h        |  51 +++
 include/net/netfilter/nf_conntrack_synproxy.h      |  76 ++++
 include/net/netfilter/nf_nat.h                     |  10 -
 include/net/netfilter/nf_nat_helper.h              |  19 -
 include/net/tcp.h                                  |   8 +
 include/uapi/linux/netfilter/nf_conntrack_common.h |   3 +-
 include/uapi/linux/netfilter/nfnetlink_conntrack.h |  15 +-
 include/uapi/linux/netfilter/xt_SYNPROXY.h         |  16 +
 net/ipv4/netfilter/Kconfig                         |  13 +
 net/ipv4/netfilter/Makefile                        |   1 +
 net/ipv4/netfilter/ipt_SYNPROXY.c                  | 457 ++++++++++++++++++++
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c     |   7 +-
 net/ipv4/syncookies.c                              |  29 +-
 net/ipv6/netfilter/Kconfig                         |  13 +
 net/ipv6/netfilter/Makefile                        |   1 +
 net/ipv6/netfilter/ip6t_SYNPROXY.c                 | 480 +++++++++++++++++++++
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c     |   7 +-
 net/ipv6/syncookies.c                              |  25 +-
 net/netfilter/Kconfig                              |   3 +
 net/netfilter/Makefile                             |   5 +-
 net/netfilter/nf_conntrack_core.c                  |  22 +-
 net/netfilter/nf_conntrack_netlink.c               | 115 +++--
 net/netfilter/nf_conntrack_proto_tcp.c             |  34 +-
 net/netfilter/nf_conntrack_seqadj.c                | 238 ++++++++++
 net/netfilter/nf_nat_core.c                        |  16 +-
 net/netfilter/nf_nat_helper.c                      | 228 +---------
 net/netfilter/nf_nat_sip.c                         |   3 +-
 net/netfilter/nf_synproxy_core.c                   | 431 ++++++++++++++++++
 net/netfilter/nfnetlink_queue_ct.c                 |   8 +-
 31 files changed, 1953 insertions(+), 396 deletions(-)
