[PATCH 0/2] Netfilter SYNPROXY mss and wscale bugfix

[PATCH 0/2] Netfilter SYNPROXY mss and wscale bugfix

[Martin Topholm]

The following series fixes two bugs we have discovered in the netfilter
module SYNPROXY.

The first is related to the mss option not getting transferred to the
backend servers.

And the second it related to passing of the windows scaling option.

Martin Topholm (2):
  netfilter: synproxy: send mss option to backend
  netfilter: synproxy: correct wscale option passing

 net/ipv4/netfilter/ipt_SYNPROXY.c  | 1 +
 net/ipv6/netfilter/ip6t_SYNPROXY.c | 1 +
 net/netfilter/nf_synproxy_core.c   | 7 ++++---
 3 files changed, 6 insertions(+), 3 deletions(-)

[PATCH 1/2] netfilter: synproxy: send mss option to backend

[Martin Topholm]

When the synproxy_parse_options is called on the client ack the mss
option will not be present. Consequently mss wont be included in the
backend syn packet, which falls back to 536 bytes mss.

Therefore XT_SYNPROXY_OPT_MSS is explicitly flagged when recovering mss
value from cookie.

Signed-off-by: Martin Topholm <mph@one.com>
Reviewed-by: Jesper Dangaard Brouer <brouer@redhat.com>
---
 net/ipv4/netfilter/ipt_SYNPROXY.c  | 1 +
 net/ipv6/netfilter/ip6t_SYNPROXY.c | 1 +
 2 files changed, 2 insertions(+)

diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
index 01cffea..f13bd91 100644
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -244,6 +244,7 @@ synproxy_recv_client_ack(const struct synproxy_net *snet,
 
 	this_cpu_inc(snet->stats->cookie_valid);
 	opts->mss = mss;
+	opts->options |= XT_SYNPROXY_OPT_MSS;
 
 	if (opts->options & XT_SYNPROXY_OPT_TIMESTAMP)
 		synproxy_check_timestamp_cookie(opts);
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index bf9f612..f78f41a 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -259,6 +259,7 @@ synproxy_recv_client_ack(const struct synproxy_net *snet,
 
 	this_cpu_inc(snet->stats->cookie_valid);
 	opts->mss = mss;
+	opts->options |= XT_SYNPROXY_OPT_MSS;
 
 	if (opts->options & XT_SYNPROXY_OPT_TIMESTAMP)
 		synproxy_check_timestamp_cookie(opts);

[PATCH 2/2] netfilter: synproxy: correct wscale option passing

[Martin Topholm]

Timestamp are used to store additional syncookie parameters such as sack,
ecn, and wscale. The wscale value we need to encode is the client's
wscale, since we can't recover that later in the session. Next overwrite
the wscale option so the later synproxy_send_client_synack will send
the backend's wscale to the client.

Signed-off-by: Martin Topholm <mph@one.com>
Reviewed-by: Jesper Dangaard Brouer <brouer@redhat.com>
---
 net/netfilter/nf_synproxy_core.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index cdf4567..9858e3e 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -151,9 +151,10 @@ void synproxy_init_timestamp_cookie(const struct xt_synproxy_info *info,
 	opts->tsecr = opts->tsval;
 	opts->tsval = tcp_time_stamp & ~0x3f;
 
-	if (opts->options & XT_SYNPROXY_OPT_WSCALE)
-		opts->tsval |= info->wscale;
-	else
+	if (opts->options & XT_SYNPROXY_OPT_WSCALE) {
+		opts->tsval |= opts->wscale;
+		opts->wscale = info->wscale;
+	} else
 		opts->tsval |= 0xf;
 
 	if (opts->options & XT_SYNPROXY_OPT_SACK_PERM)

Re: [PATCH 0/2] Netfilter SYNPROXY mss and wscale bugfix

[Jesper Dangaard Brouer]

On Thu, 14 Nov 2013 15:35:29 +0100
Martin Topholm <mph@one.com> wrote:

> The following series fixes two bugs we have discovered in the netfilter
> module SYNPROXY.
> 
> The first is related to the mss option not getting transferred to the
> backend servers.
> 
> And the second it related to passing of the windows scaling option.
> 
> Martin Topholm (2):
>   netfilter: synproxy: send mss option to backend
>   netfilter: synproxy: correct wscale option passing
> 
>  net/ipv4/netfilter/ipt_SYNPROXY.c  | 1 +
>  net/ipv6/netfilter/ip6t_SYNPROXY.c | 1 +
>  net/netfilter/nf_synproxy_core.c   | 7 ++++---
>  3 files changed, 6 insertions(+), 3 deletions(-)

ACK series

I have already reviewed the patches offlist with Martin and helped him
on howto submit patches etc.. Nice work Martin :-)

-- 
Best regards,
  Jesper Dangaard Brouer
  MSc.CS, Sr. Network Kernel Developer at Red Hat
  Author of http://www.iptv-analyzer.org
  LinkedIn: http://www.linkedin.com/in/brouer

Re: [PATCH 1/2] netfilter: synproxy: send mss option to backend

[Pablo Neira Ayuso]

On Thu, Nov 14, 2013 at 03:35:30PM +0100, Martin Topholm wrote:
> When the synproxy_parse_options is called on the client ack the mss
> option will not be present. Consequently mss wont be included in the
> backend syn packet, which falls back to 536 bytes mss.
> 
> Therefore XT_SYNPROXY_OPT_MSS is explicitly flagged when recovering mss
> value from cookie.

Applied, thanks Martin.

Re: [PATCH 2/2] netfilter: synproxy: correct wscale option passing

[Pablo Neira Ayuso]

On Thu, Nov 14, 2013 at 03:35:31PM +0100, Martin Topholm wrote:
> Timestamp are used to store additional syncookie parameters such as sack,
> ecn, and wscale. The wscale value we need to encode is the client's
> wscale, since we can't recover that later in the session. Next overwrite
> the wscale option so the later synproxy_send_client_synack will send
> the backend's wscale to the client.

Also applied, thanks.