Subject: Re: [ 16/48] netfilter: conntrack: disable generic tracking for known protocols
From: Ben Hutchings
To: Willy Tarreau
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Florian Westphal, Daniel Borkmann, Jozsef Kadlecsik, Pablo Neira Ayuso
Date: Fri, 15 May 2015 22:05:13 +0100
Message-ID: <1431723913.6315.128.camel@decadent.org.uk>
In-Reply-To: <20150515080530.975043758@1wt.eu>

On Fri, 2015-05-15 at 10:05 +0200, Willy Tarreau wrote:
> 2.6.32-longterm review patch. If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Florian Westphal
> 
> commit db29a9508a9246e77087c5531e45b2c88ec6988b upstream
> 
> Given following iptables ruleset:
> 
> -P FORWARD DROP
> -A FORWARD -m sctp --dport 9 -j ACCEPT
> -A FORWARD -p tcp --dport 80 -j ACCEPT
> -A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT
> 
> One would assume that this allows SCTP on port 9 and TCP on port 80.
> Unfortunately, if the SCTP conntrack module is not loaded, this allows
> *all* SCTP communication to pass through, i.e. -p sctp -j ACCEPT,
> which we think is a security issue.
> 
> This is because on the first SCTP packet on port 9, we create a dummy
> "generic l4" conntrack entry without any port information (since
> conntrack doesn't know how to extract this information).
> 
> All subsequent packets that are unknown will then be in established
> state since they will fall back to proto_generic and will match the
> 'generic' entry.
> 
> Our originally proposed version [1] completely disabled generic protocol
> tracking, but Jozsef suggests to not track protocols for which a more
> suitable helper is available, hence we now mitigate the issue for in
> tree known ct protocol helpers only, so that at least NAT and direction
> information will still be preserved for others.
> 
> [1] http://www.spinics.net/lists/netfilter-devel/msg33430.html
> 
> Joint work with Daniel Borkmann.
> 
> Signed-off-by: Florian Westphal
> Signed-off-by: Daniel Borkmann
> Acked-by: Jozsef Kadlecsik
> Signed-off-by: Pablo Neira Ayuso
> [bwh: Backported to 2.6.32: adjust context]
> Signed-off-by: Ben Hutchings
> Signed-off-by: Willy Tarreau

[...]

-- 
Ben Hutchings
It is impossible to make anything foolproof because fools are so ingenious.
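As an added illustration (not code from the patch, the kernel, or anyone on this thread), the following Python model replays the lookup the quoted commit message describes: the generic L4 tracker builds an entry with the ports zeroed, so one SCTP packet to port 9 makes every later SCTP packet between the same hosts look ESTABLISHED, while the fix refuses such an entry for protocols that have a real tracker. The protocol set, addresses and ports are constructed; the model tracks the originating direction only and treats a packet with no conntrack entry as INVALID, as the conntrack match does.

```python
# Constructed model of the conntrack lookup the commit message describes;
# illustration code, not the kernel's implementation.

# Protocols with an in-tree conntrack tracker ("known" L4 protocols).
# Constructed subset for the example; the real list is in the kernel.
KNOWN_L4 = {"tcp", "udp", "sctp", "dccp", "udplite"}


def ct_tuple(pkt, loaded):
    """Key conntrack would use for a packet. A loaded tracker extracts the
    ports; the generic tracker cannot, so it zeroes them, which is why one
    entry then matches every port of that protocol between two hosts."""
    proto, src, dst, sport, dport = pkt
    if proto in loaded:
        return (proto, src, dst, sport, dport)
    return (proto, src, dst, 0, 0)  # generic l4: no port information


class Conntrack:
    """Minimal table: originating direction only, no timeouts, no NAT."""

    def __init__(self, loaded, fixed):
        self.loaded = set(loaded)  # protocol trackers actually loaded
        self.fixed = fixed         # apply the commit's behaviour?
        self.table = set()

    def state(self, pkt):
        """ctstate that -m conntrack would see for this packet."""
        proto = pkt[0]
        if self.fixed and proto in KNOWN_L4 and proto not in self.loaded:
            # Fix: no generic entry for a protocol that has a real tracker.
            # With no entry the packet is INVALID and can never satisfy
            # an ESTABLISHED,RELATED rule.
            return "INVALID"
        key = ct_tuple(pkt, self.loaded)
        if key in self.table:
            return "ESTABLISHED"
        self.table.add(key)
        return "NEW"


def replay(fixed):
    """Commit scenario: SCTP tracker not loaded, a first SCTP packet to
    port 9 (the port the ruleset allows), then one to an unrelated port.
    Returns the ctstate seen for each packet."""
    ct = Conntrack(loaded={"tcp"}, fixed=fixed)
    allowed = ("sctp", "10.0.0.1", "10.0.0.2", 40000, 9)
    other = ("sctp", "10.0.0.1", "10.0.0.2", 40001, 10)
    return ct.state(allowed), ct.state(other)  # unfixed: NEW, ESTABLISHED
```

The port 9 packet is accepted by the second rule of the quoted ruleset regardless of its state, so the fix only changes what the other ports see: ESTABLISHED without it, INVALID with it.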