Date:	Fri, 23 Aug 2013 09:52:03 +0200
From:	Patrick McHardy <kaber@...sh.net>
To:	pablo@...filter.org
Cc:	netfilter-devel@...r.kernel.org, netdev@...r.kernel.org,
	mph@....com, jesper.brouer@...il.com, as@....com
Subject: [PATCH RFC 0/6] SYNPROXY target v2

The following patches contain the current version of the SYNPROXY target.
Changes since the last posting are:

- use sysctl_ip_default_ttl instead of hardcoding 64

- use MAX_TCP_HEADER instead of LL_MAX_HEADER

- add some comments requested by Jesper regarding ack_seq initialization
  in the server's SYN packet

- use consume_skb() instead of kfree_skb() in the synproxy hook

- remove a fixme and add explicit check for "-p tcp" in the SYNPROXY rule
  in the IPv6 version

- some whitespace fixes

- a larger number of fixes for properly handling retransmissions and
  out of order packets, please see the changelog included in patch 6/6
  for details.

  I've kept those in a separate patch for now to ease review, we'll do
  some more extensive testing on Monday and I'll fold the changes in
  their respective patches before the final submission.

Comments welcome.


Patrick McHardy (6):
      netfilter: nf_conntrack: make sequence number adjustments usable without NAT
      net: syncookies: export cookie_v4_init_sequence/cookie_v4_check
      netfilter: add SYNPROXY core/target
      net: syncookies: export cookie_v6_init_sequence/cookie_v6_check
      netfilter: add IPv6 SYNPROXY target
      netfilter: synproxy: fix handling of retransmissions before established state

 include/linux/netfilter.h                          |   9 +-
 include/net/netfilter/nf_conntrack_extend.h        |   6 +
 include/net/netfilter/nf_conntrack_seqadj.h        |  51 +++
 include/net/netfilter/nf_conntrack_synproxy.h      |  76 ++++
 include/net/netfilter/nf_nat.h                     |  10 -
 include/net/netfilter/nf_nat_helper.h              |  19 -
 include/net/tcp.h                                  |   8 +
 include/uapi/linux/netfilter/nf_conntrack_common.h |   3 +-
 include/uapi/linux/netfilter/nfnetlink_conntrack.h |  15 +-
 include/uapi/linux/netfilter/xt_SYNPROXY.h         |  16 +
 net/ipv4/netfilter/Kconfig                         |  13 +
 net/ipv4/netfilter/Makefile                        |   1 +
 net/ipv4/netfilter/ipt_SYNPROXY.c                  | 457 ++++++++++++++++++++
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c     |   7 +-
 net/ipv4/syncookies.c                              |  29 +-
 net/ipv6/netfilter/Kconfig                         |  13 +
 net/ipv6/netfilter/Makefile                        |   1 +
 net/ipv6/netfilter/ip6t_SYNPROXY.c                 | 480 +++++++++++++++++++++
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c     |   7 +-
 net/ipv6/syncookies.c                              |  25 +-
 net/netfilter/Kconfig                              |   3 +
 net/netfilter/Makefile                             |   5 +-
 net/netfilter/nf_conntrack_core.c                  |  22 +-
 net/netfilter/nf_conntrack_netlink.c               | 115 +++--
 net/netfilter/nf_conntrack_proto_tcp.c             |  34 +-
 net/netfilter/nf_conntrack_seqadj.c                | 238 ++++++++++
 net/netfilter/nf_nat_core.c                        |  16 +-
 net/netfilter/nf_nat_helper.c                      | 228 +---------
 net/netfilter/nf_nat_sip.c                         |   3 +-
 net/netfilter/nf_synproxy_core.c                   | 431 ++++++++++++++++++
 net/netfilter/nfnetlink_queue_ct.c                 |   8 +-
 31 files changed, 1953 insertions(+), 396 deletions(-)