| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4999434F.1050101@trash.net> Date: Mon, 16 Feb 2009 11:43:27 +0100 From: Patrick McHardy <kaber@...sh.net> To: Alan Stern <stern@...land.harvard.edu> CC: netdev@...r.kernel.org, Kernel development list <linux-kernel@...r.kernel.org> Subject: Re: [BUG] SNAT sometimes allows packets to pass through unchanged Alan Stern wrote: > On Thu, 12 Feb 2009, Patrick McHardy wrote: > >> If the connection has already timed out (from conntracks perspective), >> it has lost its state. Unless connection pickup is enabled, the packet >> will be marked as INVALID because it doesn't belong to a connection. >> You can control dropping of these packets yourself by adding the >> appropriate "-m state --state INVALID" rules. > > I tried adding a rule to log these unaccounted-for packets. Nothing > showed up, even when I could see the packets being sent. Where (table/chain/position) did you add this rule? >> That said, there were >> some bugs in the past few releases that caused some bad interaction >> between TCP and TCP conntrack (not sure anymore which one of both was >> to blame). Its possible that this is the root cause for this, so >> you might want to consider a kernel update. > > It does sound like the result of a bug. Do you have any pointers to > patches or locations to check in the source? Sorry, there were quite a few patches and I don't remember which ones exactly are related. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists