lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 11 Dec 2012 12:43:38 -0700
From:	Andrew Collins <bsderandrew@...il.com>
To:	kadlec@...ckhole.kfki.hu
Cc:	netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH 6/6] netfilter: nf_nat: Handle routing changes in
 MASQUERADE target

On Tue, Dec 4, 2012 at 10:31 AM, <pablo@...filter.org> wrote:
>
> From: Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>
>
> When the route changes (backup default route, VPNs) which affect a
> masqueraded target, the packets were sent out with the outdated source
> address. The patch addresses the issue by comparing the outgoing interface
> directly with the masqueraded interface in the nat table.
>
> Events are inefficient in this case, because it'd require adding route
> events to the network core and then scanning the whole conntrack table
> and re-checking the route for all entry.
>
> Signed-off-by: Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>
> Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>

Jozsef, a small question about this change.  Should this same check
not exist here:

        case IP_CT_NEW:
                /* Seen it before?  This can happen for loopback, retrans,
                 * or local packets.
                 */
                if (!nf_nat_initialized(ct, maniptype)) {
                        unsigned int ret;

                        ret = nf_nat_rule_find(skb, hooknum, in, out, ct);
                        if (ret != NF_ACCEPT)
                                return ret;
-               } else
+               } else {
                        pr_debug("Already setup manip %s for ct %p\n",
                                 maniptype == NF_NAT_MANIP_SRC ? "SRC" : "DST",
                                 ct);
+                       if (nf_nat_oif_changed(hooknum, ctinfo, nat, out)) {
+                               nf_ct_kill_acct(ct, ctinfo, skb);
+                               return NF_DROP;
+                       }
+               }
                break;

as well?  It's *significantly* less common than the case you fixed,
and perhaps just letting the state time out is acceptable, but I've
seen TCP connections get stuck with the wrong source address if we
haven't hit ESTABLISHED at the point when the routing change occurs
(most reproducible on high latency links).
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ