lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Wed, 22 Oct 2014 14:28:20 +0200
From:	Pablo Neira Ayuso <pablo@...filter.org>
To:	Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>
Cc:	Marcelo Ricardo Leitner <mleitner@...hat.com>,
	netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH] nf_conntrack_proto_tcp: allow server to become a client
 in TW handling

On Wed, Oct 15, 2014 at 09:27:43AM +0200, Jozsef Kadlecsik wrote:
> On Mon, 13 Oct 2014, Marcelo Ricardo Leitner wrote:
> 
> > When a port that was used to listen for inbound connections gets closed
> > and reused for outgoing connections (like rsh ends up doing for stderr
> > flow), current we may reject the SYN/ACK packet for the new connection
> > because tcp_conntracks states forbirds a port to become a client while
> > there is still a TIME_WAIT entry in there for it.
> > 
> > As TCP may expire the TIME_WAIT socket in 60s and conntrack's timeout
> > for it is 120s, there is a ~60s window that the application can end up
> > opening a port that conntrack will end up blocking.
> > 
> > This patch fixes this by simply allowing such state transition: if we
> > see a SYN, in TIME_WAIT state, on REPLY direction, move it to sSS. Note
> > that the rest of the code already handles this situation, more
> > specificly in tcp_packet(), first switch clause.
> 
> In those code branch if there was a valid FIN in either direction, we 
> destroy the old connection and a new will be created. That way the rules 
> about NEW connections will be applied, so the policies are not bypassed. 
> Otherwise we just ignore the SYN packet, so if it's invalid, we'll catch 
> the RST from the other side and destroy the conntrack entry. The event 
> flow looks OK to me.
> 
> > Signed-off-by: Marcelo Ricardo Leitner <mleitner@...hat.com>
> 
> Acked-by: Jozsef Kadlecsik <kadlec@...ckhole.kfki.hu>

Applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ