lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Sun, 25 Sep 2016 13:47:29 +0200
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     KOVACS Krisztian <hidden@...abit.com>
Cc:     netfilter-devel@...r.kernel.org, netdev@...r.kernel.org,
        Alex Badics <alex.badics@...abit.com>,
        Eric Dumazet <eric.dumazet@...il.com>
Subject: Re: [PATCH] netfilter: xt_socket: fix transparent match for IPv6
 request sockets

On Fri, Sep 23, 2016 at 11:27:42AM +0200, KOVACS Krisztian wrote:
> The introduction of TCP_NEW_SYN_RECV state, and the addition of request
> sockets to the ehash table seems to have broken the --transparent option
> of the socket match for IPv6 (around commit a9407000).
> 
> Now that the socket lookup finds the TCP_NEW_SYN_RECV socket instead of the
> listener, the --transparent option tries to match on the no_srccheck flag
> of the request socket.
> 
> Unfortunately, that flag was only set for IPv4 sockets in tcp_v4_init_req()
> by copying the transparent flag of the listener socket. This effectively
> causes '-m socket --transparent' not match on the ACK packet sent by the
> client in a TCP handshake.
> 
> Based on the suggestion from Eric Dumazet, this change moves the code
> initializing no_srccheck to tcp_conn_request(), rendering the above
> scenario working again.

Applied, thanks Krisztian.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ