| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 10 Feb 2020 15:14:18 +0100
From: "Jason A. Donenfeld" <Jason@...c4.com>
To: netdev@...r.kernel.org, davem@...emloft.net
Cc: "Jason A. Donenfeld" <Jason@...c4.com>,
netfilter-devel@...r.kernel.org
Subject: [PATCH v2 net 0/5] icmp: account for NAT when sending icmps from ndo layer
The ICMP routines use the source address for two reasons:
1. Rate-limiting ICMP transmissions based on source address, so
that one source address cannot provoke a flood of replies. If
the source address is wrong, the rate limiting will be
incorrectly applied.
2. Choosing the interface and hence new source address of the
generated ICMP packet. If the original packet source address
is wrong, ICMP replies will be sent from the wrong source
address, resulting in either a misdelivery, infoleak, or just
general network admin confusion.
Most of the time, the icmp_send and icmpv6_send routines can just reach
down into the skb's IP header to determine the saddr. However, if
icmp_send or icmpv6_send is being called from a network device driver --
there are a few in the tree -- then it's possible that by the time
icmp_send or icmpv6_send looks at the packet, the packet's source
address has already been transformed by SNAT or MASQUERADE or some other
transformation that CONNTRACK knows about. In this case, the packet's
source address is most certainly the *wrong* source address to be used
for the purpose of ICMP replies.
Rather, the source address we want to use for ICMP replies is the
original one, from before the transformation occurred.
Fortunately, it's very easy to just ask CONNTRACK if it knows about this
packet, and if so, how to fix it up. The saddr is the only field in the
header we need to fix up, for the purposes of the subsequent processing
in the icmp_send and icmpv6_send functions, so we do the lookup very
early on, so that the rest of the ICMP machinery can progress as usual.
Changes v1->v2:
- icmpv6 takes subtly different types than icmpv4, like u32 instead of be32,
u8 instead of int.
- Since we're technically writing to the skb, we need to make sure it's not
a shared one [Dave, 2017].
- Restore the original skb data after icmp_send returns. All current users
are freeing the packet right after, so it doesn't matter, but future users
might not.
- Remove superfluous route lookup in sunvnet [Dave].
- Use NF_NAT instead of NF_CONNTRACK for condition [Florian].
- Include this cover letter [Dave].
Cc: netdev@...r.kernel.org
Cc: netfilter-devel@...r.kernel.org
Jason A. Donenfeld (5):
icmp: introduce helper for NAT'd source address in network device
context
gtp: use icmp_ndo_send helper
sunvnet: use icmp_ndo_send helper
wireguard: use icmp_ndo_send helper
xfrm: interface: use icmp_ndo_send helper
drivers/net/ethernet/sun/sunvnet_common.c | 23 +++--------------
drivers/net/gtp.c | 4 +--
drivers/net/wireguard/device.c | 4 +--
include/linux/icmpv6.h | 6 +++++
include/net/icmp.h | 6 +++++
net/ipv4/icmp.c | 29 ++++++++++++++++++++++
net/ipv6/ip6_icmp.c | 30 +++++++++++++++++++++++
net/xfrm/xfrm_interface.c | 6 ++---
8 files changed, 82 insertions(+), 26 deletions(-)
--
2.25.0
Powered by blists - more mailing lists