lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 13 Feb 2020 14:19:21 -0800 (PST)
From:   David Miller <davem@...emloft.net>
To:     Jason@...c4.com
Cc:     netdev@...r.kernel.org, netfilter-devel@...r.kernel.org
Subject: Re: [PATCH v4 net 0/5] icmp: account for NAT when sending icmps
 from ndo layer

From: "Jason A. Donenfeld" <Jason@...c4.com>
Date: Tue, 11 Feb 2020 20:47:04 +0100

> The ICMP routines use the source address for two reasons:
> 
> 1. Rate-limiting ICMP transmissions based on source address, so
>    that one source address cannot provoke a flood of replies. If
>    the source address is wrong, the rate limiting will be
>    incorrectly applied.
> 
> 2. Choosing the interface and hence new source address of the
>    generated ICMP packet. If the original packet source address
>    is wrong, ICMP replies will be sent from the wrong source
>    address, resulting in either a misdelivery, infoleak, or just
>    general network admin confusion.
> 
> Most of the time, the icmp_send and icmpv6_send routines can just reach
> down into the skb's IP header to determine the saddr. However, if
> icmp_send or icmpv6_send is being called from a network device driver --
> there are a few in the tree -- then it's possible that by the time
> icmp_send or icmpv6_send looks at the packet, the packet's source
> address has already been transformed by SNAT or MASQUERADE or some other
> transformation that CONNTRACK knows about. In this case, the packet's
> source address is most certainly the *wrong* source address to be used
> for the purpose of ICMP replies.
> 
> Rather, the source address we want to use for ICMP replies is the
> original one, from before the transformation occurred.
 ...

Series applied, thank you.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ