| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <77b0addceb098af07f3bb20fbb708d190ae58b03.camel@alliedtelesis.co.nz>
Date: Thu, 16 Sep 2021 20:30:37 +0000
From: Cole Dishington <Cole.Dishington@...iedtelesis.co.nz>
To: "fw@...len.de" <fw@...len.de>
CC: "coreteam@...filter.org" <coreteam@...filter.org>,
"netfilter-devel@...r.kernel.org" <netfilter-devel@...r.kernel.org>,
"davem@...emloft.net" <davem@...emloft.net>,
"pablo@...filter.org" <pablo@...filter.org>,
Anthony Lineham <Anthony.Lineham@...iedtelesis.co.nz>,
"shuah@...nel.org" <shuah@...nel.org>,
"kadlec@...filter.org" <kadlec@...filter.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"kuba@...nel.org" <kuba@...nel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
Blair Steven <Blair.Steven@...iedtelesis.co.nz>,
Scott Parlane <Scott.Parlane@...iedtelesis.co.nz>
Subject: Re: [PATCH net v4] net: netfilter: Fix port selection of FTP for
NF_NAT_RANGE_PROTO_SPECIFIED
On Thu, 2021-09-16 at 13:26 +0200, Florian Westphal wrote:
> Cole Dishington <Cole.Dishington@...iedtelesis.co.nz> wrote:
> > + /* Avoid applying nat->range to the reply direction */
> > + if (!exp->dir || !nat->range_info.min_proto.all || !nat-
> > >range_info.max_proto.all) {
> > + min = ntohs(exp->saved_proto.tcp.port);
> > + range_size = 65535 - min + 1;
> > + } else {
> > + min = ntohs(nat->range_info.min_proto.all);
> > + range_size = ntohs(nat->range_info.max_proto.all) - min
> > + 1;
> > + }
> > +
> > /* Try to get same port: if not, try to change it. */
> > - for (port = ntohs(exp->saved_proto.tcp.port); port != 0;
> > port++) {
> > - int ret;
> > + first_port = ntohs(exp->saved_proto.tcp.port);
> > + if (min > first_port || first_port > (min + range_size - 1))
> > + first_port = min;
> >
> > + for (i = 0, port = first_port; i < range_size; i++, port =
> > (port - first_port + i) % range_size) {
>
> This looks complicated. As far as I understand, this could instead
> be
> written like this (not even compile tested):
>
> /* Avoid applying nat->range to the reply direction */
> if (!exp->dir || !nat->range_info.min_proto.all || !nat-
> >range_info.max_proto.all) {
> min = 1;
> max = 65535;
> range_size = 65535;
> } else {
> min = ntohs(nat->range_info.min_proto.all);
> max = ntohs(nat->range_info.max_proto.all);
> range_size = max - min + 1;
> }
The original code defined the range as [ntohs(exp->saved_proto.tcp.port), 65535]. The above would
cause a change in behaviour, should we try to avoid it?
>
> /* Try to get same port: if not, try to change it. */
> port = ntohs(exp->saved_proto.tcp.port);
>
> if (port < min || port > max)
> port = min;
>
> for (i = 0; i < range_size; i++) {
> exp->tuple.dst.u.tcp.port = htons(port);
> ret = nf_ct_expect_related(exp, 0);
> if (ret != -EBUSY)
> break;
> port++;
> if (port > max)
> port = min;
> }
>
> if (ret != 0) {
> ...
>
> AFAICS this is the same, we loop at most range_size times,
> in case range_size is 64k, we will loop through all (hmmm,
> not good actually, but better make that a different change)
> else through given min - max range.
>
> If orig port was in-range, we try it first, then increment.
> If port exceeds upper bound, cycle back to min.
>
> What do you think?
Looks good, just the one question above.
Thanks for your time reviewing!
Powered by blists - more mailing lists