lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20230113125629.GD19463@breakpoint.cc>
Date:   Fri, 13 Jan 2023 13:56:29 +0100
From:   Florian Westphal <fw@...len.de>
To:     "Russell King (Oracle)" <linux@...linux.org.uk>
Cc:     Florian Westphal <fw@...len.de>, netdev@...r.kernel.org,
        netfilter-devel@...r.kernel.org, coreteam@...filter.org
Subject: Re: 6.1: possible bug with netfilter conntrack?

Russell King (Oracle) <linux@...linux.org.uk> wrote:
[..]
> Digging through the tcpdump and logs, it seems what is going on is:
> 
> public interface			dmz interface
> origin -> mailserver SYN		origin -> mailserver SYN
> mailserver -> origin SYNACK		mailserver -> origin SYNACK
> origin -> mailserver ACK
> mailserver -> origin RST
> mailserver -> origin SYNACK		mailserver -> origin SYNACK
> mailserver -> origin SYNACK		mailserver -> origin SYNACK
> mailserver -> origin SYNACK		mailserver -> origin SYNACK
> mailserver -> origin SYNACK		mailserver -> origin SYNACK
> ...
> 
> Here is an example from the public interface:
> 
> 09:52:36.599398 IP 103.14.225.112.63461 > 78.32.30.218.587: Flags [SEW], seq 3387227814, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
> 09:52:36.599893 IP 78.32.30.218.587 > 103.14.225.112.63461: Flags [S.], seq 816385329, ack 3387227815, win 64240, options [mss 1452,nop,nop,sackOK,nop,wscale 7], length 0
> 09:52:36.820464 IP 103.14.225.112.63461 > 78.32.30.218.587: Flags [.], ack 1, win 260, length 0
> 09:52:36.820549 IP 78.32.30.218.587 > 103.14.225.112.63461: Flags [R], seq 816385330, win 0, length 0
> 09:52:37.637548 IP 78.32.30.218.587 > 103.14.225.112.63461: Flags [S.], seq 816385329, ack 3387227815, win 64240, options [mss 1452,nop,nop,sackOK,nop,wscale 7], length 0
> 
> and the corresponding trace on the mailserver:
> 09:52:36.599729 IP 103.14.225.112.63461 > 78.32.30.218.587: Flags [SEW], seq 3387227814, win 8192, options [mss 1452,nop,wscale 8,nop,nop,sackOK], length 0
> 09:52:36.599772 IP 78.32.30.218.587 > 103.14.225.112.63461: Flags [S.], seq 816385329, ack 3387227815, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
> 09:52:37.637421 IP 78.32.30.218.587 > 103.14.225.112.63461: Flags [S.], seq 816385329, ack 3387227815, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
> 
> So, my first observation is that conntrack is reacting to the ACK
> packet on the public interface, and marking the connection established,
> but a firewall rule is rejecting the connection when that ACK packet is
> received by sending a TCP reset. It looks like conntrack does not see 
> this packet,

Right, this is silly.  I'll see about this; the rst packet
bypasses conntrack because nf_send_reset attaches the exising
entry of the packet its replying to -- tcp conntrack gets skipped for
the generated RST.

But this is also the case in 5.16, so no idea why this is surfacing now.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ