redonkable/alistair23-linux
redonkable/alistair23-linux
1
0
Fork 0
Code Releases Activity
alistair23-linux/net/ipv6
History
Jesper Dangaard Brouer 775ada6d9f netfilter: more strict TCP flag matching in SYNPROXY 
Its seems Patrick missed to incoorporate some of my requested changes
during review v2 of SYNPROXY netfilter module.

Which were, to avoid SYN+ACK packets to enter the path, meant for the
ACK packet from the client (from the 3WHS).

Further there were a bug in ip6t_SYNPROXY.c, for matching SYN packets
that didn't exclude the ACK flag.

Go a step further with SYN packet/flag matching by excluding flags
ACK+FIN+RST, in both IPv4 and IPv6 modules.

The intented usage of SYNPROXY is as follows:
(gracefully describing usage in commit)

 iptables -t raw -A PREROUTING -i eth0 -p tcp --dport 80 --syn -j NOTRACK
 iptables -A INPUT -i eth0 -p tcp --dport 80 -m state UNTRACKED,INVALID \
         -j SYNPROXY --sack-perm --timestamp --mss 1480 --wscale 7 --ecn

 echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose

This does filter SYN flags early, for packets in the UNTRACKED state,
but packets in the INVALID state with other TCP flags could still
reach the module, thus this stricter flag matching is still needed.

Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-09-04 11:43:11 +02:00
..
netfilter netfilter: more strict TCP flag matching in SYNPROXY 2013-09-04 11:43:11 +02:00
addrconf.c ipv6: move in6_dev_finish_destroy() into core kernel 2013-08-31 22:30:00 -04:00
addrconf_core.c ipv6: move in6_dev_finish_destroy() into core kernel 2013-08-31 22:30:00 -04:00
addrlabel.c rtnetlink: Remove passing of attributes into rtnl_doit functions 2013-03-22 10:31:16 -04:00
af_inet6.c vxlan: add ipv6 proxy support 2013-08-31 22:30:01 -04:00
ah6.c net: Add skb_unclone() helper function. 2013-02-15 15:10:37 -05:00
anycast.c net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
datagram.c net: proc_fs: trivial: print UIDs as unsigned int 2013-08-15 14:37:46 -07:00
esp6.c net: esp{4,6}: fix potential MTU calculation overflows 2013-08-05 12:26:50 -07:00
exthdrs.c ipv6: Store Router Alert option in IP6CB directly. 2013-01-13 20:17:14 -05:00
exthdrs_core.c ipv6: Correct comparisons and calculations using skb->tail and skb-transport_header 2013-05-28 23:49:07 -07:00
exthdrs_offload.c ipv6: Pull IPv6 GSO registration out of the module 2012-11-15 17:39:24 -05:00
fib6_rules.c fib_rules: fix suppressor names and default values 2013-08-03 10:40:23 -07:00
icmp.c net: Convert uses of typedef ctl_table to struct ctl_table 2013-06-13 02:36:09 -07:00
inet6_connection_sock.c ipv6: use newly introduced __ipv6_addr_needs_scope_id and ipv6_iface_scope_id 2013-03-08 12:29:22 -05:00
inet6_hashtables.c soreuseport: TCP/IPv6 implementation 2013-01-23 13:44:01 -05:00
ip6_checksum.c ipv6: move csum_ipv6_magic() and udp6_csum_init() into static library 2013-01-08 17:56:10 -08:00
ip6_fib.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-08-16 15:37:26 -07:00
ip6_flowlabel.c ipv6 flowlabel: add __rcu annotations 2013-03-07 16:33:10 -05:00
ip6_gre.c ip6tnl: add x-netns support 2013-08-15 01:00:20 -07:00
ip6_icmp.c ipv6: Kill ipv6 dependency of icmpv6_send(). 2013-04-29 13:54:36 -04:00
ip6_input.c net: add SNMP counters tracking incoming ECN bits 2013-08-08 22:24:59 -07:00
ip6_offload.c ipv6: Add generic UDP Tunnel segmentation 2013-08-31 22:30:01 -04:00
ip6_offload.h ipv6: Pull IPv6 GSO registration out of the module 2012-11-15 17:39:24 -05:00
ip6_output.c ipv6: move ip6_local_out into core kernel 2013-08-31 22:30:00 -04:00
ip6_tunnel.c ip6_tunnel: ensure to always have a link local address 2013-08-20 23:45:42 -07:00
ip6mr.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-08-03 21:36:46 -07:00
ipcomp6.c
ipv6_sockglue.c ipv6: rename datagram_send_ctl and datagram_recv_ctl 2013-01-31 13:53:08 -05:00
Kconfig Tunneling: use IP Tunnel stats APIs. 2013-03-26 12:27:19 -04:00
Makefile net: ipv6: Add IPv6 support to the ping socket. 2013-05-25 21:07:49 -07:00
mcast.c net: ipv6: mcast: minor: use defines for rfc3810/8.1 lengths 2013-08-20 23:52:02 -07:00
mip6.c ipv6: Correct comparisons and calculations using skb->tail and skb-transport_header 2013-05-28 23:49:07 -07:00
ndisc.c vxlan: add ipv6 proxy support 2013-08-31 22:30:01 -04:00
netfilter.c netfilter: add nf_ipv6_ops hook to fix xt_addrtype with IPv6 2013-05-23 11:58:55 +02:00
output_core.c ipv6: move ip6_local_out into core kernel 2013-08-31 22:30:00 -04:00
ping.c net: ipv6: fix wrong ping_v6_sendmsg return value 2013-07-03 17:42:05 -07:00
proc.c net: add SNMP counters tracking incoming ECN bits 2013-08-08 22:24:59 -07:00
protocol.c ipv6: Pull IPv6 GSO registration out of the module 2012-11-15 17:39:24 -05:00
raw.c icmpv6_filter: allow ICMPv6 messages with bodies < 4 bytes 2013-08-02 15:15:50 -07:00
reassembly.c ipv6: drop packets with multiple fragmentation headers 2013-08-20 00:11:24 -07:00
route.c ipv6: move ip6_dst_hoplimit() into core kernel 2013-08-31 22:29:59 -04:00
sit.c ipv4 tunnels: use net_eq() helper to check netns 2013-08-15 01:00:20 -07:00
syncookies.c net: syncookies: export cookie_v6_init_sequence/cookie_v6_check 2013-08-28 00:28:04 +02:00
sysctl_net_ipv6.c net: Convert uses of typedef ctl_table to struct ctl_table 2013-06-13 02:36:09 -07:00
tcp_ipv6.c net: proc_fs: trivial: print UIDs as unsigned int 2013-08-15 14:37:46 -07:00
tcpv6_offload.c net: Remove code duplication between offload structures 2012-11-15 17:39:51 -05:00
tunnel6.c
udp.c net: rename ll methods to busy-poll 2013-07-10 17:08:27 -07:00
udp_impl.h ipv6: do not clear pinet6 field 2013-05-11 16:26:38 -07:00
udp_offload.c net: unify skb_udp_tunnel_segment() and skb_udp6_tunnel_segment() 2013-08-31 22:30:01 -04:00
udplite.c ipv6: do not clear pinet6 field 2013-05-11 16:26:38 -07:00
xfrm6_input.c
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c xfrm: allow to avoid copying DSCP during encapsulation 2013-03-06 07:02:45 +01:00
xfrm6_output.c
xfrm6_policy.c xfrm6: release dev before returning error 2013-05-11 17:40:15 -07:00
xfrm6_state.c ipv6: use IS_ENABLED() 2012-11-01 12:41:35 -04:00
xfrm6_tunnel.c hlist: drop the node parameter from iterators 2013-02-27 19:10:24 -08:00