netfilter: Mark SYN/ACK packets as invalid from original direction

Clients should not send such packets. By accepting them, we open
up a hole by wich ephemeral ports can be discovered in an off-path
attack.

See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel,
http://arxiv.org/abs/1201.2074

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 8 insertions, 11 deletions

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index a5ac11ebef3..aba98f94297 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -158,21 +158,18 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
  *      sCL -> sSS
  */
 /*           sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2   */
-/*synack*/ { sIV, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR },
+/*synack*/ { sIV, sIV, sSR, sIV, sIV, sIV, sIV, sIV, sIV, sSR },
 /*
  *      sNO -> sIV      Too late and no reason to do anything
  *      sSS -> sIV      Client can't send SYN and then SYN/ACK
  *      sS2 -> sSR      SYN/ACK sent to SYN2 in simultaneous open
- *      sSR -> sIG
- *      sES -> sIG      Error: SYNs in window outside the SYN_SENT state
- *                      are errors. Receiver will reply with RST
- *                      and close the connection.
- *                      Or we are not in sync and hold a dead connection.
- *      sFW -> sIG
- *      sCW -> sIG
- *      sLA -> sIG
- *      sTW -> sIG
- *      sCL -> sIG
+ *      sSR -> sSR      Late retransmitted SYN/ACK in simultaneous open
+ *      sES -> sIV      Invalid SYN/ACK packets sent by the client
+ *      sFW -> sIV
+ *      sCW -> sIV
+ *      sLA -> sIV
+ *      sTW -> sIV
+ *      sCL -> sIV
  */
 /*           sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2   */
 /*fin*/    { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },