authorJesper Dangaard Brouer <brouer@redhat.com>2013-08-28 09:14:38 -0400
committerPablo Neira Ayuso <pablo@netfilter.org>2013-09-04 05:43:11 -0400
commit775ada6d9f4c9dc440f5aeca00354eb87f6e0696 (patch)
tree2cd93057c6b969d68598e6a4d93b27c69c23c71c /net
parent5a17a390de7bdbcfff9b8f344273a886ca4cf8bf (diff)
netfilter: more strict TCP flag matching in SYNPROXY
It seems Patrick missed incorporating some of my requested changes during review v2 of the SYNPROXY netfilter module, which were to avoid SYN+ACK packets entering the path meant for the ACK packet from the client (from the 3WHS). Further, there was a bug in ip6t_SYNPROXY.c, for matching SYN packets, that didn't exclude the ACK flag. Go a step further with SYN packet/flag matching by excluding the flags ACK+FIN+RST, in both IPv4 and IPv6 modules. The intended usage of SYNPROXY is as follows: (gracefully describing usage in commit) iptables -t raw -A PREROUTING -i eth0 -p tcp --dport 80 --syn -j NOTRACK iptables -A INPUT -i eth0 -p tcp --dport 80 -m state UNTRACKED,INVALID \ -j SYNPROXY --sack-perm --timestamp --mss 1480 --wscale 7 --ecn echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose This does filter SYN flags early, for packets in the UNTRACKED state, but packets in the INVALID state with other TCP flags could still reach the module, thus this stricter flag matching is still needed. Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com> Acked-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/netfilter/ipt_SYNPROXY.c4
-rw-r--r--net/ipv6/netfilter/ip6t_SYNPROXY.c4
2 files changed, 4 insertions, 4 deletions
diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
index 94371db6aecc..90e489eb1c0a 100644
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -269,7 +269,7 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
269 269
270 synproxy_parse_options(skb, par->thoff, th, &opts); 270 synproxy_parse_options(skb, par->thoff, th, &opts);
271 271
272 if (th->syn && !th->ack) { 272 if (th->syn && !(th->ack || th->fin || th->rst)) {
273 /* Initial SYN from client */ 273 /* Initial SYN from client */
274 this_cpu_inc(snet->stats->syn_received); 274 this_cpu_inc(snet->stats->syn_received);
275 275
@@ -285,7 +285,7 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
285 XT_SYNPROXY_OPT_ECN); 285 XT_SYNPROXY_OPT_ECN);
286 286
287 synproxy_send_client_synack(skb, th, &opts); 287 synproxy_send_client_synack(skb, th, &opts);
288 } else if (th->ack && !(th->fin || th->rst)) 288 } else if (th->ack && !(th->fin || th->rst || th->syn))
289 /* ACK from client */ 289 /* ACK from client */
290 synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq)); 290 synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq));
291 291
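Review bot: The rationale for the stricter flag test on line 272 lives only in the commit message; in the code a reader sees two hand-enumerated flag sets and nothing saying why SYN+ACK, FIN and RST have to be kept out of both branches. I would extend the comment on line 273 to `/* Initial SYN from client: reject SYN+ACK, FIN and RST here, since packets in conntrack's INVALID state still reach this target */` and the one on line 289 to `/* ACK from client; exclude SYN so a SYN+ACK is never treated as the 3WHS ACK */`. It is also worth stating that ECE and CWR are deliberately left untested — presumably because an ECN-capable SYN legitimately carries them and the XT_SYNPROXY_OPT_ECN handling on line 285 depends on that — so nobody later "tightens" the test to all six flags. The enclosing function synproxy_tg4 starts and ends outside the hunk. The identical two conditions appear in ip6t_SYNPROXY.c (its lines 287 and 303) and would want the same comments.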
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index 4270a9b145e5..a5af0bfef126 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -284,7 +284,7 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
284 284
285 synproxy_parse_options(skb, par->thoff, th, &opts); 285 synproxy_parse_options(skb, par->thoff, th, &opts);
286 286
287 if (th->syn) { 287 if (th->syn && !(th->ack || th->fin || th->rst)) {
288 /* Initial SYN from client */ 288 /* Initial SYN from client */
289 this_cpu_inc(snet->stats->syn_received); 289 this_cpu_inc(snet->stats->syn_received);
290 290
@@ -300,7 +300,7 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
300 XT_SYNPROXY_OPT_ECN); 300 XT_SYNPROXY_OPT_ECN);
301 301
302 synproxy_send_client_synack(skb, th, &opts); 302 synproxy_send_client_synack(skb, th, &opts);
303 } else if (th->ack && !(th->fin || th->rst)) 303 } else if (th->ack && !(th->fin || th->rst || th->syn))
304 /* ACK from client */ 304 /* ACK from client */
305 synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq)); 305 synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq));
306 306
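Review bot: The SYN and ACK predicates on lines 287 and 303 are now byte-for-byte the same as those in ipt_SYNPROXY.c, so the two targets can drift apart again the way the IPv6 `if (th->syn)` did before this commit. A small shared helper alongside the other synproxy_* routines this file already calls, e.g. `static inline bool synproxy_is_client_syn(const struct tcphdr *th) { return th->syn && !(th->ack || th->fin || th->rst); }` with a matching `synproxy_is_client_ack()`, would keep the IPv4 and IPv6 paths in lockstep and give the flag policy a single place to be documented. The enclosing function synproxy_tg6 begins and ends outside the hunk.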