It occurred to me that I should be able to extract the protocol number from the tuplehash in struct nf_conn. The original direction tuple should always be there, and I could get it from there. So instead of using IPPROTO_RAW, I could use ct->tuplehash[IP_CT_ORIGINAL].src.l3num.

I'm still pretty new in the netfilter code, so any thoughts are greatly appreciated.

On Tue, Nov 29, 2011 at 12:08 PM, Pete Holland <pholland27@xxxxxxxxx> wrote:
> From: Peter Holland <pholland27@xxxxxxxxx>
>
> Make the logging of dropped packets due to ct helper rejection
> conditional on LOG_INVALID.
> This is consistent with the other uses of nf_log_packet.
> Use the IPPROTO_RAW filter since it is unclear based on the caller
> what protocol it actually is.
> Without this check, there is a possible DoS based on traffic-induced
> log generation.
> (Specifically, this was noted in the wild by an attacker against the SIP helper.)
>
> Signed-off-by: Peter Holland <pholland27@xxxxxxxxx>
>
> ---
>
> --- net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c.orig 2011-11-29
> 11:34:36.683717278 -0800
> +++ net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c 2011-11-29
> 11:41:55.031121908 -0800
> @@ -116,8 +116,9 @@ static unsigned int ipv4_confirm(unsigne
> ret = helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb),
> ct, ctinfo);
> if (ret != NF_ACCEPT) {
> - nf_log_packet(NFPROTO_IPV4, hooknum, skb, in, out, NULL,
> - "nf_ct_%s: dropping packet", helper->name);
> + if (LOG_INVALID(nf_ct_net(ct, IPPROTO_RAW))
> + nf_log_packet(NFPROTO_IPV4, hooknum, skb, in, out, NULL,
> + "nf_ct_%s: dropping packet", helper->name);
> return ret;
> }
>
> --- net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c.orig 2011-11-29
> 11:35:00.221028814 -0800
> +++ net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c 2011-11-29
> 11:38:49.541033773 -0800
> @@ -180,8 +180,9 @@ static unsigned int ipv6_confirm(unsigne
>
> ret = helper->help(skb, protoff, ct, ctinfo);
> if (ret != NF_ACCEPT) {
> - nf_log_packet(NFPROTO_IPV6, hooknum, skb, in, out, NULL,
> - "nf_ct_%s: dropping packet", helper->name);
> + if (LOG_INVALID(nf_ct_net(ct), IPPROTO_RAW))
> + nf_log_packet(NFPROTO_IPV6, hooknum, skb, in, out, NULL,
> + "nf_ct_%s: dropping packet", helper->name);
> return ret;
> }
> out:
> --
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
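Review bot: the new condition in the ipv4_confirm hunk has its parentheses in the wrong place: `+ if (LOG_INVALID(nf_ct_net(ct, IPPROTO_RAW))` passes IPPROTO_RAW as a second argument to nf_ct_net(), which takes only the conntrack, and gives LOG_INVALID a single argument, so the IPv4 file will not compile. It should match the IPv6 hunk: `+ if (LOG_INVALID(nf_ct_net(ct), IPPROTO_RAW))`. The hunk also relies on LOG_INVALID being visible in nf_conntrack_l3proto_ipv4.c, but nothing in the patch defines or includes it there; in the tree that macro is a file-local define in the per-L4-protocol conntrack modules (nf_conntrack_proto_tcp.c and friends), so it needs to be hoisted into a shared header or copied into this file for the build to succeed.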
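Review bot: the ipv6_confirm hunk's condition is well formed, but as with the IPv4 file the patch adds no definition of LOG_INVALID to nf_conntrack_l3proto_ipv6.c, so it has the same build dependency on that macro being made available. Separately, passing IPPROTO_RAW as the protocol argument makes the check degenerate to "log only when nf_conntrack_log_invalid is set to 255 (all)", because the macro's per-protocol clause can then never match anything else; if that is the intended behaviour the commit message should say so, since it differs from the per-protocol gating the other nf_log_packet callers get. If per-protocol gating is wanted instead, note that the L4 protocol number lives in the tuple's dst.protonum (and is also reachable from the helper's own tuple); l3num, as proposed in the reply, is the address family, not the transport protocol.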