Hi Pablo,

Jan Wrobel wrote a nice article on off-path TCP attacks (see http://arxiv.org/abs/1201.2074). He discovered two weaknesses in netfilter TCP conntrack, which make such attacks easier. The next two patches fix the issues. Please review them and consider applying them.

Best regards,
Jozsef

Jozsef Kadlecsik (2):
  netfilter: Mark SYN/ACK packets as invalid from original direction
  netfilter: Validate the sequence number of dataless ACK packets as well

 net/netfilter/nf_conntrack_proto_tcp.c | 29 ++++++++++-------------------
 1 files changed, 10 insertions(+), 19 deletions(-)