On Fri, Nov 16, 2012 at 03:00:11PM +0100, pablo@xxxxxxxxxxxxx wrote:
> From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
>
> Hi!
>
> Please, consider the following Netfilter patches for stable 3.0 and
> onwards inclusion.
>
> The selected three patches are:
>
> 4a70bbf netfilter: Validate the sequence number of dataless ACK packets as well
> 64f509c netfilter: Mark SYN/ACK packets as invalid from original direction
> [BACKPORT] 38fe36a netfilter: nf_nat: don't check for port change on ICMP tuples
>
> The first two patches can be considered security fixes in the TCP connection
> tracking to make harder off-path attacks. For more information you can read:
> "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel.
>
> The latter fixes the re-routing of every ICMP packet going through NAT even
> if it is not required, which is an expensive operation. That one has been
> backported to 3.0.
>
> Please, cherry-pick them. Thanks!

All applied, thanks.

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
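Added illustration of the two TCP connection-tracking checks the cover letter describes (it is not netfilter code and not part of either message above). It is a deliberately simplified model: a fixed 64 KiB window is assumed for both peers, sequence-number wraparound is ignored, and the `Tracker`, `Segment` and `Dir` names are invented here. The `validate_dataless_ack=False` mode models the pre-fix behaviour in which an ACK carrying no payload skipped the sequence check, so an out-of-window ACK was still accepted; the default mode validates it, and a SYN/ACK arriving from the original direction is marked invalid.

```python
# Simplified TCP conntrack model written for this page (not netfilter code).
from dataclasses import dataclass
from enum import Enum, auto

WINDOW = 65535  # assumed advertised window for both peers (simplification)


class Dir(Enum):
    ORIGINAL = auto()  # segments sent by the connection initiator
    REPLY = auto()     # segments sent by the responder


def other(d: Dir) -> Dir:
    return Dir.REPLY if d is Dir.ORIGINAL else Dir.ORIGINAL


@dataclass
class Segment:
    direction: Dir
    syn: bool
    ack: bool
    seq: int
    ack_seq: int
    payload_len: int = 0

    @property
    def dataless_ack(self) -> bool:
        return self.ack and not self.syn and self.payload_len == 0


class Tracker:
    """Tracks one flow and returns a verdict per segment: NEW, SYN_RECV, ESTABLISHED or INVALID."""

    def __init__(self, validate_dataless_ack: bool = True):
        # False models the pre-fix behaviour: dataless ACKs bypassed the window check.
        self.validate_dataless_ack = validate_dataless_ack
        self.state = "NONE"
        self.next_seq = {}  # next sequence number expected from each sender

    def _in_window(self, seg: Segment) -> bool:
        exp_seq = self.next_seq[seg.direction]
        exp_ack = self.next_seq[other(seg.direction)]
        seq_ok = exp_seq - WINDOW <= seg.seq <= exp_seq + WINDOW
        ack_ok = exp_ack - WINDOW <= seg.ack_seq <= exp_ack  # cannot ack unsent data
        return seq_ok and ack_ok

    def process(self, seg: Segment) -> str:
        if self.state == "NONE":
            if seg.syn and not seg.ack and seg.direction is Dir.ORIGINAL:
                self.next_seq[Dir.ORIGINAL] = seg.seq + 1
                self.state = "SYN_SENT"
                return "NEW"
            return "INVALID"
        if self.state == "SYN_SENT":
            if seg.syn and seg.ack:
                # A SYN/ACK is only legitimate from the responder; from the
                # original direction it is marked invalid (second patch).
                if seg.direction is not Dir.REPLY or seg.ack_seq != self.next_seq[Dir.ORIGINAL]:
                    return "INVALID"
                self.next_seq[Dir.REPLY] = seg.seq + 1
                self.state = "SYN_RECV"
                return "SYN_RECV"
            if seg.syn and seg.direction is Dir.ORIGINAL:
                return "NEW"  # SYN retransmission
            return "INVALID"
        if self.state == "SYN_RECV":
            ok = (seg.direction is Dir.ORIGINAL and seg.ack and not seg.syn
                  and seg.seq == self.next_seq[Dir.ORIGINAL]
                  and seg.ack_seq == self.next_seq[Dir.REPLY])
            if not ok:
                return "INVALID"
            self.state = "ESTABLISHED"
            self.next_seq[Dir.ORIGINAL] = seg.seq + seg.payload_len
            return "ESTABLISHED"
        # ESTABLISHED: every segment must fit the window (first patch extends
        # this to ACKs without data, which the lenient mode still skips).
        if seg.dataless_ack and not self.validate_dataless_ack:
            return "ESTABLISHED"
        if not self._in_window(seg):
            return "INVALID"
        self.next_seq[seg.direction] = max(self.next_seq[seg.direction], seg.seq + seg.payload_len)
        return "ESTABLISHED"


def handshake(tracker: Tracker) -> list:
    """Drive a constructed three-way handshake through the tracker."""
    return [
        tracker.process(Segment(Dir.ORIGINAL, syn=True, ack=False, seq=1000, ack_seq=0)),
        tracker.process(Segment(Dir.REPLY, syn=True, ack=True, seq=5000, ack_seq=1001)),
        tracker.process(Segment(Dir.ORIGINAL, syn=False, ack=True, seq=1001, ack_seq=5001)),
    ]


def out_of_window_ack_verdict(validate_dataless_ack: bool) -> str:
    """Verdict for a constructed dataless ACK whose seq is far outside the window."""
    t = Tracker(validate_dataless_ack)
    handshake(t)
    return t.process(Segment(Dir.ORIGINAL, syn=False, ack=True, seq=1001 + 10 * WINDOW, ack_seq=5001))


def synack_from_original_verdict() -> str:
    """Verdict for a SYN/ACK seen from the original direction after the SYN."""
    t = Tracker()
    t.process(Segment(Dir.ORIGINAL, syn=True, ack=False, seq=1000, ack_seq=0))
    return t.process(Segment(Dir.ORIGINAL, syn=True, ack=True, seq=1000, ack_seq=0))


if __name__ == "__main__":
    print(handshake(Tracker()))
    print("strict:", out_of_window_ack_verdict(True), "lenient:", out_of_window_ack_verdict(False))
    print("SYN/ACK from original:", synack_from_original_verdict())
```

Running the block shows the difference the first patch makes: the same out-of-window dataless ACK is accepted by the lenient tracker and rejected as INVALID by the validating one, while the second check rejects a SYN/ACK from the initiator regardless of mode.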