Re: [PATCH v2 5/6] netfilter: nf_flow_table: tear down TCP flows if RST or FIN was seen

On Sun, Feb 25, 2018 at 06:18:51PM +0100, Felix Fietkau wrote:
> Allow the slow path to handle the shutdown of the connection with proper
> timeouts
> 
> Signed-off-by: Felix Fietkau <nbd@xxxxxxxx>
> ---
>  net/netfilter/nf_flow_table_ip.c | 30 +++++++++++++++++++++++++++---
>  1 file changed, 27 insertions(+), 3 deletions(-)
> 
> diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
> index fc6f00c42d48..df58ed8be330 100644
> --- a/net/netfilter/nf_flow_table_ip.c
> +++ b/net/netfilter/nf_flow_table_ip.c
> @@ -15,6 +15,23 @@
>  #include <linux/tcp.h>
>  #include <linux/udp.h>
>  
> +static int nf_flow_tcp_state_check(struct flow_offload *flow,
> +				   struct sk_buff *skb, unsigned int thoff)
> +{
> +	struct tcphdr *tcph;
> +
> +	if (!pskb_may_pull(skb, thoff + sizeof(*tcph)))
> +		return -1;
> +
> +	tcph = (void *)(skb_network_header(skb) + thoff);
> +	if (unlikely(tcph->fin || tcph->rst)) {
> +		flow_offload_teardown(flow);

This opens up for denial of service attacks.

Anyone sending us fin or reset packets will immediately result in
tearing down the flow.

> +		return -1;
> +	}
> +
> +	return 0;
> +}
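Review bot: the flow_offload_teardown() call under the `tcph->fin || tcph->rst` test fires on any segment whose addresses and ports match the offloaded flow, with no check of the segment against the connection's TCP state (sequence numbers, window, direction), so one unsolicited RST or FIN is enough to evict the flow from the fast path; that is the denial-of-service point raised in the reply above. Since the function already returns -1 to push the packet to the slow path, consider not tearing the flow down here at all and instead letting conntrack's TCP window tracking decide whether the shutdown is genuine, tearing the flow down only once conntrack has moved the connection into a closing state. Two smaller points on the same hunk: -1 is returned both when pskb_may_pull() fails and when a shutdown was seen, so a caller cannot tell a truncated header from a legitimate FIN/RST, and the new function should carry a comment stating that the caller is expected to hand the packet to the slow path on -1, since that expectation is what makes the "proper timeouts" in the commit message hold.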