Re: Is this possible SYN Proxy bug?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jun 18, 2019 at 3:40 PM Florian Westphal <fw@xxxxxxxxx> wrote:
>
> Does this patch fix the problem for you?
>
> diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
> --- a/net/ipv4/netfilter/ipt_SYNPROXY.c
> +++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
> @@ -286,6 +286,7 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
>                         opts.options |= XT_SYNPROXY_OPT_ECN;
>
>                 opts.options &= info->options;
> +               opts.mss = info->mss;
>                 if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
>                         synproxy_init_timestamp_cookie(info, &opts);
>                 else
> diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
> --- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
> +++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
> @@ -300,6 +300,7 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
>                         opts.options |= XT_SYNPROXY_OPT_ECN;
>
>                 opts.options &= info->options;
> +               opts.mss = info->mss;
>                 if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
>                         synproxy_init_timestamp_cookie(info, &opts);
>                 else

I applied this patch and did same test with same setup.
On External interface mss value seems correct. But This time on
internal interface firewall set mss value to 1460 on syn packet rather
than 536.
Here is samples.

External
10.0.0.215.60812 > 10.0.1.213.80: Flags [S], seq 1275328749, win
25200, options [mss 1260,sackOK,TS val 183998290 ecr 0,nop,wscale 7],
length 0
10.0.1.213.80 > 10.0.0.215.60812: Flags [S.], seq 584730658, ack
1275328750, win 0, options [mss 1460,sackOK,TS val 193047 ecr
183998290,nop,wscale 2], length 0

Internal
10.0.0.215.60812 > 10.0.1.213.80: Flags [S], seq 1275328749, win 197,
options [mss 1460,sackOK,TS val 183998290 ecr 193047,nop,wscale 7],
length 0
10.0.1.213.80 > 10.0.0.215.60812: Flags [S.], seq 3022386930, ack
1275328750, win 14480, options [mss 1460,sackOK,TS val 101024266 ecr
183998290,nop,wscale 2], length 0



[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux