Re: [PATCH v2] netfilter: synproxy: erroneous TCP mss option fixed.

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> · Thu, 27 Jun 2019 20:57:44 +0200

On Tue, Jun 25, 2019 at 08:42:04AM +0300, Ibrahim Ercan wrote:
> Syn proxy isn't setting mss value correctly on client syn-ack packet.
> It was sending same mss value with client send instead of the value user set in iptables rule. This patch fix that wrong behavior by passing client mss information to synproxy_send_client_synack correctly.
> 
> Signed-off-by: Ibrahim Ercan <ibrahim.ercan@xxxxxxxxxxxxxxxxxxx>
> ---
>  net/ipv4/netfilter/ipt_SYNPROXY.c  | 9 ++++++---
>  net/ipv6/netfilter/ip6t_SYNPROXY.c | 9 ++++++---
>  2 files changed, 12 insertions(+), 6 deletions(-)
> 
> diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
> index 64d9563..e0bd504 100644
> --- a/net/ipv4/netfilter/ipt_SYNPROXY.c
> +++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
> @@ -69,13 +69,13 @@ synproxy_send_tcp(struct net *net,
>  static void
>  synproxy_send_client_synack(struct net *net,
>  			    const struct sk_buff *skb, const struct tcphdr *th,
> -			    const struct synproxy_options *opts)
> +			    const struct synproxy_options *opts, const u16 client_mssinfo)
>  {
>  	struct sk_buff *nskb;
>  	struct iphdr *iph, *niph;
>  	struct tcphdr *nth;
>  	unsigned int tcp_hdr_size;
> -	u16 mss = opts->mss;
> +	u16 mss = client_mssinfo;
>  
>  	iph = ip_hdr(skb);
>  
> @@ -264,6 +264,7 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
>  	struct synproxy_net *snet = synproxy_pernet(net);
>  	struct synproxy_options opts = {};
>  	struct tcphdr *th, _th;
> +	u16 client_mssinfo;
>  
>  	if (nf_ip_checksum(skb, xt_hooknum(par), par->thoff, IPPROTO_TCP))
>  		return NF_DROP;
> @@ -283,6 +284,8 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
>  			opts.options |= XT_SYNPROXY_OPT_ECN;
>  
>  		opts.options &= info->options;
> +		client_mssinfo = opts.mss;
> +		opts.mss = info->mss;

No need for this new client_mssinfo variable, right? I mean, you can
just set:

        opts.mss = info->mss;

and use it from synproxy_send_client_synack().

This patch will be smaller.

>  		if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
>  			synproxy_init_timestamp_cookie(info, &opts);
>  		else
> @@ -290,7 +293,7 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
>  					  XT_SYNPROXY_OPT_SACK_PERM |
>  					  XT_SYNPROXY_OPT_ECN);
>  
> -		synproxy_send_client_synack(net, skb, th, &opts);
> +		synproxy_send_client_synack(net, skb, th, &opts, client_mssinfo);
>  		consume_skb(skb);
>  		return NF_STOLEN;
>  	} else if (th->ack && !(th->fin || th->rst || th->syn)) {