Re: [RFC PATCH v4 03/15] landlock: landlock_find/insert_rule refactoring (TCP port 0)

On 23/03/2022 09:41, Konstantin Meskhidze wrote:


3/22/2022 4:24 PM, Mickaël Salaün wrote:


[...]
The remaining question is: should we need to accept 0 as a valid TCP port? Can it be used? How does the kernel handle it?

I agree that there must be a check for port 0 in add_rule_net_service(), because unlike most port numbers, port 0 is a reserved port in TCP/IP networking, meaning that it should not be used in TCP or UDP messages. Also, network traffic sent across the internet to hosts listening on port 0 might be generated by network attackers or accidentally by applications programmed incorrectly.
Source: https://www.lifewire.com/port-0-in-tcp-and-udp-818145

OK, so denying this port by default without a way to allow it should not be an issue. I guess an -EINVAL error would make sense when trying to allow this port. This should be documented in a comment (with a link to the RFC/section) and a dedicated test should check that behavior.

What is the behavior of firewalls (e.g. Netfilter) when trying to filter port 0?

This doesn't seem to be settled though: https://www.austingroupbugs.net/view.php?id=1068

Interesting article: https://z3r0trust.medium.com/socket-programming-the-bizarre-tcp-ip-port-0-saga-fcfbc0e0a276
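As an added illustration for the question "How does the kernel handle it?" (this is example code, not part of the thread or of the Landlock series): on Linux, passing sin_port == 0 to bind(2) does not bind port 0 at all; the kernel picks a free port from the ephemeral range in net.ipv4.ip_local_port_range, which getsockname(2) then reports. The program assumes a loopback interface and, for the range check only, a readable /proc/sys/net/ipv4/ip_local_port_range.

```c
/* Added example (not from the Landlock series or this thread): how Linux
 * treats TCP port 0 in bind(2). The kernel never binds port 0 itself; it
 * assigns a free port from net.ipv4.ip_local_port_range instead. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Read the ephemeral range; 0 on success, -1 if procfs is unreadable. */
static int read_local_port_range(int *lo, int *hi)
{
	FILE *f = fopen("/proc/sys/net/ipv4/ip_local_port_range", "r");
	int rc = -1;
	if (f) {
		rc = (fscanf(f, "%d %d", lo, hi) == 2) ? 0 : -1;
		fclose(f);
	}
	return rc;
}

/* Bind a TCP socket on 127.0.0.1 with sin_port == 0 and return the port
 * the kernel actually chose (host byte order), or -1 on error. */
static int bind_port_zero(void)
{
	struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = htons(0) };
	socklen_t len = sizeof(addr);
	int fd, port = -1;

	addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	fd = socket(AF_INET, SOCK_STREAM, 0);
	if (fd < 0)
		return -1;
	if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0 &&
	    getsockname(fd, (struct sockaddr *)&addr, &len) == 0)
		port = ntohs(addr.sin_port);
	close(fd);
	return port;
}

int main(void)
{
	int lo, hi, port = bind_port_zero();
	printf("bind(port 0) -> kernel assigned port %d\n", port);
	if (read_local_port_range(&lo, &hi) == 0)
		printf("ip_local_port_range = %d %d (%s)\n", lo, hi,
		       (port >= lo && port <= hi) ? "in range" : "outside range");
	return port > 0 ? 0 : 1;
}
```

The assigned port is never 0, which is why a rule keyed on "port 0" does not describe the port a bound socket actually ends up on.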


