Re: conntrack and RSTs received during CLOSE_WAIT

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 22 May 2009, Anatoly Muliarski wrote:

> The problem consists in that RST-packet with wrong sequence number
> must be treated as INVALID.
> IMHO, the conntrack code should be changed in this way.
> 
> I wrote a fix( sorry, I don't experienced in kernel tcp stack  -
> correct me if I somewhere wrong).
> 
> *** nf_conntrack_proto_tcp.c    2009-05-22 07:22:43.000000000 +0300
> --- /usr/src/linux/1/nf_conntrack_proto_tcp.c   2008-09-08
> 13:20:51.000000000 +0300
> *************** static int tcp_packet(struct nf_conn *ct
> *** 969,979 ****
>                    problem case, so we can delete the conntrack
>                    immediately.  --RR */
>                 if (th->rst) {
> !                 if (ntohl(th->seq) < ct->proto.tcp.last_seq) {
> !                   ct->proto.tcp.state = old_state;
> !                   return -NF_DROP;
> !                 }
> !                       else if (del_timer(&ct->timeout))
>                                 ct->timeout.function((unsigned long)ct);
>                         return NF_ACCEPT;
>                 }
> --- 969,975 ----
>                    problem case, so we can delete the conntrack
>                    immediately.  --RR */
>                 if (th->rst) {
> !                       if (del_timer(&ct->timeout))
>                                 ct->timeout.function((unsigned long)ct);
>                         return NF_ACCEPT;
>                 }

That won't work: the packet which sequence number was recorded in last_seq 
may get lost in transit to the destination and we may receive a *valid* 
RST with a sequence number less than the one in last_seq.

This is the main problem: we can never be sure the packets which are seen 
by firewall do really reach the destination or they order is preserved.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux