On Fri, 22 May 2009, Anatoly Muliarski wrote: > The problem consists in that RST-packet with wrong sequence number > must be treated as INVALID. > IMHO, the conntrack code should be changed in this way. > > I wrote a fix( sorry, I don't experienced in kernel tcp stack - > correct me if I somewhere wrong). > > *** nf_conntrack_proto_tcp.c 2009-05-22 07:22:43.000000000 +0300 > --- /usr/src/linux/1/nf_conntrack_proto_tcp.c 2008-09-08 > 13:20:51.000000000 +0300 > *************** static int tcp_packet(struct nf_conn *ct > *** 969,979 **** > problem case, so we can delete the conntrack > immediately. --RR */ > if (th->rst) { > ! if (ntohl(th->seq) < ct->proto.tcp.last_seq) { > ! ct->proto.tcp.state = old_state; > ! return -NF_DROP; > ! } > ! else if (del_timer(&ct->timeout)) > ct->timeout.function((unsigned long)ct); > return NF_ACCEPT; > } > --- 969,975 ---- > problem case, so we can delete the conntrack > immediately. --RR */ > if (th->rst) { > ! if (del_timer(&ct->timeout)) > ct->timeout.function((unsigned long)ct); > return NF_ACCEPT; > } That won't work: the packet which sequence number was recorded in last_seq may get lost in transit to the destination and we may receive a *valid* RST with a sequence number less than the one in last_seq. This is the main problem: we can never be sure the packets which are seen by firewall do really reach the destination or they order is preserved. Best regards, Jozsef - E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : KFKI Research Institute for Particle and Nuclear Physics H-1525 Budapest 114, POB. 49, Hungary -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html