Re: Is this possible SYN Proxy bug?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



İbrahim Ercan <ibrahim.metu@xxxxxxxxx> wrote:
> On Tue, Jun 18, 2019 at 2:59 PM Florian Westphal <fw@xxxxxxxxx> wrote:
> 
> > >
> > > I am confused. So this statement from manual page is just a illusion?
> > > --mss maximum segment size
> > >               Maximum segment size announced to clients. This must
> > > match the backend.
> >
> > ?
> >
> > Your question was about MSS sent to server.
> >
> > Flow is this:
> > Client          Synproxy         Server
> > -> Syn, mss X
> >     <-Synack,mss M
> > -> ACK
> >                      -> Syn, mss Y
> >
> > M is what you need to configure via --mss switch.
> >
> > Because Synproxy keeps no state, it can only send
> > to real server the MSS that was encoded in syncookie (in synack)
> > packet.  Therefore, X == Y only if the Value from client matches
> > exactly one for the four values of the mss table, in all other
> > cases Y is the next lowest available one.  In your case thats 536.
> >
> > > I don't understand why these restriction exist. Why can't we set mss
> > > value same as what client send to us?
> >
> > We only have 2 bits out of the 32Bit Sequence number for MSS. Increasing
> > mss state table reduces security margin of the cookie.
> 
> My question about both way actually. If you check out my tests, M is
> also not correct. Client sends mss 1260 and syn proxy responds 1260
> too although I set mss 1460 in iptables.

Does this patch fix the problem for you?

diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c b/net/ipv4/netfilter/ipt_SYNPROXY.c
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -286,6 +286,7 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 			opts.options |= XT_SYNPROXY_OPT_ECN;
 
 		opts.options &= info->options;
+		opts.mss = info->mss;
 		if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
 			synproxy_init_timestamp_cookie(info, &opts);
 		else
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c b/net/ipv6/netfilter/ip6t_SYNPROXY.c
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -300,6 +300,7 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
 			opts.options |= XT_SYNPROXY_OPT_ECN;
 
 		opts.options &= info->options;
+		opts.mss = info->mss;
 		if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
 			synproxy_init_timestamp_cookie(info, &opts);
 		else



[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux