From: "İbrahim Ercan" <ibrahim.metu@gmail.com>
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal <fw@strlen.de>
Subject: [PATCH] netfilter: synproxy: erroneous TCP mss option fixed.
Date: Mon, 24 Jun 2019 15:28:07 +0300	[thread overview]
Message-ID: <CAK6Qs9k_bdU9ZL4WRXBGYdtfnP_qhot0hzC=uMQG6C_pkz3+2w@mail.gmail.com> (raw)

Syn proxy isn't setting mss value correctly on client syn-ack packet.

It was sending the same mss value the client sent, instead of the value
the user set in the iptables rule.
This patch fixes that wrong behavior by passing the client mss information
to synproxy_send_client_synack correctly.

Signed-off-by: Ibrahim Ercan <ibrahim.metu@gmail.com>

diff --git a/net/ipv4/netfilter/ipt_SYNPROXY.c
b/net/ipv4/netfilter/ipt_SYNPROXY.c
index 64d9563..e0bd504 100644
--- a/net/ipv4/netfilter/ipt_SYNPROXY.c
+++ b/net/ipv4/netfilter/ipt_SYNPROXY.c
@@ -69,13 +69,13 @@ synproxy_send_tcp(struct net *net,
 static void
 synproxy_send_client_synack(struct net *net,
                            const struct sk_buff *skb, const struct tcphdr *th,
-                           const struct synproxy_options *opts)
+                           const struct synproxy_options *opts, const
u16 client_mssinfo)
 {
        struct sk_buff *nskb;
        struct iphdr *iph, *niph;
        struct tcphdr *nth;
        unsigned int tcp_hdr_size;
-       u16 mss = opts->mss;
+       u16 mss = client_mssinfo;

        iph = ip_hdr(skb);

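Review bot: The new parameter at L29-L30 is declared `const u16 client_mssinfo`, but `const` on a by-value scalar only constrains the callee's local copy and is not the convention in this file's other signatures; `u16 client_mss` would also line up with the local `mss` it initializes at L37. The mailer has also wrapped the signature between `const` and `u16`, and likewise the call at L66-L67 and the same two places in the ip6t_SYNPROXY.c hunks at L81-L82 and L118-L119, so the patch as posted will not apply and needs resending with git send-email. Since the function now carries two MSS values, a comment on the parameter would help, e.g. `/* client_mss: MSS the client advertised in its SYN; opts->mss: value written into the SYN-ACK options */` — the cookie/options split is my inference from the assignment to `mss` here, as the rest of the function body is outside the hunk.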
@@ -264,6 +264,7 @@ synproxy_tg4(struct sk_buff *skb, const struct
xt_action_param *par)
        struct synproxy_net *snet = synproxy_pernet(net);
        struct synproxy_options opts = {};
        struct tcphdr *th, _th;
+       u16 client_mssinfo;

        if (nf_ip_checksum(skb, xt_hooknum(par), par->thoff, IPPROTO_TCP))
                return NF_DROP;
@@ -283,6 +284,8 @@ synproxy_tg4(struct sk_buff *skb, const struct
xt_action_param *par)
                        opts.options |= XT_SYNPROXY_OPT_ECN;

                opts.options &= info->options;
+               client_mssinfo = opts.mss;
+               opts.mss = info->mss;
                if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
                        synproxy_init_timestamp_cookie(info, &opts);
                else
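Review bot: `opts.mss = info->mss;` at L56 overwrites the parsed value unconditionally before `synproxy_init_timestamp_cookie(info, &opts)`; whether the configured value is then advertised presumably still depends on XT_SYNPROXY_OPT_MSS surviving the `opts.options &= info->options` mask on the line above, and if the rule sets no --mss, info->mss is likely zero, so it is worth confirming that the option is gated on that flag and a zero MSS is never emitted. The two new lines deserve a comment stating the intent, e.g. `/* keep the client's MSS for the syncookie; advertise the configured MSS to the client */`. The same two lines appear in synproxy_tg6 at L107-L108. The enclosing SYN branch starts before and ends after this hunk.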
@@ -290,7 +293,7 @@ synproxy_tg4(struct sk_buff *skb, const struct
xt_action_param *par)
                                          XT_SYNPROXY_OPT_SACK_PERM |
                                          XT_SYNPROXY_OPT_ECN);

-               synproxy_send_client_synack(net, skb, th, &opts);
+               synproxy_send_client_synack(net, skb, th, &opts,
client_mssinfo);
                consume_skb(skb);
                return NF_STOLEN;
        } else if (th->ack && !(th->fin || th->rst || th->syn)) {
diff --git a/net/ipv6/netfilter/ip6t_SYNPROXY.c
b/net/ipv6/netfilter/ip6t_SYNPROXY.c
index 41325d5..676de53 100644
--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
+++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
@@ -83,13 +83,13 @@ synproxy_send_tcp(struct net *net,
 static void
 synproxy_send_client_synack(struct net *net,
                            const struct sk_buff *skb, const struct tcphdr *th,
-                           const struct synproxy_options *opts)
+                           const struct synproxy_options *opts, const
u16 client_mssinfo)
 {
        struct sk_buff *nskb;
        struct ipv6hdr *iph, *niph;
        struct tcphdr *nth;
        unsigned int tcp_hdr_size;
-       u16 mss = opts->mss;
+       u16 mss = client_mssinfo;

        iph = ipv6_hdr(skb);

@@ -278,6 +278,7 @@ synproxy_tg6(struct sk_buff *skb, const struct
xt_action_param *par)
        struct synproxy_net *snet = synproxy_pernet(net);
        struct synproxy_options opts = {};
        struct tcphdr *th, _th;
+       u16 client_mssinfo;

        if (nf_ip6_checksum(skb, xt_hooknum(par), par->thoff, IPPROTO_TCP))
                return NF_DROP;
@@ -297,6 +298,8 @@ synproxy_tg6(struct sk_buff *skb, const struct
xt_action_param *par)
                        opts.options |= XT_SYNPROXY_OPT_ECN;

                opts.options &= info->options;
+               client_mssinfo = opts.mss;
+               opts.mss = info->mss;
                if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
                        synproxy_init_timestamp_cookie(info, &opts);
                else
@@ -304,7 +307,7 @@ synproxy_tg6(struct sk_buff *skb, const struct
xt_action_param *par)
                                          XT_SYNPROXY_OPT_SACK_PERM |
                                          XT_SYNPROXY_OPT_ECN);

-               synproxy_send_client_synack(net, skb, th, &opts);
+               synproxy_send_client_synack(net, skb, th, &opts,
client_mssinfo);
                consume_skb(skb);
                return NF_STOLEN;
