[conntrack-tools] filter: fix NAT detection tweak

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Tue Sep 16 21:12:04 CEST 2008


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=587a85e0603d514656a434d44c82d1fdacd5e326
commit 587a85e0603d514656a434d44c82d1fdacd5e326
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Tue Sep 16 21:11:37 2008 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Tue Sep 16 21:11:37 2008 +0200

    filter: fix NAT detection tweak
    
    With this patch, we rely on the real source and destination of the
    packet to perform the filter. The current NAT detection tweak is broken
    for certain situations.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 406737e5aa38f90b01aebe2f6295e7b4ef828220
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Tue Sep 16 21:06:10 2008 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Tue Sep 16 21:06:10 2008 +0200

    ftfw: check for malformed ack and nack messages
    
    This patch checks that the [from, to] interval of ack and nack messages
    is OK. In other words, we check that: to >= from
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  587a85e0603d514656a434d44c82d1fdacd5e326 (commit)
       via  406737e5aa38f90b01aebe2f6295e7b4ef828220 (commit)
      from  8baf83a1170d00dec1ff6b91ab6b66bb3eb064df (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 587a85e0603d514656a434d44c82d1fdacd5e326
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Tue Sep 16 21:11:37 2008 +0200

    filter: fix NAT detection tweak
    
    With this patch, we rely on the real source and destination of the
    packet to perform the filter. The current NAT detection tweak is broken
    for certain situations.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

commit 406737e5aa38f90b01aebe2f6295e7b4ef828220
Author: Pablo Neira Ayuso <pablo at netfilter.org>
Date:   Tue Sep 16 21:06:10 2008 +0200

    ftfw: check for malformed ack and nack messages
    
    This patch checks that the [from, to] interval of ack and nack messages
    is OK. In other words, we check that: to >= from
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>

-----------------------------------------------------------------------
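The ack/nack fix above rejects a [from, to] interval whose end lies before its start. The following C program, added here as an illustration and not code from conntrack-tools, shows what that check accepts and rejects once sequence-number wraparound is taken into account. It assumes that `before()` is the usual wraparound-aware comparison (`(int32_t)(a - b) < 0`); the helper names `seq_before`, `ack_interval_valid` and `ack_interval_len` and the sample intervals are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Wraparound-aware "a is before b" on 32-bit sequence numbers.
 * This mirrors the classic TCP-style before() macro; it is an assumption
 * about the semantics of the project's helper, not a copy of it.
 * The unsigned-to-int32_t cast relies on two's complement, as gcc/clang do. */
static inline bool seq_before(uint32_t a, uint32_t b)
{
	return (int32_t)(a - b) < 0;
}

/* A peer-supplied [from, to] interval is well formed when "to" is not
 * behind "from" modulo 2^32. This is the condition the patch enforces:
 * before(to, from) -> reject. */
static bool ack_interval_valid(uint32_t from, uint32_t to)
{
	return !seq_before(to, from);
}

/* Inclusive number of sequence numbers covered by a well-formed interval.
 * Returns 0 for a malformed interval so callers never iterate on bad input. */
static uint32_t ack_interval_len(uint32_t from, uint32_t to)
{
	if (!ack_interval_valid(from, to))
		return 0;
	return to - from + 1u;	/* modular subtraction handles wraparound */
}

/* Constructed sample messages: seq, from, to. */
struct sample {
	const char *label;
	uint32_t seq, from, to;
};

int main(void)
{
	const struct sample msgs[] = {
		{ "ordinary ack",          10u, 5u, 9u },
		{ "single entry",          10u, 5u, 5u },
		{ "reversed (malformed)",  10u, 9u, 5u },
		{ "wraps past 2^32",       10u, 0xFFFFFFF0u, 0x10u },
		{ "backwards across wrap", 10u, 0x10u, 0xFFFFFFF0u },
		{ "spans half the space",  10u, 0u, 0x80000000u },
	};
	size_t i;

	for (i = 0; i < sizeof(msgs) / sizeof(msgs[0]); i++) {
		const struct sample *m = &msgs[i];
		bool ok = ack_interval_valid(m->from, m->to);

		printf("ACK(%u): from=%u to=%u -> %s (len %u)\n",
		       m->seq, m->from, m->to,
		       ok ? "MSG_CTL" : "MSG_BAD",
		       ack_interval_len(m->from, m->to));
	}
	return 0;
}
```

Two consequences of using `before()` instead of a literal `to >= from` are worth knowing when reading the patch: an interval that wraps past 2^32 (from=0xFFFFFFF0, to=0x10) is accepted, and any interval covering 2^31 or more sequence numbers is rejected even though its `to` is numerically larger than its `from`.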

 src/filter.c    |    9 +++------
 src/netlink.c   |   12 ------------
 src/sync-ftfw.c |    8 ++++++++
 3 files changed, 11 insertions(+), 18 deletions(-)
diff --git a/src/sync-ftfw.c b/src/sync-ftfw.c
index 42005c4..cc8a08c 100644
--- a/src/sync-ftfw.c
+++ b/src/sync-ftfw.c
@@ -302,6 +302,10 @@ static int digest_msg(const struct nethdr *net)
 
 		dprint("ACK(%u): from seq=%u to seq=%u\n",
 			h->seq, h->from, h->to);
+
+		if (before(h->to, h->from))
+			return MSG_BAD;
+
 		rs_list_empty(STATE_SYNC(internal), h->from, h->to);
 		queue_iterate(rs_queue, h, rs_queue_empty);
 		return MSG_CTL;
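Review bot: the new `before(h->to, h->from)` check returns MSG_BAD silently, right after a dprint that has already logged the message as an ordinary ACK; a dprint on the rejection path (for instance "ACK(%u): malformed interval from=%u to=%u\n") would make a peer sending bad intervals visible in the debug trace instead of indistinguishable from a good one. The commit message states the condition as "to >= from", but if before() is the wraparound-aware comparison its name suggests, the accepted set is "to not behind from modulo sequence wrap", which differs from the literal inequality at the wrap boundary; a short note on that in the description would save the next reader from re-deriving it.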
@@ -311,6 +315,10 @@ static int digest_msg(const struct nethdr *net)
 
 		dprint("NACK(%u): from seq=%u to seq=%u\n",
 			nack->seq, nack->from, nack->to);
+
+		if (before(nack->to, nack->from))
+			return MSG_BAD;
+
 		rs_list_to_tx(STATE_SYNC(internal), nack->from, nack->to);
 		queue_iterate(rs_queue, nack, rs_queue_to_tx);
 		return MSG_CTL;
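Review bot: this duplicates the interval check from the ACK path verbatim for NACK; a small shared helper (for example `static int seq_range_bad(uint32_t from, uint32_t to)`) called from both branches would keep the two validations in step if the rule is ever tightened. The same silent-drop point applies here: returning MSG_BAD without a diagnostic after the NACK dprint means malformed NACKs leave no trace of having been rejected.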
