newnat patch for 2.4.17 is in cvs

Harald Welte laforge@gnumonks.org
Fri, 25 Jan 2002 22:13:59 +0100 

On Fri, Jan 25, 2002 at 12:11:08AM -0800, Bob Hockney wrote:

> Since in the normal course of things several DCC sends could be refused
> in a single session, it is quite possible that there could be 
> max_exected expect_relateds FROM ANY HOST ON THE INTERNET for *each*
> active IRC master being tracked by conntrack, and they remain expected
> until either they are replaced by a new expect_related, or until the
> master dies, which could be quite some time after the last refused DCC
> Send occurs.

Yes, I'm completely aware of that.  That's the brokenness of the DCC
extension to IRC.  There's no way to deal with this problem correctly.

What would happen on a machine which didn't have a firewall in front?
It would open exactly the same amount of ports.  IRC connection tracking
opens ugly holes. But there's no way to avoid it.

It's like the problem with half-opened tcp connections.  They can stay 
in this state for an indefinite amount of time.  So what do we do?

If somebody wants timeouts for his expectations, he could implement
them inside the conntrack helper itself. It could have a periodic timer
to clean up old expectations.  Or allocate some small private data structure
with each expectation, containing a timer.  When the timer goes of,
it looks if the expectation is still there.  If yes, delete it.

Yes, it's ugly.  Having timeouts in the core would be more flexible.
But it's an additional 20 bytes per expectation.  Do we really need
that? (struct timer_list should be about 20 bytes on 32bit platforms). 

> Color me purple, but there is a real security issue here.  There could
> potentially be MANY open expected_relateds from 0.0.0.0:xxxx at any 
> given time, and they really shouldn't have to wait until the master
> connection dies (here with an IRC server) to be removed.

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)