technical tests on netfilter under 2.4.0-test2

Denis Ducamp Denis.Ducamp@hsc.fr
Thu, 13 Jul 2000 03:13:44 +0200


Hello,

I tested netfilter under linux-2.4.0-test2 with iptables from the latest cvs
last weekend.

I had on both sides of the test machine a Linux system with hping to generate
packets as I wanted, and a filter on those two systems to generate no response
to those requests.

Here are some bugs that I think should be corrected:

. the conntrack doesn't correctly follow the 3-way handshake, which is a
  vulnerability: the attacker sends a SYN, the victim replies with a SYN-ACK and
  the connection is in the table for 5 days !!!

  Apparently, there are 2 states between NONE and ESTABLISHED (SYN_SENT and
  SYN_RECV) but only one is used, and I can't see how the tcp_conntracks
  table in ip_conntrack_proto_tcp.c works.

. that constant of 5 days, like other constants in ip_conntrack_proto_tcp.c,
  can't be dynamically changed via /proc/sys :-(

. there isn't an option in iptables that permits flushing that table :-(

. iptables doesn't compile under libc5. Is someone porting it or not?
  My firewall is a libc5 system (Slackware 4); I don't want to upgrade the system
  but I want to use netfilter (as soon as linux-2.4.0 is stable).

. under glibc2.1.2 (x86): I had to unapply the last patches on
  netfilter/userspace/libiptc/libiptc.c (diff -u -r1.17 -r1.18) and
  netfilter/userspace/libiptc/libip4tc.c (diff -u -r1.3 -r1.4) to get
  iptables to compile,
  and put some undefined constants at struct ipt_reject_with in
  /usr/src/linux/include/linux/netfilter_ipv4/ipt_REJECT.h

. when everything is compiled as modules, a "modprobe ip_conntrack_ftp"
  loads ipfwadm.o, which doesn't permit other modules to load. I had to
  "manually" load another module before.

Even without verifying ack numbers (a lot of commercial products don't),
netfilter is a big step forward (once bug #1 is corrected). Thanks to
all those who write and test it.

I will make other tests when 2.4.0 is more stable.

Denis Ducamp.

-- 
Denis.Ducamp@hsc.fr -- Hervé Schauer Consultants -- http://www.hsc.fr/
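A small added model of the handshake-tracking problem described as bug #1 above; this is illustration code written for this page, not code from the post or from netfilter. The transition tables, the per-state timeouts (except the 5-day ESTABLISHED figure taken from the post) and the "loose" table modelling the reported behaviour are all assumptions.

```python
"""Toy TCP connection-tracking state machine with per-state timeouts.

Constructed for illustration: the transition tables and timeout values are
assumed, not netfilter's own. Only the 5-day ESTABLISHED timeout comes from
the mailing-list post this model accompanies.
"""

NONE, SYN_SENT, SYN_RECV, ESTABLISHED = "NONE", "SYN_SENT", "SYN_RECV", "ESTABLISHED"

# Assumed per-state timeouts in seconds: half-open states expire quickly,
# only a fully established connection keeps the long timeout.
TIMEOUTS = {SYN_SENT: 120, SYN_RECV: 60, ESTABLISHED: 5 * 24 * 3600}

# Strict tracking of the full three-way handshake:
# (current state, packet direction, TCP flags) -> new state.
STRICT = {
    (NONE, "orig", "SYN"): SYN_SENT,          # initiator opens
    (SYN_SENT, "reply", "SYN-ACK"): SYN_RECV,  # responder answers
    (SYN_RECV, "orig", "ACK"): ESTABLISHED,    # initiator completes handshake
    (ESTABLISHED, "orig", "ACK"): ESTABLISHED,
    (ESTABLISHED, "reply", "ACK"): ESTABLISHED,
}

# Assumed model of the behaviour the post reports: the SYN-ACK alone moves
# the entry to ESTABLISHED, so SYN_RECV is never used and a half-open
# connection inherits the long timeout.
LOOSE = dict(STRICT)
LOOSE[(SYN_SENT, "reply", "SYN-ACK")] = ESTABLISHED


def track(packets, table):
    """Run (direction, flags) packets through a transition table.

    Returns (final_state, timeout_seconds). A packet with no matching
    transition is treated as invalid and leaves the state unchanged.
    """
    state = NONE
    for direction, flags in packets:
        state = table.get((state, direction, flags), state)
    return state, TIMEOUTS.get(state, 0)


# Constructed traffic: a SYN answered by a SYN-ACK, final ACK never sent.
HALF_OPEN = [("orig", "SYN"), ("reply", "SYN-ACK")]
FULL = HALF_OPEN + [("orig", "ACK")]

if __name__ == "__main__":
    for name, table in (("strict", STRICT), ("loose", LOOSE)):
        for label, pkts in (("half-open", HALF_OPEN), ("complete", FULL)):
            state, timeout = track(pkts, table)
            print(f"{name:6} {label:9} -> {state:11} timeout {timeout}s")
```

Under the strict table the half-open entry expires after the short SYN_RECV timeout, while under the loose table the same two packets yield an ESTABLISHED entry that lives for the full 5 days.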