aha/net
Jozsef Kadlecsik bfcaa50270 netfilter: nf_ct_tcp: fix accepting invalid RST segments
Robert L Mathews discovered that some clients send evil TCP RST segments,
which are accepted by netfilter conntrack but discarded by the
destination. Thus the conntrack entry is destroyed but the destination
retransmits data until timeout.

The same technique, i.e. sending properly crafted RST segments, can easily
be used to bypass connlimit/connbytes based restrictions (the sample
script written by Robert can be found in the netfilter mailing list
archives).

The patch below adds a new flag and new field to struct ip_ct_tcp_state so
that checking RST segments can be made more strict and thus TCP conntrack
can catch the invalid ones: the RST segment is accepted only if its
sequence number higher than or equal to the highest ack we seen from the
other direction. (The last_ack field cannot be reused because it is used
to catch resent packets.)

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2009-05-25 17:23:15 +02:00
..
9p 9p: fix sparse warning: cast adds address space 2009-02-26 23:13:32 -08:00
802 snap: use const for descriptor 2009-03-21 19:06:50 -07:00
8021q gro: Fix vlan/netpoll check again 2009-03-17 13:10:52 -07:00
appletalk proc 2/2: remove struct proc_dir_entry::owner 2009-03-31 01:14:44 +04:00
atm proc 2/2: remove struct proc_dir_entry::owner 2009-03-31 01:14:44 +04:00
ax25 Revert "ax25: zero length frame filtering in AX25" 2009-03-27 17:23:42 -07:00
bluetooth proc tty: remove struct tty_operations::read_proc 2009-04-01 08:59:10 -07:00
bridge netfilter: bridge: allow fragmentation of VLAN packets traversing a bridge 2009-04-20 17:12:35 +02:00
can proc 2/2: remove struct proc_dir_entry::owner 2009-03-31 01:14:44 +04:00
core Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2009-04-02 21:05:30 -07:00
dcb DCB: fix kfree(skb) 2009-01-04 17:29:21 -08:00
dccp dccp: Do not let initial option overhead shrink the MPS 2009-03-02 03:07:23 -08:00
decnet net/*: use linux/kernel.h swap() 2009-03-21 13:36:17 -07:00
dsa dsa: add switch chip cascading support 2009-03-21 19:06:54 -07:00
econet net: convert usage of packet_type to read_mostly 2009-03-10 05:22:43 -07:00
ethernet eth: Declare an optimized compare_ether_addr_64bits() function 2008-11-23 23:24:32 -08:00
ipv4 netfilter: nf_nat: add support for persistent mappings 2009-04-16 18:33:01 +02:00
ipv6 netfilter: ip6t_ipv6header: fix match on packets ending with NEXTHDR_NONE 2009-05-05 15:32:16 +02:00
ipx ipx: use constant for strings and desciptor 2009-03-21 19:06:51 -07:00
irda proc tty: switch ircomm to ->proc_fops 2009-04-01 08:59:10 -07:00
iucv iucv: remove some pointless conditionals before kfree_skb() 2009-02-26 23:07:37 -08:00
key af_key: remove some pointless conditionals before kfree_skb() 2009-02-26 23:07:32 -08:00
lapb
llc proc 2/2: remove struct proc_dir_entry::owner 2009-03-31 01:14:44 +04:00
mac80211 trivial: fix typos/grammar errors in Kconfig texts 2009-03-30 15:22:01 +02:00
netfilter netfilter: nf_ct_tcp: fix accepting invalid RST segments 2009-05-25 17:23:15 +02:00
netlabel netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections 2009-03-28 15:01:37 +11:00
netlink Merge branch 'master' of /home/davem/src/GIT/linux-2.6/ 2009-03-26 15:23:24 -07:00
netrom Revert "netrom: zero length frame filtering in NetRom" 2009-03-27 17:22:55 -07:00
packet Network Drop Monitor: Adding kfree_skb_clean for non-drops and modifying end-of-line points for skbs 2009-03-13 12:09:28 -07:00
phonet trivial: fix typos/grammar errors in Kconfig texts 2009-03-30 15:22:01 +02:00
rds RDS: Use spinlock to protect 64b value update on 32b archs 2009-04-02 00:52:22 -07:00
rfkill net/rfkill/rfkill.c: fix unused rfkill_led_trigger() warning 2009-01-04 17:11:24 -08:00
rose af_rose/x25: Sanity check the maximum user frame size 2009-03-27 00:28:21 -07:00
rxrpc RxRPC: Fix a potential NULL dereference 2009-02-06 21:50:52 -08:00
sched net/*: use linux/kernel.h swap() 2009-03-21 13:36:17 -07:00
sctp proc 2/2: remove struct proc_dir_entry::owner 2009-03-31 01:14:44 +04:00
sunrpc Merge git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux-2.6-cpumask 2009-04-05 10:33:07 -07:00
tipc tipc: fix non-const printf format arguments 2009-03-18 19:11:29 -07:00
unix New helper - current_umask() 2009-03-31 23:00:26 -04:00
wanrouter wanrouter: fix sparse warnings: context imbalance 2009-02-26 23:13:36 -08:00
wimax trivial: fix typos/grammar errors in Kconfig texts 2009-03-30 15:22:01 +02:00
wireless cfg80211: default CONFIG_WIRELESS_OLD_REGULATORY to n 2009-03-27 20:13:23 -04:00
x25 af_rose/x25: Sanity check the maximum user frame size 2009-03-27 00:28:21 -07:00
xfrm xfrm: spin_lock() should be spin_unlock() in xfrm_state.c 2009-03-27 00:23:04 -07:00
compat.c net: socket infrastructure for SO_TIMESTAMPING 2009-02-15 22:43:35 -08:00
Kconfig trivial: fix typos/grammar errors in Kconfig texts 2009-03-30 15:22:01 +02:00
Makefile RDS: Kconfig and Makefile 2009-02-26 23:43:35 -08:00
nonet.c
socket.c lsm: Remove the socket_post_accept() hook 2009-03-28 15:01:37 +11:00
sysctl_net.c net: sysctl_net - use net_eq to compare nets 2009-03-16 16:23:30 +01:00
TUNABLE