On Fri, 2015-05-15 at 10:05 +0200, Willy Tarreau wrote:
> 2.6.32-longterm review patch.  If anyone has any objections, please let me
> know.
>
> ------------------
>
> From: Florian Westphal <[email protected]>
>
> commit db29a9508a9246e77087c5531e45b2c88ec6988b upstream
>
> Given the following iptables ruleset:
>
> -P FORWARD DROP
> -A FORWARD -m sctp --dport 9 -j ACCEPT
> -A FORWARD -p tcp --dport 80 -j ACCEPT
> -A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT
>
> One would assume that this allows SCTP on port 9 and TCP on port 80.
> Unfortunately, if the SCTP conntrack module is not loaded, this allows
> *all* SCTP communication to pass through, i.e. -p sctp -j ACCEPT,
> which we think is a security issue.
>
> This is because on the first SCTP packet on port 9, we create a dummy
> "generic l4" conntrack entry without any port information (since
> conntrack doesn't know how to extract this information).
>
> All subsequent packets that are unknown will then be in established
> state since they will fall back to proto_generic and will match the
> 'generic' entry.
>
> Our originally proposed version [1] completely disabled generic protocol
> tracking, but Jozsef suggests not tracking protocols for which a more
> suitable helper is available, hence we now mitigate the issue for in
> tree known ct protocol helpers only, so that at least NAT and direction
> information will still be preserved for others.
>
> [1] http://www.spinics.net/lists/netfilter-devel/msg33430.html
>
> Joint work with Daniel Borkmann.
>
> Signed-off-by: Florian Westphal <[email protected]>
> Signed-off-by: Daniel Borkmann <[email protected]>
> Acked-by: Jozsef Kadlecsik <[email protected]>
> Signed-off-by: Pablo Neira Ayuso <[email protected]>
> [bwh: Backported to 2.6.32: adjust context]
> Signed-off-by: Ben Hutchings <[email protected]>
> Signed-off-by: Willy Tarreau <[email protected]>
[...]

-- 
Ben Hutchings
It is impossible to make anything foolproof because fools are so ingenious.
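The mechanism the quoted commit message describes, as an added illustration that is not part of the thread or of the kernel code: a small Python model of a conntrack table in which the "generic" L4 tracker builds a tuple without ports, so that once the first SCTP packet on port 9 is accepted and confirmed, every later SCTP packet between the same hosts looks up the same entry and is reported as ESTABLISHED. Flipping the `mitigated` switch models the fix the message describes (no generic entry for a protocol that has an in-tree tracker), after which those packets are untracked and fall through to the DROP policy. The class and function names, the packet samples and the `KNOWN_L4` set are constructed for this model; the model also applies the ESTABLISHED,RELATED rule to every protocol, which is an assumption made so that the ruleset's bypass can be shown in isolation.

```python
"""Simplified model of netfilter conntrack lookup with a generic L4 tracker.

Added illustration, not kernel code.  Names, packet samples and the
KNOWN_L4 set are constructed for this model.
"""
from dataclasses import dataclass

TCP, SCTP = 6, 132
PROTO_NAME = {TCP: "tcp", SCTP: "sctp"}
# Protocols that have a dedicated in-tree conntrack tracker (assumption of
# the model: the tracker may exist as a module that is simply not loaded).
KNOWN_L4 = {"tcp", "udp", "sctp", "dccp", "udplite"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


class Conntrack:
    def __init__(self, loaded_trackers, mitigated):
        self.loaded = set(loaded_trackers)  # e.g. {"tcp"}; sctp module absent
        self.mitigated = mitigated          # refuse generic entries for KNOWN_L4
        self.table = set()                  # confirmed conntrack entries

    def tuple_of(self, pkt):
        if PROTO_NAME.get(pkt.proto) in self.loaded:
            # A real tracker knows the protocol and includes the ports.
            return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        # proto_generic cannot extract ports: the tuple is address+proto only.
        return (pkt.src, pkt.dst, pkt.proto)

    def lookup(self, pkt):
        """Return (state, tuple); state is ESTABLISHED, NEW or INVALID."""
        name = PROTO_NAME.get(pkt.proto)
        if name not in self.loaded and self.mitigated and name in KNOWN_L4:
            return "INVALID", None  # untracked: can never become ESTABLISHED
        t = self.tuple_of(pkt)
        return ("ESTABLISHED" if t in self.table else "NEW"), t

    def confirm(self, t):
        """Entries are only confirmed for packets that were accepted."""
        if t is not None:
            self.table.add(t)


def forward(ct, pkt):
    """Apply the FORWARD ruleset from the message (state rule modelled as
    protocol-independent); conntrack lookup runs before the filter rules."""
    state, t = ct.lookup(pkt)
    name = PROTO_NAME.get(pkt.proto)
    if name == "sctp" and pkt.dport == 9:
        verdict = "ACCEPT"
    elif name == "tcp" and pkt.dport == 80:
        verdict = "ACCEPT"
    elif state in ("ESTABLISHED", "RELATED"):
        verdict = "ACCEPT"
    else:
        verdict = "DROP"  # -P FORWARD DROP
    if verdict == "ACCEPT":
        ct.confirm(t)
    return verdict


# Constructed sample traffic from one client to one server.
SAMPLE = [
    Packet("10.0.0.2", "10.0.0.9", SCTP, 40000, 9),   # allowed by rule 2
    Packet("10.0.0.2", "10.0.0.9", SCTP, 40001, 22),  # should be dropped
    Packet("10.0.0.2", "10.0.0.9", TCP, 40002, 443),  # should be dropped
]


def run(mitigated):
    """Verdicts for SAMPLE with only the TCP tracker loaded."""
    ct = Conntrack(loaded_trackers={"tcp"}, mitigated=mitigated)
    return [forward(ct, p) for p in SAMPLE]


if __name__ == "__main__":
    print("generic tracking on :", run(mitigated=False))
    print("generic tracking off:", run(mitigated=True))
```

Without the mitigation the second SCTP packet (port 22) is accepted because the port-less generic entry created by the first packet matches it; with the mitigation it is dropped. The TCP packet is dropped in both runs because the loaded TCP tracker keys its entry on the ports, which is the behaviour the message wants for every protocol that has a proper tracker.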