Skip to content

L
linux
Commit b83329fb authored by Fernando Fernandez Mancera's avatar Fernando Fernandez Mancera Committed by Pablo Neira Ayuso
Browse files
Options

netfilter: synproxy: fix erroneous tcp mss option 

Now synproxy sends the mss value set by the user on client syn-ack packet
instead of the mss value that client announced.

Fixes: 48b1de4c ("netfilter: add SYNPROXY core/target")
Signed-off-by: default avatarFernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent f41828ee
Hide whitespace changes
Inline Side-by-side
Showing with 9 additions and 2 deletions
include/net/netfilter/nf_conntrack_synproxy.h
View file @ b83329fb
...@@ -68,6 +68,7 @@ struct synproxy_options { ...@@ -68,6 +68,7 @@ struct synproxy_options {
u8 options; u8 options;
u8 wscale; u8 wscale;
u16 mss; u16 mss;
u16 mss_encode;
u32 tsval; u32 tsval;
u32 tsecr; u32 tsecr;
}; };
......
net/ipv4/netfilter/ipt_SYNPROXY.c
View file @ b83329fb
...@@ -36,6 +36,8 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par) ...@@ -36,6 +36,8 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
opts.options |= XT_SYNPROXY_OPT_ECN; opts.options |= XT_SYNPROXY_OPT_ECN;
opts.options &= info->options; opts.options &= info->options;
opts.mss_encode = opts.mss;
opts.mss = info->mss;
if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP) if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
synproxy_init_timestamp_cookie(info, &opts); synproxy_init_timestamp_cookie(info, &opts);
else else
......
net/ipv6/netfilter/ip6t_SYNPROXY.c
View file @ b83329fb
...@@ -36,6 +36,8 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par) ...@@ -36,6 +36,8 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
opts.options |= XT_SYNPROXY_OPT_ECN; opts.options |= XT_SYNPROXY_OPT_ECN;
opts.options &= info->options; opts.options &= info->options;
opts.mss_encode = opts.mss;
opts.mss = info->mss;
if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP) if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
synproxy_init_timestamp_cookie(info, &opts); synproxy_init_timestamp_cookie(info, &opts);
else else
......
net/netfilter/nf_synproxy_core.c
View file @ b83329fb
...@@ -470,7 +470,7 @@ synproxy_send_client_synack(struct net *net, ...@@ -470,7 +470,7 @@ synproxy_send_client_synack(struct net *net,
struct iphdr *iph, *niph; struct iphdr *iph, *niph;
struct tcphdr *nth; struct tcphdr *nth;
unsigned int tcp_hdr_size; unsigned int tcp_hdr_size;
u16 mss = opts->mss; u16 mss = opts->mss_encode;
iph = ip_hdr(skb); iph = ip_hdr(skb);
...@@ -884,7 +884,7 @@ synproxy_send_client_synack_ipv6(struct net *net, ...@@ -884,7 +884,7 @@ synproxy_send_client_synack_ipv6(struct net *net,
struct ipv6hdr *iph, *niph; struct ipv6hdr *iph, *niph;
struct tcphdr *nth; struct tcphdr *nth;
unsigned int tcp_hdr_size; unsigned int tcp_hdr_size;
u16 mss = opts->mss; u16 mss = opts->mss_encode;
iph = ipv6_hdr(skb); iph = ipv6_hdr(skb);
......
net/netfilter/nft_synproxy.c
View file @ b83329fb
...@@ -31,6 +31,8 @@ static void nft_synproxy_tcp_options(struct synproxy_options *opts, ...@@ -31,6 +31,8 @@ static void nft_synproxy_tcp_options(struct synproxy_options *opts,
opts->options |= NF_SYNPROXY_OPT_ECN; opts->options |= NF_SYNPROXY_OPT_ECN;
opts->options &= priv->info.options; opts->options &= priv->info.options;
opts->mss_encode = opts->mss;
opts->mss = info->mss;
if (opts->options & NF_SYNPROXY_OPT_TIMESTAMP) if (opts->options & NF_SYNPROXY_OPT_TIMESTAMP)
synproxy_init_timestamp_cookie(info, opts); synproxy_init_timestamp_cookie(info, opts);
else else
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7