Re: [ovs-dev] [PATCH 1/6] conntrack: fix multiple tcp seq adjustments

Wed, 19 Dec 2018 00:16:54 -0800 

Thanks for working on this.

1/
What is the use case for multiple adjustments?
This code has been tested externally to Vmware as well.
Also multiple adjustments may be indicative of an exploit attempt or other
problem, so lets delineate
the use case first; please add a 'real' test case for this.

2/
IF we end up supporting multiple adjustments, as it stands now the patch
fails these tests
conntrack - NAT

 96: conntrack - FTP NAT postrecirc seqadj           FAILED (
system-traffic.at:4391)
 98: conntrack - FTP NAT orig tuple seqadj           FAILED (
system-traffic.at:4515)

The following alternative patch would correctly and succinctly implement
multiple adjustments.

diff --git a/lib/conntrack.c b/lib/conntrack.c
index 6f6021a..f283db2 100644
--- a/lib/conntrack.c
+++ b/lib/conntrack.c
@@ -3225,7 +3225,8 @@ handle_ftp_ctl(struct conntrack *ct, const struct
conn_lookup_ctx *ctx,
                     ip_len += seq_skew;
                     nh6->ip6_ctlun.ip6_un1.ip6_un1_plen = htons(ip_len);
                     conn_seq_skew_set(ct, &conn_for_expectation->key, now,
-                                      seq_skew, ctx->reply);
+                                      seq_skew +
+                                      conn_for_expectation->seq_skew,
ctx->reply);
                 }
             } else {
                 seq_skew = repl_ftp_v4_addr(pkt, v4_addr_rep,
ftp_data_start,
@@ -3237,7 +3238,8 @@ handle_ftp_ctl(struct conntrack *ct, const struct
conn_lookup_ctx *ctx,
                                           l3_hdr->ip_tot_len,
htons(ip_len));
                     l3_hdr->ip_tot_len = htons(ip_len);
                     conn_seq_skew_set(ct, &conn_for_expectation->key, now,
-                                      seq_skew, ctx->reply);
+                                      seq_skew +
+                                      conn_for_expectation->seq_skew,
ctx->reply);
                 }
             }
         } else {





On Sat, Dec 15, 2018 at 9:38 AM David Marchand <david.march...@redhat.com>
wrote:

> The ftp alg deals with packets in two ways for the command connection:
> either they are inspected (CT_FTP_CTL_INTEREST) or they just go through
> without being modified (CT_FTP_CTL_OTHER).
>
> In both cases, the tcp seq/ack must be adjusted by the current offset
> that has been introduced in previous mangle operations and prepare for
> the next packets by setting an accumulated offset.
>
> Signed-off-by: David Marchand <david.march...@redhat.com>
> ---
>  lib/conntrack.c | 25 ++++++++++++-------------
>  1 file changed, 12 insertions(+), 13 deletions(-)
>
> diff --git a/lib/conntrack.c b/lib/conntrack.c
> index 974f985..d08d0ea 100644
> --- a/lib/conntrack.c
> +++ b/lib/conntrack.c
> @@ -3185,11 +3185,9 @@ handle_ftp_ctl(struct conntrack *ct, const struct
> conn_lookup_ctx *ctx,
>      }
>
>      struct ovs_16aligned_ip6_hdr *nh6 = dp_packet_l3(pkt);
> -    int64_t seq_skew = 0;
> +    int64_t seq_skew = conn_for_expectation->seq_skew;
>
> -    if (ftp_ctl == CT_FTP_CTL_OTHER) {
> -        seq_skew = conn_for_expectation->seq_skew;
> -    } else if (ftp_ctl == CT_FTP_CTL_INTEREST) {
> +    if (ftp_ctl == CT_FTP_CTL_INTEREST) {
>          enum ftp_ctl_pkt rc;
>          if (ctx->key.dl_type == htons(ETH_TYPE_IPV6)) {
>              rc = process_ftp_ctl_v6(ct, pkt, conn_for_expectation,
> @@ -3208,35 +3206,36 @@ handle_ftp_ctl(struct conntrack *ct, const struct
> conn_lookup_ctx *ctx,
>              return;
>          } else if (rc == CT_FTP_CTL_INTEREST) {
>              uint16_t ip_len;
> +            int64_t new_skew;
>
>              if (ctx->key.dl_type == htons(ETH_TYPE_IPV6)) {
> -                seq_skew = repl_ftp_v6_addr(pkt, v6_addr_rep,
> ftp_data_start,
> +                new_skew = repl_ftp_v6_addr(pkt, v6_addr_rep,
> ftp_data_start,
>
>  addr_offset_from_ftp_data_start,
>                                              addr_size, mode);
> -                if (seq_skew) {
> +                if (new_skew) {
>                      ip_len = ntohs(nh6->ip6_ctlun.ip6_un1.ip6_un1_plen);
> -                    ip_len += seq_skew;
> +                    ip_len += new_skew;
>                      nh6->ip6_ctlun.ip6_un1.ip6_un1_plen = htons(ip_len);
>                      conn_seq_skew_set(ct, &conn_for_expectation->key, now,
> -                                      seq_skew, ctx->reply);
> +                                      new_skew + seq_skew, ctx->reply);
>                  }
>              } else {
> -                seq_skew = repl_ftp_v4_addr(pkt, v4_addr_rep,
> ftp_data_start,
> +                new_skew = repl_ftp_v4_addr(pkt, v4_addr_rep,
> ftp_data_start,
>
>  addr_offset_from_ftp_data_start);
>                  ip_len = ntohs(l3_hdr->ip_tot_len);
> -                if (seq_skew) {
> -                    ip_len += seq_skew;
> +                if (new_skew) {
> +                    ip_len += new_skew;
>                      l3_hdr->ip_csum = recalc_csum16(l3_hdr->ip_csum,
>                                            l3_hdr->ip_tot_len,
> htons(ip_len));
>                      l3_hdr->ip_tot_len = htons(ip_len);
>                      conn_seq_skew_set(ct, &conn_for_expectation->key, now,
> -                                      seq_skew, ctx->reply);
> +                                      new_skew + seq_skew, ctx->reply);
>                  }
>              }
>          } else {
>              OVS_NOT_REACHED();
>          }
> -    } else {
> +    } else if (ftp_ctl == CT_FTP_CTL_INVALID) {
>          OVS_NOT_REACHED();
>      }
>
> --
> 1.8.3.1
>
> _______________________________________________
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Reply via email to