Commit b83329fb authored by Fernando Fernandez Mancera's avatar Fernando Fernandez Mancera Committed by Pablo Neira Ayuso
Browse files

netfilter: synproxy: fix erroneous tcp mss option 



Now synproxy sends the mss value set by the user on client syn-ack packet
instead of the mss value that client announced.

Fixes: 48b1de4c ("netfilter: add SYNPROXY core/target")
Signed-off-by: default avatarFernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent f41828ee

include/net/netfilter/nf_conntrack_synproxy.h

+1 −0
Original line number Diff line number Diff line
@@ -68,6 +68,7 @@ struct synproxy_options { 
	u8				options;

	u8				wscale;

	u16				mss;

	u16				mss_encode;

	u32				tsval;

	u32				tsecr;

};

net/ipv4/netfilter/ipt_SYNPROXY.c

+2 −0
Original line number Diff line number Diff line
@@ -36,6 +36,8 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par) 
			opts.options |= XT_SYNPROXY_OPT_ECN;



		opts.options &= info->options;

		opts.mss_encode = opts.mss;

		opts.mss = info->mss;

		if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)

			synproxy_init_timestamp_cookie(info, &opts);

		else

net/ipv6/netfilter/ip6t_SYNPROXY.c

+2 −0
Original line number Diff line number Diff line
@@ -36,6 +36,8 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par) 
			opts.options |= XT_SYNPROXY_OPT_ECN;



		opts.options &= info->options;

		opts.mss_encode = opts.mss;

		opts.mss = info->mss;

		if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)

			synproxy_init_timestamp_cookie(info, &opts);

		else

net/netfilter/nf_synproxy_core.c

+2 −2
Original line number Diff line number Diff line
@@ -470,7 +470,7 @@ synproxy_send_client_synack(struct net *net, 
	struct iphdr *iph, *niph;

	struct tcphdr *nth;

	unsigned int tcp_hdr_size;

	u16 mss = opts->mss;

	u16 mss = opts->mss_encode;



	iph = ip_hdr(skb);
@@ -884,7 +884,7 @@ synproxy_send_client_synack_ipv6(struct net *net, 
	struct ipv6hdr *iph, *niph;

	struct tcphdr *nth;

	unsigned int tcp_hdr_size;

	u16 mss = opts->mss;

	u16 mss = opts->mss_encode;



	iph = ipv6_hdr(skb);

net/netfilter/nft_synproxy.c

+2 −0
Original line number Diff line number Diff line
@@ -31,6 +31,8 @@ static void nft_synproxy_tcp_options(struct synproxy_options *opts, 
		opts->options |= NF_SYNPROXY_OPT_ECN;



	opts->options &= priv->info.options;

	opts->mss_encode = opts->mss;

	opts->mss = info->mss;

	if (opts->options & NF_SYNPROXY_OPT_TIMESTAMP)

		synproxy_init_timestamp_cookie(info, opts);

	else