bugzilla-daemon at netfilter.org
2013-Nov-23 12:44 UTC
[Bug 874] New: Any conntrack conditions specified with --ctstate INVALID are not checked
https://bugzilla.netfilter.org/show_bug.cgi?id=874

           Summary: Any conntrack conditions specified with --ctstate INVALID are not checked
           Product: iptables
           Version: 1.4.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: iptables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: quentin at armitage.org.uk
   Estimated Hours: 0.0

Created attachment 427
  --> https://bugzilla.netfilter.org/attachment.cgi?id=427
Patch to not allow any other conntrack matches with ctstate INVALID

In the kernel net/netfilter/xt_conntrack.c function conntrack_mt, if there is no conntrack entry, the state is considered invalid. Then, a further check for no conntrack entry causes a return, before any other checks are made.

An example is:

  iptables -A CHAIN -m conntrack --ctstate INVALID --ctproto tcp

which would match a udp packet (or any other protocol), and could cause considerable confusion.

To circumvent the problem of matches being specified, but that are not checked, if the state match is a positive match of INVALID, do not allow any other conntrack tests.

The attached patch adds the test suggested.

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
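The evaluation order the report describes, as an added model written for this page (it is neither the kernel's xt_conntrack.c nor the attached patch; all flag names, struct names and the two functions are constructed for the model). `model_match` reproduces the order the reporter points at: the state test runs first, and a packet with no conntrack entry returns before the --ctproto test is ever reached, so the rule from the report matches a UDP packet. `rule_is_consistent` is one way to express the userspace check the reporter proposes; it assumes "positive match of INVALID" means a --ctstate mask of exactly INVALID, which is an assumption, not something the page states.

```c
#include <netinet/in.h>   /* IPPROTO_TCP, IPPROTO_UDP */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed flag set: which sub-tests a rule carries. */
#define MT_STATE  0x01u
#define MT_PROTO  0x02u

/* Constructed state bits; INVALID is the state assigned when no entry exists. */
#define ST_NEW         0x01u
#define ST_ESTABLISHED 0x02u
#define ST_INVALID     0x08u

struct rule {
    unsigned match_flags;   /* MT_* sub-tests present in the rule */
    unsigned invert_flags;  /* MT_* sub-tests negated with '!' */
    unsigned state_mask;    /* --ctstate bits */
    uint8_t  l4proto;       /* --ctproto value */
};

struct packet {
    bool     has_ct;        /* was a conntrack entry found for this packet? */
    unsigned ct_state;      /* state bit, meaningful only if has_ct */
    uint8_t  l4proto;       /* IPPROTO_* of the packet */
};

/* Model of the match decision: state test, then early return when there is
 * no conntrack entry, and only after that the remaining sub-tests. */
bool model_match(const struct rule *r, const struct packet *p)
{
    unsigned statebit = p->has_ct ? p->ct_state : ST_INVALID;

    if (r->match_flags & MT_STATE) {
        bool hit = (r->state_mask & statebit) != 0;
        bool inv = (r->invert_flags & MT_STATE) != 0;
        if (hit == inv)          /* state test failed */
            return false;
    }
    if (!p->has_ct)              /* no entry: nothing else can be examined */
        return (r->match_flags & MT_STATE) != 0;

    if (r->match_flags & MT_PROTO) {
        bool hit = p->l4proto == r->l4proto;
        bool inv = (r->invert_flags & MT_PROTO) != 0;
        if (hit == inv)
            return false;
    }
    return true;
}

/* Userspace-style check in the spirit of the reporter's proposal: a positive
 * --ctstate INVALID (mask exactly INVALID, assumption) combined with any other
 * conntrack sub-test is rejected, because that sub-test can never be reached.
 * Returns true when the rule is acceptable. */
bool rule_is_consistent(const struct rule *r)
{
    bool positive_invalid = (r->match_flags & MT_STATE) &&
                            !(r->invert_flags & MT_STATE) &&
                            r->state_mask == ST_INVALID;
    unsigned others = r->match_flags & ~MT_STATE;
    return !(positive_invalid && others != 0);
}

/* The rule from the report: --ctstate INVALID --ctproto tcp */
static const struct rule report_rule = {
    .match_flags = MT_STATE | MT_PROTO, .invert_flags = 0,
    .state_mask = ST_INVALID, .l4proto = IPPROTO_TCP,
};

/* Constructed sample: a UDP packet for which conntrack found no entry. */
bool udp_without_entry_matches(void)
{
    struct packet p = { .has_ct = false, .ct_state = 0, .l4proto = IPPROTO_UDP };
    return model_match(&report_rule, &p);
}

int main(void)
{
    printf("UDP packet with no conntrack entry matches the rule: %s\n",
           udp_without_entry_matches() ? "yes" : "no");
    printf("rule accepted by the consistency check: %s\n",
           rule_is_consistent(&report_rule) ? "yes" : "no");
    return 0;
}
```

Running the model prints "yes" for the match and "no" for the check: the --ctproto tcp sub-test is silently skipped for every packet that has no conntrack entry, which is exactly the set of packets --ctstate INVALID selects, and the consistency check refuses the combination up front.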
bugzilla-daemon at netfilter.org
2013-Nov-30 21:38 UTC
[Bug 874] Any conntrack conditions specified with --ctstate INVALID are not checked
https://bugzilla.netfilter.org/show_bug.cgi?id=874

Phil Oester <netfilter at linuxace.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |netfilter at linuxace.com

--- Comment #1 from Phil Oester <netfilter at linuxace.com> 2013-11-30 22:38:06 CET ---
Please submit your patch to netfilter-devel at vger.kernel.org with your signed-off-by, thanks.

-- 
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.