similar to: [Bug 495] New: Netfilter Connection Tracking Race Condition in Kernel 2.4.x

2003 Aug 02
0
[SECURITY] Netfilter Security Advisory: Conntrack list_del() DoS
Netfilter Core Team Security Advisory CVE: CAN-2003-0187 Subject: Netfilter / Connection Tracking Remote DoS Released: 01 Aug 2003 Effects: Any remote user may be able to DoS a machine
2002 Aug 23
0
Re: ip_conntrack_lock not readlocked (fwd)
Here is a message from Harald Welte, the current Netfilter lead developer about these messages. Sounds like he is interested in finding out more information about occurrences of these messages (or he was a month and a half ago). -Tom -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net ---------- Forwarded message
2002 Jan 20
0
[ANNOUNCE] Bug in kernel == 2.4.10 causing netfilter problem
Hi all! On behalf of the netfilter core team I have the following announcement: The following kernel versions have a bug in include/linux/list.h, which causes netfilter's connection tracking code to misbehave: 2.4.10-pre10 2.4.10-pre11 2.4.10-pre12 2.4.10
2007 Apr 18
1
[Bridge] [PATCH/RFC] Reduce call chain length in netfilter (take 2)
Hi, This is a second try to fix the long chain call lengths in netfilter. The difference with the previous patch is that I got rid of the extra argument. I somehow didn't see it could be done without using the 'int *ret2' argument. A comment on the number of arguments to nf_hook_slow: I don't think the number of arguments should be decreased. For the bridge-nf code, f.e., the
2001 May 21
1
Problems with Krb5/GSSAPI patches in FBSD 4.3
Hi, I am trying to implement OpenSSH v2.9p1 with the Krb5/GSSAPI patches at: http://www.sxw.org.uk/computing/patches/openssh-2.9p1-gssapi.patch On a FreeBSD 4.3-STABLE system (with both the integrated Heimdal libs and the MIT Krb5 package from ports installed). I patched the src tree, reconfigured, recompiled, installed, and it works - except for Krb5 passwords or Krb5 tickets. And I really
2002 Jun 25
0
[Bug 290] New: auth_method set incorrectly in mm_answer_keyverify()
http://bugzilla.mindrot.org/show_bug.cgi?id=290 Summary: auth_method set incorrectly in mm_answer_keyverify() Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: Linux Status: NEW Severity: major Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org
2011 Jul 20
5
high performance open source DHCP solution?
The free DHCP solution, ISC, seems to be having scaling issues (i.e. handling only about 200 DHCPDISCOVER and 20 DHCPRENEW requests), and I was wondering if anyone had any open source suggestions of solutions that could scale much better? (Ideally, I could find a free version of a solution like Nominum, but I know that's asking for much.) Anyone have any suggestions? -- Also on LinkedIn??
2012 Apr 25
1
forwarding packets to service in same host without using loopback network
This question is not about linux usage. But still I think user list is a good crowd for linux programmer. So here it goes. I have this libnetfilter_queue application which receives packets from kernel based on some iptables rule. Before going straight to my problem, I'm giving a sample workable code and other tools to set up a test environment so that We problem definition and possible
2007 Aug 14
0
ebtables locking issue
Hi there, I am new to ebtables code and looking for some help related to locking and atomicity. I am using Xen 3.0.4 in bridge mode and interested in looking into the packets intercepted by dom0 ebtables code, extract some information, pass this information to userspace, wait for userspace response and then pass the result back to ebtable code. Everything seemed to be working fine until I
2007 Jan 09
0
[Bug 530] New: loading nf_nat verision of the iptable_nat module kills existing connections
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=530 Summary: loading nf_nat verision of the iptable_nat module kills existing connections Product: netfilter/iptables Version: linux-2.6.x Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component:
2007 Apr 18
5
[Bridge] Any way of knowing a packet's been defragmented
Hello, Due to a recent change in the bridge code, we now need a way of knowing if a packet has been defragmented. The bridge code now checks on the packet size and drops packets that are too big for the output port. Defragmented packets will get refragmented later, so they shouldn't be dropped. I've been reading the defragmentation code and can't find an easy way of knowing if a
1999 Nov 11
0
CERT Advisory CA-99.14 - Multiple Vulnerabilities in BIND (fwd)
For those who are unaware... [mod: This whole bind affair has gone a bit out of hand. Elias from Bugtraq found "public" info indicating the problem. ISC/CERT were working on releasing the bugfix together with the fix. Now everybody is scurrying to get fixes out now that "the public" knows about this. As far as I know, Red Hat (& Caldera) made a new RPM, based on the most
2007 Apr 18
3
[Bridge] Re: do_IRQ: stack overflow: 872..
On Fri, 07 Jan 2005 17:05:59 +0000 David Woodhouse <dwmw2@infradead.org> wrote: > On Sat, 2004-12-18 at 08:50 +0100, Andi Kleen wrote: > > It's not really an oops, just a warning that stack space got quite > > tight. > > > > The problem seems to be that the br netfilter code is nesting far too > > deeply and recursing several times. Looks like a design
2003 Mar 03
0
[Bug 59] New: sparc64 conntrack issue with expecting related connections, FTP
https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=59 Summary: sparc64 conntrack issue with expecting related connections, FTP Product: netfilter/iptables Version: linux-2.4.x Platform: sparc64 OS/Version: other Status: NEW Severity: normal Priority: P2 Component:
2006 Nov 14
2
Benchmarking DNS and DHCP
Does anyone know of any FOSS tools that can assist in benchmarking ISC DNS and DHCP services? I would like to simulate X number of users attempting to pull an IP, resolve DNS names, etc. I would also like to test TCP connections into a CentOS server. We have some software that communicates with equipment via a TCP connection and I want to simulate thousands of TCP connections coming into one
2007 Apr 18
4
[Bridge] [PATCH/RFC] Let {ip, arp}tables "see" bridged VLAN tagged {I, AR}P packets
Hi all, The patch below does four trivial changes and one big change Trivial changes, these are all in br_netfilter.c: - check ar_pln==4 when giving bridged ARP packets to arptables - delete unnecessary if in br_nf_local_in - add more logging for the "Argh" message - add some brag-comments in the file head comment Big change: let {ip,arp}tables see VLAN tagged {I,AR}P packets. This
2004 Feb 24
2
More than one auth method with dovevot 0.99.10.4 - how?
We're setting up a server with qmail/vpopmail and dovecot. In addition to vpopmail users we want non-virtual, local users to be able to authenticate and have them read the Maildir in their real $HOME. vpopmail userdb/passwd works fine. Now how do I tell dovecot to use passwd (or PAM) userdb/passdb authentication too? /etc/dovecot.conf: [...] auth = default auth_mechanisms = plain
2007 Apr 18
2
[Bridge] large packet size doesn't work
Hi, I have just configured a Linux box with kernel 2.6.16.7 and configured two ethernet interfaces (with MTU 1500) in bridge mode. CONFIG_BRIDGE_NETFILTER is enabled. The problem is that ping -s 1500 192.168.0.2 doesn't work from 192.168.0.1 if the systems are separated by the bridge. Normal ping with smaller packet size works ok. What is wrong? Best Regards Fulvio Ricciardi
2002 Jun 22
2
[Bug 284] Hostbased authentication erroneously reported
http://bugzilla.mindrot.org/show_bug.cgi?id=284 stevesk at pobox.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From stevesk at pobox.com 2002-06-23 09:11
2006 Jan 30
0
conntrack event/hook when ''expected'' connection terminates ?
Hello, I need to understand how conntrack_core.c handles the termination of 'expected' connection; handling in the case when 'expected' connection arrived, then terminates (In my conntrack module, I need to specially handle the event of termination of 'expected' connection.) In ip_conntrack_core.c, I can't find the