tech-net archive


Re: NPF: TCP options



On 13/03/2018 at 21:22, Mindaugas Rasiukevicius wrote:
Maxime Villard <max%m00nbsd.net@localhost> wrote:
Answering in this thread now, to prevent further confusions.

On 13/03/2018 at 00:23, Mindaugas Rasiukevicius wrote:
So NPF's behavior should be aligned to that of the kernel; that is to
say, NPF should ignore TCP options with uncommon lengths - which does
not mean dropping the packet. (We can discuss about changing the
kernel's behavior to be that of NPF, but as I said in my answer to
Joerg, the kernel's behavior is the one that is the most "common".)

Not exactly, no.  NPF is not a host/kernel.  It is a man in the middle,
concerning packets sent by different hosts (which might have different
TCP/IP implementations and applications).  It operates based on its own
set of rules.

It sounds like you didn't understand my point.

I'm saying that the TCP-options behavior in the NetBSD kernel and NPF is
not the same. There is a divergence. Since there is a divergence, it is
possible to bypass the normalization procedures on TCP options (and along
with that, to lead to possibly unexpected behavior).

So what?  You talk about differences in behaviour, but you fail to explain
the reasons why any of this matters.

Read the very first email of this thread, I said what was wrong about not
looking at the length of the TCP options.

It matters because of bypasses, as I said only an hour ago in the mail you
just quoted.

Let me repeat again: it is the NPF *rules* (well, overall configuration)
[...]

This paragraph has nothing to do here, you are mixing with the other thread.
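The exchange above turns on two components walking the same TCP option list differently. The following is an added example, not code from this thread and not the NetBSD kernel's or NPF's own option parser; every function and sample name in it is hypothetical. It puts a length-checking walker, which skips a known option whose length is not the defined one without rejecting the packet, next to a sloppy extractor that reads the MSS value without comparing the option length to TCPOLEN_MAXSEG. The same constructed bytes give the two walkers different answers, which is the kind of parser disagreement that lets one side's normalization be bypassed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Option kinds and their fixed lengths (RFC 793, RFC 1323, RFC 2018). */
#define TCPOPT_EOL             0
#define TCPOPT_NOP             1
#define TCPOPT_MAXSEG          2
#define TCPOLEN_MAXSEG         4
#define TCPOPT_WINDOW          3
#define TCPOLEN_WINDOW         3
#define TCPOPT_SACK_PERMITTED  4
#define TCPOLEN_SACK_PERMITTED 2
#define TCPOPT_TIMESTAMP       8
#define TCPOLEN_TIMESTAMP      10

/* Hypothetical result structure for the example walker. */
struct tcp_opts {
	int malformed;   /* the list cannot be walked safely; caller decides what to do */
	int ignored;     /* known kinds skipped because their length was not the expected one */
	int has_mss, has_wscale, has_sackok, has_ts;
	uint16_t mss;
	uint8_t wscale;
	uint32_t tsval, tsecr;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Defined length of a kind this example interprets; 0 for kinds it does not. */
static size_t expected_len(uint8_t kind)
{
	switch (kind) {
	case TCPOPT_MAXSEG:         return TCPOLEN_MAXSEG;
	case TCPOPT_WINDOW:         return TCPOLEN_WINDOW;
	case TCPOPT_SACK_PERMITTED: return TCPOLEN_SACK_PERMITTED;
	case TCPOPT_TIMESTAMP:      return TCPOLEN_TIMESTAMP;
	default:                    return 0;
	}
}

/*
 * Length-checking walk. A known kind with an uncommon length is skipped, not
 * interpreted, and the packet is not rejected for it; only a list that cannot
 * be advanced through at all is flagged malformed. Returns 0, or -1 if malformed.
 */
int parse_tcp_options(const uint8_t *opts, size_t len, struct tcp_opts *out)
{
	size_t i = 0;
	memset(out, 0, sizeof(*out));
	while (i < len) {
		uint8_t kind = opts[i];
		if (kind == TCPOPT_EOL) break;
		if (kind == TCPOPT_NOP) { i++; continue; }
		if (i + 1 >= len) { out->malformed = 1; return -1; }        /* no length byte */
		uint8_t olen = opts[i + 1];
		if (olen < 2 || i + olen > len) { out->malformed = 1; return -1; } /* cannot advance */
		size_t want = expected_len(kind);
		if (want != 0 && olen != want) { out->ignored++; i += olen; continue; }
		switch (kind) {
		case TCPOPT_MAXSEG:         out->has_mss = 1;    out->mss = be16(opts + i + 2); break;
		case TCPOPT_WINDOW:         out->has_wscale = 1; out->wscale = opts[i + 2];     break;
		case TCPOPT_SACK_PERMITTED: out->has_sackok = 1;                                break;
		case TCPOPT_TIMESTAMP:      out->has_ts = 1;     out->tsval = be32(opts + i + 2);
		                            out->tsecr = be32(opts + i + 6);                     break;
		default: break;  /* unknown kind: step over it by its own length */
		}
		i += olen;
	}
	return 0;
}

/*
 * Deliberately sloppy MSS extraction: it never compares olen to TCPOLEN_MAXSEG
 * and only guards against running off the buffer. Returns the MSS, or 0 if none.
 */
uint16_t sloppy_mss(const uint8_t *opts, size_t len)
{
	size_t i = 0;
	while (i + 1 < len) {
		uint8_t kind = opts[i];
		if (kind == TCPOPT_EOL) break;
		if (kind == TCPOPT_NOP) { i++; continue; }
		uint8_t olen = opts[i + 1];
		if (olen < 2 || i + olen > len) break;
		if (kind == TCPOPT_MAXSEG && i + 4 <= len)
			return be16(opts + i + 2);   /* trusts two value bytes regardless of olen */
		i += olen;
	}
	return 0;
}

/* Constructed sample: MSS 1460, NOP, wscale 7, SACK-permitted, timestamps 1/2. */
const uint8_t SAMPLE_GOOD[] = { 2,4,0x05,0xb4, 1, 3,3,7, 4,2, 8,10,0,0,0,1, 0,0,0,2 };
/* Constructed sample: an MSS option with an uncommon length of 3, then NOP and wscale 7. */
const uint8_t SAMPLE_ODD[]  = { 2,3,0x05, 1, 3,3,7 };
/* Constructed sample: an MSS option whose length runs past the end of the list. */
const uint8_t SAMPLE_TRUNC[] = { 2,4,0x05 };

int main(void)
{
	struct tcp_opts o;
	parse_tcp_options(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &o);
	printf("good: mss=%u wscale=%u sackok=%d ts=%u/%u ignored=%d\n",
	    o.mss, o.wscale, o.has_sackok, o.tsval, o.tsecr, o.ignored);
	parse_tcp_options(SAMPLE_ODD, sizeof SAMPLE_ODD, &o);
	printf("odd : has_mss=%d ignored=%d wscale=%u sloppy_mss=%u\n",
	    o.has_mss, o.ignored, o.wscale, sloppy_mss(SAMPLE_ODD, sizeof SAMPLE_ODD));
	printf("trunc: rc=%d\n", parse_tcp_options(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, &o));
	return 0;
}
```

On SAMPLE_ODD the checking walker reports no MSS at all and one ignored option, while sloppy_mss returns 1281 (the bytes 0x05 0x01 that follow the kind and length). A host using the first policy and a filter using the second form different views of the same segment, which is exactly why the two behaviours have to match.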

