3.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 20 Nov 2012 19:35:03 +0000 (11:35 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 20 Nov 2012 19:35:03 +0000 (11:35 -0800)
added patches:
netfilter-mark-syn-ack-packets-as-invalid-from-original-direction.patch
netfilter-nf_nat-don-t-check-for-port-change-on-icmp-tuples.patch
netfilter-validate-the-sequence-number-of-dataless-ack-packets-as-well.patch
r8169-allow-multicast-packets-on-sub-8168f-chipset.patch
r8169-fix-wol-on-rtl8168d-8111d.patch

queue-3.4/netfilter-mark-syn-ack-packets-as-invalid-from-original-direction.patch [new file with mode: 0644]
queue-3.4/netfilter-nf_nat-don-t-check-for-port-change-on-icmp-tuples.patch [new file with mode: 0644]
queue-3.4/netfilter-validate-the-sequence-number-of-dataless-ack-packets-as-well.patch [new file with mode: 0644]
queue-3.4/r8169-allow-multicast-packets-on-sub-8168f-chipset.patch [new file with mode: 0644]
queue-3.4/r8169-fix-wol-on-rtl8168d-8111d.patch [new file with mode: 0644]
queue-3.4/series

diff --git a/queue-3.4/netfilter-mark-syn-ack-packets-as-invalid-from-original-direction.patch b/queue-3.4/netfilter-mark-syn-ack-packets-as-invalid-from-original-direction.patch
new file mode 100644 (file)
index 0000000..219c54d
--- /dev/null
@@ -0,0 +1,56 @@
+From 64f509ce71b08d037998e93dd51180c19b2f464c Mon Sep 17 00:00:00 2001
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Date: Fri, 31 Aug 2012 09:55:53 +0000
+Subject: netfilter: Mark SYN/ACK packets as invalid from original direction
+
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+
+commit 64f509ce71b08d037998e93dd51180c19b2f464c upstream.
+
+Clients should not send such packets. By accepting them, we open
+up a hole by wich ephemeral ports can be discovered in an off-path
+attack.
+
+See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel,
+http://arxiv.org/abs/1201.2074
+
+Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_proto_tcp.c |   19 ++++++++-----------
+ 1 file changed, 8 insertions(+), 11 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -158,21 +158,18 @@ static const u8 tcp_conntracks[2][6][TCP
+  *    sCL -> sSS
+  */
+ /*         sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2   */
+-/*synack*/ { sIV, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR },
++/*synack*/ { sIV, sIV, sSR, sIV, sIV, sIV, sIV, sIV, sIV, sSR },
+ /*
+  *    sNO -> sIV      Too late and no reason to do anything
+  *    sSS -> sIV      Client can't send SYN and then SYN/ACK
+  *    sS2 -> sSR      SYN/ACK sent to SYN2 in simultaneous open
+- *    sSR -> sIG
+- *    sES -> sIG      Error: SYNs in window outside the SYN_SENT state
+- *                    are errors. Receiver will reply with RST
+- *                    and close the connection.
+- *                    Or we are not in sync and hold a dead connection.
+- *    sFW -> sIG
+- *    sCW -> sIG
+- *    sLA -> sIG
+- *    sTW -> sIG
+- *    sCL -> sIG
++ *    sSR -> sSR      Late retransmitted SYN/ACK in simultaneous open
++ *    sES -> sIV      Invalid SYN/ACK packets sent by the client
++ *    sFW -> sIV
++ *    sCW -> sIV
++ *    sLA -> sIV
++ *    sTW -> sIV
++ *    sCL -> sIV
+  */
+ /*         sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2   */
+ /*fin*/    { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
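Review bot: The new `/*synack*/` row sends a SYN/ACK seen from the original direction in sES through sCL to sIV, but as far as I understand conntrack's handling of that verdict, sIV only flags the packet INVALID rather than dropping it, so the off-path hardening the changelog describes depends on the ruleset actually dropping INVALID-state traffic. That caveat is not stated anywhere in the table comment; a line such as `* Note: sIV marks the packet INVALID; it is only dropped if the ruleset drops INVALID.` next to the `sES -> sIV` entry would save the next reader from assuming conntrack enforces it on its own. The sSR column is the one case still accepted, and the new comment ties it to a retransmitted SYN/ACK in simultaneous open, which is worth keeping since the table cannot tell that apart from a bogus SYN/ACK in the same state. The tcp_conntracks table begins before the hunk and continues after it.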
diff --git a/queue-3.4/netfilter-nf_nat-don-t-check-for-port-change-on-icmp-tuples.patch b/queue-3.4/netfilter-nf_nat-don-t-check-for-port-change-on-icmp-tuples.patch
new file mode 100644 (file)
index 0000000..d1018ae
--- /dev/null
@@ -0,0 +1,45 @@
+From 38fe36a248ec3228f8e6507955d7ceb0432d2000 Mon Sep 17 00:00:00 2001
+From: Ulrich Weber <ulrich.weber@sophos.com>
+Date: Thu, 25 Oct 2012 05:34:45 +0000
+Subject: netfilter: nf_nat: don't check for port change on ICMP tuples
+
+From: Ulrich Weber <ulrich.weber@sophos.com>
+
+commit 38fe36a248ec3228f8e6507955d7ceb0432d2000 upstream.
+
+ICMP tuples have id in src and type/code in dst.
+So comparing src.u.all with dst.u.all will always fail here
+and ip_xfrm_me_harder() is called for every ICMP packet,
+even if there was no NAT.
+
+Signed-off-by: Ulrich Weber <ulrich.weber@sophos.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ net/ipv4/netfilter/nf_nat_standalone.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/netfilter/nf_nat_standalone.c
++++ b/net/ipv4/netfilter/nf_nat_standalone.c
+@@ -194,7 +194,8 @@ nf_nat_out(unsigned int hooknum,
+               if ((ct->tuplehash[dir].tuple.src.u3.ip !=
+                    ct->tuplehash[!dir].tuple.dst.u3.ip) ||
+-                  (ct->tuplehash[dir].tuple.src.u.all !=
++                  (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
++                   ct->tuplehash[dir].tuple.src.u.all !=
+                    ct->tuplehash[!dir].tuple.dst.u.all)
+                  )
+                       return ip_xfrm_me_harder(skb) == 0 ? ret : NF_DROP;
+@@ -230,7 +231,8 @@ nf_nat_local_fn(unsigned int hooknum,
+                               ret = NF_DROP;
+               }
+ #ifdef CONFIG_XFRM
+-              else if (ct->tuplehash[dir].tuple.dst.u.all !=
++              else if (ct->tuplehash[dir].tuple.dst.protonum != IPPROTO_ICMP &&
++                       ct->tuplehash[dir].tuple.dst.u.all !=
+                        ct->tuplehash[!dir].tuple.src.u.all)
+                       if (ip_xfrm_me_harder(skb))
+                               ret = NF_DROP;
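Review bot: The added `dst.protonum != IPPROTO_ICMP` guard sidesteps the mismatched comparison rather than comparing the right fields: for ICMP the value NAT may rewrite is the id, which per the changelog sits in src of both tuples, so after this change an id rewritten by NAT never causes ip_xfrm_me_harder() to be called. That is presumably harmless because xfrm policy selectors key ICMP on type/code rather than id, but nothing near the check records that reasoning; a comment above each guard such as `/* ICMP tuples carry id in src and type/code in dst: the port test is meaningless here */` would keep a later cleanup from "restoring" the check. The guard is duplicated in nf_nat_out and nf_nat_local_fn with slightly different operand order, which is easy to miss when only one of them is touched next time. Both enclosing functions start before and end after the hunk.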
diff --git a/queue-3.4/netfilter-validate-the-sequence-number-of-dataless-ack-packets-as-well.patch b/queue-3.4/netfilter-validate-the-sequence-number-of-dataless-ack-packets-as-well.patch
new file mode 100644 (file)
index 0000000..7a9ef8f
--- /dev/null
@@ -0,0 +1,43 @@
+From 4a70bbfaef0361d27272629d1a250a937edcafe4 Mon Sep 17 00:00:00 2001
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Date: Fri, 31 Aug 2012 09:55:54 +0000
+Subject: netfilter: Validate the sequence number of dataless ACK packets as well
+
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+
+commit 4a70bbfaef0361d27272629d1a250a937edcafe4 upstream.
+
+We spare nothing by not validating the sequence number of dataless
+ACK packets and enabling it makes harder off-path attacks.
+
+See: "Reflection scan: an Off-Path Attack on TCP" by Jan Wrobel,
+http://arxiv.org/abs/1201.2074
+
+Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_proto_tcp.c |   10 ++--------
+ 1 file changed, 2 insertions(+), 8 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_proto_tcp.c
++++ b/net/netfilter/nf_conntrack_proto_tcp.c
+@@ -627,15 +627,9 @@ static bool tcp_in_window(const struct n
+               ack = sack = receiver->td_end;
+       }
+-      if (seq == end
+-          && (!tcph->rst
+-              || (seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)))
++      if (tcph->rst && seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)
+               /*
+-               * Packets contains no data: we assume it is valid
+-               * and check the ack value only.
+-               * However RST segments are always validated by their
+-               * SEQ number, except when seq == 0 (reset sent answering
+-               * SYN.
++               * RST sent answering SYN.
+                */
+               seq = end = sender->td_end;
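Review bot: Dropping the `seq == end` shortcut means every dataless ACK is now subject to the sequence window check that follows the hunk, which includes keepalive probes and zero-window probes; those typically carry a sequence number one below the sender's current send point, and nothing visible here shows whether the lower bound of that check still admits them, so I would want a test with TCP keepalives running through a conntrack box before carrying this in stable. The surviving comment `RST sent answering SYN.` no longer explains that this is now the only case exempted from SEQ validation; rewording it to `/* Only a RST with seq 0 answering a SYN is exempt from SEQ validation; dataless ACKs are now checked too. */` would preserve what the removed text conveyed. tcp_in_window() begins before and ends after the hunk.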
diff --git a/queue-3.4/r8169-allow-multicast-packets-on-sub-8168f-chipset.patch b/queue-3.4/r8169-allow-multicast-packets-on-sub-8168f-chipset.patch
new file mode 100644 (file)
index 0000000..e42eecf
--- /dev/null
@@ -0,0 +1,33 @@
+From 0481776b7a70f09acf7d9d97c288c3a8403fbfe4 Mon Sep 17 00:00:00 2001
+From: Nathan Walp <faceprint@faceprint.com>
+Date: Thu, 1 Nov 2012 12:08:47 +0000
+Subject: r8169: allow multicast packets on sub-8168f chipset.
+
+From: Nathan Walp <faceprint@faceprint.com>
+
+commit 0481776b7a70f09acf7d9d97c288c3a8403fbfe4 upstream.
+
+RTL_GIGA_MAC_VER_35 includes no multicast hardware filter.
+
+Signed-off-by: Nathan Walp <faceprint@faceprint.com>
+Suggested-by: Hayes Wang <hayeswang@realtek.com>
+Acked-by: Francois Romieu <romieu@fr.zoreil.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/realtek/r8169.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -4131,6 +4131,9 @@ static void rtl_set_rx_mode(struct net_d
+               mc_filter[1] = swab32(data);
+       }
++      if (tp->mac_version == RTL_GIGA_MAC_VER_35)
++              mc_filter[1] = mc_filter[0] = 0xffffffff;
++
+       RTL_W32(MAR0 + 4, mc_filter[1]);
+       RTL_W32(MAR0 + 0, mc_filter[0]);
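Review bot: The two added lines overwrite the multicast hash filter computed just above them for RTL_GIGA_MAC_VER_35 without saying why; the reason lives only in the changelog, so a comment at the assignment such as `/* RTL_GIGA_MAC_VER_35 has no multicast hardware filter: accept all multicast */` would keep the override from being removed as dead code later. Setting both words to 0xffffffff means the host receives every multicast frame on the segment for this chip, which is presumably the same path the driver already takes for the all-multicast case earlier in rtl_set_rx_mode(); if so, handling VER_35 there would also avoid computing a hash the code then throws away, but that earlier code is outside the hunk. rtl_set_rx_mode() begins before the hunk.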
diff --git a/queue-3.4/r8169-fix-wol-on-rtl8168d-8111d.patch b/queue-3.4/r8169-fix-wol-on-rtl8168d-8111d.patch
new file mode 100644 (file)
index 0000000..66a7fc4
--- /dev/null
@@ -0,0 +1,41 @@
+From b00e69dee4ccbb3a19989e3d4f1385bc2e3406cd Mon Sep 17 00:00:00 2001
+From: Cyril Brulebois <kibi@debian.org>
+Date: Wed, 31 Oct 2012 14:00:46 +0000
+Subject: r8169: Fix WoL on RTL8168d/8111d.
+
+From: Cyril Brulebois <kibi@debian.org>
+
+commit b00e69dee4ccbb3a19989e3d4f1385bc2e3406cd upstream.
+
+This regression was spotted between Debian squeeze and Debian wheezy
+kernels (respectively based on 2.6.32 and 3.2). More info about
+Wake-on-LAN issues with Realtek's 816x chipsets can be found in the
+following thread: http://marc.info/?t=132079219400004
+
+Probable regression from d4ed95d796e5126bba51466dc07e287cebc8bd19;
+more chipsets are likely affected.
+
+Tested on top of a 3.2.23 kernel.
+
+Reported-by: Florent Fourcot <florent.fourcot@enst-bretagne.fr>
+Tested-by: Florent Fourcot <florent.fourcot@enst-bretagne.fr>
+Hinted-by: Francois Romieu <romieu@fr.zoreil.com>
+Signed-off-by: Cyril Brulebois <kibi@debian.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/realtek/r8169.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -3488,6 +3488,8 @@ static void rtl_wol_suspend_quirk(struct
+       void __iomem *ioaddr = tp->mmio_addr;
+       switch (tp->mac_version) {
++      case RTL_GIGA_MAC_VER_25:
++      case RTL_GIGA_MAC_VER_26:
+       case RTL_GIGA_MAC_VER_29:
+       case RTL_GIGA_MAC_VER_30:
+       case RTL_GIGA_MAC_VER_32:
index a51ced4b904f34c7d9709386765ebc98decaf2b8..6d0e5b73469ae22fe16aba61f5c85a87392c46f5 100644 (file)
@@ -27,3 +27,8 @@ net-rps-fix-brokeness-causing-ooo-packets.patch
 tmpfs-change-final-i_blocks-bug-to-warning.patch
 r8169-use-unlimited-dma-burst-for-tx.patch
 xen-events-fix-rcu-warning-or-call-idle-notifier-after-irq_enter.patch
+r8169-fix-wol-on-rtl8168d-8111d.patch
+r8169-allow-multicast-packets-on-sub-8168f-chipset.patch
+netfilter-validate-the-sequence-number-of-dataless-ack-packets-as-well.patch
+netfilter-mark-syn-ack-packets-as-invalid-from-original-direction.patch
+netfilter-nf_nat-don-t-check-for-port-change-on-icmp-tuples.patch