[PATCH 00/21] secnet: MTU and security fixes, fragmentation, etc.

Ian Jackson ijackson at chiark.greenend.org.uk
Thu Apr 24 02:37:19 BST 2014

This series:

 Fixes some (not catastrophic) packet size & ICMP vulnerabilities
  06/21 slip: Drop packets >mtu (SECURITY)
  08/21 netlink: Set "unused" in ICMP header (SECURITY)
  18/21 netlink: fix IP length check (SECURITY)

 Implements IP fragmentation (and the sending of ICMP Frag Needed)
  16/21 fragmentation: Fragment packets as required

 Negotiates inter-site link MTU with peer secnets
  19/21 netlink: Advise netlink clients of the local link MTU
  21/21 site: Negotiate (configurable) MTU

 Fixes a few other bugs I came across
  02/21 netlink: Avoid crash with clientless netlink
  03/21 netlink: Remove a newline from p-t-p startup message
  05/21 test-example: USE mtu of 1400 not 500 (!)
  07/21 fragmentation: Fix fragmentation field check
  09/21 netlink: Be more conservative about ICMP errors
  17/21 netlink: Only complain about initial frags for us

 Makes some code cleanups which are necessary to enable the above
  01/21 netlink: Break out netlink_client_deliver
  04/21 test-example: Provide test which uses unshare(8)
  10/21 netlink: Make ip_csum and ip_fast_csum const-correct
  11/21 fragmentation: Rename "frag_off" field to "frag"
  12/21 netlink: Abolish client param to netlink_icmp_simple
  13/21 netlink: Break out netlink_host_deliver
  14/21 netlink: Provide MDEBUG macro
  15/21 util.h: Provide MIN and MAX macros
  20/21 site: Remove clone-and-hack of signature verification

I have bench-tested it but not yet deployed it anywhere.

It can be found as a git branch here:
  git://git.chiark.greenend.org.uk/~ian/secnet.git tag wip.frag.v1

Comments welcome.

More information about the sgo-software-discuss mailing list