[PATCH 00/21] secnet: MTU and security fixes, fragmentation, etc.
Ian Jackson
ijackson at chiark.greenend.org.uk
Thu Apr 24 02:37:19 BST 2014
This series:

Fixes some (not catastrophic) packet size & ICMP vulnerabilities
    06/21 slip: Drop packets >mtu (SECURITY)
    08/21 netlink: Set "unused" in ICMP header (SECURITY)
    18/21 netlink: fix IP length check (SECURITY)

Implements IP fragmentation (and the sending of ICMP Frag Needed)
    16/21 fragmentation: Fragment packets as required

Negotiates inter-site link MTU with peer secnets
    19/21 netlink: Advise netlink clients of the local link MTU
    21/21 site: Negotiate (configurable) MTU

Fixes a few other bugs I came across
    02/21 netlink: Avoid crash with clientless netlink
    03/21 netlink: Remove a newline from p-t-p startup message
    05/21 test-example: USE mtu of 1400 not 500 (!)
    07/21 fragmentation: Fix fragmentation field check
    09/21 netlink: Be more conservative about ICMP errors
    17/21 netlink: Only complain about initial frags for us

Makes some code cleanups which are necessary to enable the above
    01/21 netlink: Break out netlink_client_deliver
    04/21 test-example: Provide test which uses unshare(8)
    10/21 netlink: Make ip_csum and ip_fast_csum const-correct
    11/21 fragmentation: Rename "frag_off" field to "frag"
    12/21 netlink: Abolish client param to netlink_icmp_simple
    13/21 netlink: Break out netlink_host_deliver
    14/21 netlink: Provide MDEBUG macro
    15/21 util.h: Provide MIN and MAX macros
    20/21 site: Remove clone-and-hack of signature verification

I have bench-tested it but not yet deployed it anywhere.
It can be found as a git branch here:
http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=secnet.git;a=log;h=refs/tags/wip.frag.v1
aka
git://git.chiark.greenend.org.uk/~ian/secnet.git tag wip.frag.v1
Comments welcome.