On 08/03/2018 at 13:01, Joerg Sonnenberger wrote:
> On Thu, Mar 08, 2018 at 09:15:40AM +0100, Maxime Villard wrote:
>> In NPF we don't check the length of the TCPOPT_MAXSEG and TCPOPT_WINDOW
>> options. That's a problem: if the length is bogus we should ignore these
>> options, just like the kernel does in tcp_dooptions().
> I don't think so. A firewall should drop bogus stuff.
In fact, it _may_ not be correct to drop here. I did take a look at the RFCs
about this (~two weeks ago), and I also looked at FreeBSD, OpenBSD and Linux;
the RFC does not specify the behavior here, and everybody ignores options
with "bogus" lengths without dropping the packet. That's what we've been doing
for a long time too, not sure it is correct to diverge from this behavior.
(I say "bogus", but it's not inherently buggy, it's just an unusual size.)
Maxime
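The behaviour the thread describes, as an added example that is not NPF's or the NetBSD kernel's code: a TCP option walker that skips an MSS or window-scale option whose length byte is not the fixed value, consumes its bytes, and keeps parsing, rather than failing the packet. The struct name, the helper `parsed_value()` and the three sample option areas are constructed for this illustration; the decision to report a structurally truncated option area (length byte missing, or a length running past the end) as a separate outcome, leaving the drop/pass decision to the caller, is also this example's own choice and not something the message attributes to tcp_dooptions().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP option kinds and their fixed lengths (RFC 793, RFC 7323). */
#define TCPOPT_EOL      0
#define TCPOPT_NOP      1
#define TCPOPT_MAXSEG   2
#define TCPOLEN_MAXSEG  4
#define TCPOPT_WINDOW   3
#define TCPOLEN_WINDOW  3

struct tcpopts {			/* hypothetical result struct */
	int      have_mss;
	uint16_t mss;
	int      have_wscale;
	uint8_t  wscale;
};

/*
 * Walk the option area.  An MSS/WSCALE option with an unexpected length is
 * skipped (its bytes are consumed through optlen) and the walk continues,
 * the "ignore, don't drop" behaviour discussed above.  Returns -1 only when
 * the area itself is broken (no length byte, or a length past the end);
 * what to do with that is left to the caller (this example's own choice).
 */
static int
parse_tcpopts(const uint8_t *cp, size_t cnt, struct tcpopts *o)
{
	size_t optlen;

	memset(o, 0, sizeof(*o));
	for (; cnt > 0; cnt -= optlen, cp += optlen) {
		uint8_t opt = cp[0];

		if (opt == TCPOPT_EOL)
			break;
		if (opt == TCPOPT_NOP) {
			optlen = 1;
		} else {
			if (cnt < 2)
				return -1;	/* kind byte without a length byte */
			optlen = cp[1];
			if (optlen < 2 || optlen > cnt)
				return -1;	/* option runs past the option area */
		}

		switch (opt) {
		case TCPOPT_MAXSEG:
			if (optlen != TCPOLEN_MAXSEG)
				continue;	/* unusual length: ignore this option */
			o->mss = (uint16_t)((cp[2] << 8) | cp[3]);
			o->have_mss = 1;
			break;
		case TCPOPT_WINDOW:
			if (optlen != TCPOLEN_WINDOW)
				continue;	/* unusual length: ignore this option */
			o->wscale = cp[2];
			o->have_wscale = 1;
			break;
		default:
			break;			/* other kinds: length validated, skipped */
		}
	}
	return 0;
}

/* Value of a parsed MSS/WSCALE, -1 if absent or ignored, -2 if area malformed. */
int
parsed_value(const uint8_t *opts, size_t len, int kind)
{
	struct tcpopts o;

	if (parse_tcpopts(opts, len, &o) != 0)
		return -2;
	if (kind == TCPOPT_MAXSEG)
		return o.have_mss ? (int)o.mss : -1;
	return o.have_wscale ? (int)o.wscale : -1;
}

/* Constructed sample option areas (hand-built, not from a capture). */
static const uint8_t opts_good[] = {
	TCPOPT_MAXSEG, 4, 0x05, 0xb4,	/* MSS 1460 */
	TCPOPT_NOP,
	TCPOPT_WINDOW, 3, 7,		/* window scale 7 */
};
static const uint8_t opts_bogus_len[] = {
	TCPOPT_MAXSEG, 3, 0x05,		/* MSS with length 3: ignored */
	TCPOPT_WINDOW, 4, 7, 0,		/* WSCALE with length 4: ignored */
	TCPOPT_MAXSEG, 4, 0x02, 0x18,	/* later well-formed MSS (536) still taken */
};
static const uint8_t opts_truncated[] = {
	TCPOPT_MAXSEG, 4, 0x05,		/* claims 4 bytes, only 3 present */
};

int
main(void)
{
	printf("good:      mss=%d wscale=%d\n",
	    parsed_value(opts_good, sizeof(opts_good), TCPOPT_MAXSEG),
	    parsed_value(opts_good, sizeof(opts_good), TCPOPT_WINDOW));
	printf("bogus len: mss=%d wscale=%d\n",
	    parsed_value(opts_bogus_len, sizeof(opts_bogus_len), TCPOPT_MAXSEG),
	    parsed_value(opts_bogus_len, sizeof(opts_bogus_len), TCPOPT_WINDOW));
	printf("truncated: mss=%d\n",
	    parsed_value(opts_truncated, sizeof(opts_truncated), TCPOPT_MAXSEG));
	return 0;
}
```

The second sample is the case under discussion: both malformed options are stepped over by their own length bytes, and a well-formed MSS later in the same segment is still honoured, so neither the firewall nor the stack needs to reject the packet to stay in sync with the option stream.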