by eps
2058 days ago
> arbitrary tcp and udp packets

... except these arbitrary tcp/udp packets will be in IP fragments and therefore invalid. The whole thing hinges on the NAT code NOT reassembling IP packets before passing them to ALG and the ALG also not observing IP fragmentation. These are bugs, and pretty severe at that, so the mitigation is just to patch the code.
But, as gnfargbl points out, the TCP case can be caught by looking at the sequence number, or perhaps some conntrack state.
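As an added example, not part of this thread or of any NAT implementation: a small guard of the kind the comment describes, which parses the IPv4 header and refuses to hand a datagram to ALG port parsing unless it is unfragmented and carries a complete TCP/UDP header. Packet bytes are constructed inline and the function names are assumptions.

```python
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header
MF_FLAG = 0x2000             # "more fragments" bit
FRAG_OFFSET_MASK = 0x1FFF    # fragment offset, in 8-byte units
MIN_L4_HEADER = {6: 20, 17: 8}  # TCP, UDP


def parse_ipv4(pkt):
    """Return the IPv4 fields an ALG must look at before touching layer 4."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "ident": ident,
        "proto": proto,
        "more_fragments": bool(flags_frag & MF_FLAG),
        "frag_offset": (flags_frag & FRAG_OFFSET_MASK) * 8,
        "payload": pkt[ihl:total_len],
    }


def is_fragment(hdr):
    """A datagram is a fragment if MF is set or the offset is non-zero."""
    return hdr["more_fragments"] or hdr["frag_offset"] != 0


def alg_may_inspect(pkt):
    """Gate in front of ALG parsing: (allowed, reason).

    Fragments are rejected so the ALG never parses ports out of a piece of
    a datagram; reassembly has to happen first. A datagram whose L4 header is
    shorter than the protocol minimum is rejected for the same reason.
    """
    hdr = parse_ipv4(pkt)
    if is_fragment(hdr):
        return False, "fragment: reassemble before ALG inspection"
    min_l4 = MIN_L4_HEADER.get(hdr["proto"])
    if min_l4 is None:
        return False, "not TCP/UDP"
    if len(hdr["payload"]) < min_l4:
        return False, "L4 header truncated"
    return True, "ok"


def build_ipv4(proto, flags_frag, payload):
    """Construct a sample IPv4 datagram (constructed test data, not a capture)."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0x1234, flags_frag,
                      64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload
```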