[Bug 1087] Window Tracking not disabled

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Tue Oct 18 11:43:00 CEST 2016


https://bugzilla.netfilter.org/show_bug.cgi?id=1087

--- Comment #5 from Mathew <mat999 at gmail.com> ---
Hi,

>> As I said, to properly deal with this situation, you need "TCPWindowTracking On".

You are confused: "TCPWindowTracking Off" (default) sets
IP_CT_TCP_FLAG_BE_LIBERAL on the resulting installed connection, which disables
TCP window tracking.

/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal does the same thing
globally.

--

I can confirm my diagnosis was correct. We patched the kernel to correctly
propagate the IP_CT_TCP_FLAG_BE_LIBERAL flag (which *IS* the flag set by
"TCPWindowTracking") to both sides of the connection. This showed the correct
behaviour.

I have not at this time done extensive testing of the patch or taken it any
further as of yet (plans are to formalise the patch for staging testing within
the fortnight).

The patch is just adding:

	/* carry the liberal flag over so the reply side inherits it */
	if (seen.flags & IP_CT_TCP_FLAG_BE_LIBERAL) {
		ct->proto.tcp.last_flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
	}

to the line linked. This correctly propagates the flag to the last_flags
variable which goes on to form the reply side of the connection.
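The following is an added illustration, not code from the bug report or from the kernel: a small C model of the asymmetry the comment describes. The flag value (0x1), the two-direction layout and the window check are simplified stand-ins for the kernel's ip_ct_tcp_state and tcp_in_window, with constructed sequence numbers; `setup_reply_side`, `accept_segment` and `reply_out_of_window_accepted` are names chosen for the model. It shows that when IP_CT_TCP_FLAG_BE_LIBERAL is present only on the original direction, an out-of-window reply segment is still dropped, and that propagating the flag through last_flags (the patch) or the global be_liberal sysctl makes it pass.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bit named on the bug page; the value matches the kernel header (0x1). */
#define IP_CT_TCP_FLAG_BE_LIBERAL 0x01

#define DIR_ORIGINAL 0
#define DIR_REPLY    1

/* Simplified per-direction tracking state (stand-in for ip_ct_tcp_state). */
struct dir_state {
    uint32_t td_end;     /* next sequence number the tracker expects */
    uint32_t td_maxwin;  /* how far ahead/behind a segment may be and still pass */
    uint8_t  flags;      /* IP_CT_TCP_FLAG_* bits for this direction */
};

/* Simplified connection state (stand-in for ct->proto.tcp). */
struct tcp_ct {
    struct dir_state seen[2];
    uint8_t last_flags;  /* flags handed on when the reply side is set up */
};

/* Model of the report: the reply direction inherits last_flags, and the
 * patch copies BE_LIBERAL from the original direction into last_flags. */
static void setup_reply_side(struct tcp_ct *ct, bool patched)
{
    if (patched && (ct->seen[DIR_ORIGINAL].flags & IP_CT_TCP_FLAG_BE_LIBERAL))
        ct->last_flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
    ct->seen[DIR_REPLY].flags = ct->last_flags;
}

/* Constructed window check (no wraparound handling): is seq within
 * td_maxwin of what the tracker expects from this direction? */
static bool in_window(const struct tcp_ct *ct, int dir, uint32_t seq)
{
    const struct dir_state *s = &ct->seen[dir];
    uint32_t lo = s->td_end - s->td_maxwin;
    uint32_t hi = s->td_end + s->td_maxwin;
    return seq >= lo && seq <= hi;
}

/* Accept if in window, or if this direction is liberal, or if the global
 * ip_conntrack_tcp_be_liberal sysctl is on (modelled here as a bool). */
static bool accept_segment(const struct tcp_ct *ct, int dir, uint32_t seq,
                           bool global_be_liberal)
{
    if (in_window(ct, dir, seq))
        return true;
    return (ct->seen[dir].flags & IP_CT_TCP_FLAG_BE_LIBERAL) || global_be_liberal;
}

/* Connection whose original direction was created with BE_LIBERAL (what the
 * report says "TCPWindowTracking Off" does). Returns whether a reply segment
 * far outside the expected window is accepted. */
bool reply_out_of_window_accepted(bool patched, bool global_be_liberal)
{
    struct tcp_ct ct = {
        .seen = {
            [DIR_ORIGINAL] = { .td_end = 1000, .td_maxwin = 100,
                               .flags = IP_CT_TCP_FLAG_BE_LIBERAL },
            [DIR_REPLY]    = { .td_end = 5000, .td_maxwin = 100, .flags = 0 },
        },
        .last_flags = 0,
    };
    setup_reply_side(&ct, patched);
    /* Constructed reply segment 10000 bytes past the expected sequence. */
    return accept_segment(&ct, DIR_REPLY, 15000, global_be_liberal);
}

int main(void)
{
    printf("unpatched, flag only on original side: %s\n",
           reply_out_of_window_accepted(false, false) ? "accepted" : "dropped");
    printf("patched, flag propagated to reply side: %s\n",
           reply_out_of_window_accepted(true, false) ? "accepted" : "dropped");
    printf("global be_liberal sysctl on:            %s\n",
           reply_out_of_window_accepted(false, true) ? "accepted" : "dropped");
    return 0;
}
```

The point for anyone checking a box: a per-connection liberal flag that lands on only one direction leaves the other direction fully window-checked, which is exactly the "tracking not disabled" symptom; the global sysctl path in the model is the workaround the comment mentions, applied to every connection rather than the ones a rule selected.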
