[netfilter-cvslog] r3718 - in trunk/patch-o-matic-ng/nf_conntrack/linux-2.6: include/linux/netfilter net/netfilter

yasuyuki at netfilter.org yasuyuki at netfilter.org
Thu Feb 17 09:12:29 CET 2005


Author: yasuyuki at netfilter.org
Date: 2005-02-17 09:12:29 +0100 (Thu, 17 Feb 2005)
New Revision: 3718

Modified:
   trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/include/linux/netfilter/nf_conntrack_tcp.h
   trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_proto_tcp.c
Log:
applied patches from Michal Rokos for re-sync with recent ip_conntrack_tcp.



Modified: trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/include/linux/netfilter/nf_conntrack_tcp.h
===================================================================
--- trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/include/linux/netfilter/nf_conntrack_tcp.h	2005-02-16 22:40:26 UTC (rev 3717)
+++ trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/include/linux/netfilter/nf_conntrack_tcp.h	2005-02-17 08:12:29 UTC (rev 3718)
@@ -23,7 +23,7 @@
 };
 
 /* Window scaling is advertised by the sender */
-#define NF_CT_TCP_STATE_FLAG_WINDOW_SCALE      0x01
+#define NF_CT_TCP_FLAG_WINDOW_SCALE            0x01
 
 /* SACK is permitted by the sender */
 #define NF_CT_TCP_FLAG_SACK_PERM               0x02

Modified: trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_proto_tcp.c
===================================================================
--- trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_proto_tcp.c	2005-02-16 22:40:26 UTC (rev 3717)
+++ trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_proto_tcp.c	2005-02-17 08:12:29 UTC (rev 3718)
@@ -280,9 +280,9 @@
  *	sCL -> sCL
  */
 /* 	     sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI	*/
-/*ack*/	   { sIV, sIV, sIV, sES, sCW, sCW, sTW, sTW, sCL, sIV },
+/*ack*/	   { sIV, sIG, sIV, sES, sCW, sCW, sTW, sTW, sCL, sIV },
 /*
- *	sSS -> sIV	ACK is invalid: we haven't seen a SYN/ACK yet.
+ *	sSS -> sIG	Might be a half-open connection.
  *	sSR -> sIV	Simultaneous open.
  *	sES -> sES	:-)
  *	sFW -> sCW	Normal close request answered by ACK.
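Review bot: The changed `ack` row entry turns an ACK seen in SYN_SENT from sIV into sIG, and the replacement comment line should say what sIG means for the packet, since it is neither accept-and-track nor drop: e.g. `*	sSS -> sIG	Might be a half-open connection: the packet passes but the connection state is left unchanged.` (the IGNORE case further down in this file returns NF_ACCEPT without a state transition). Which direction's table this row belongs to is not visible in the hunk; the later comment in this file that calls it "ACK in REPLY direction" suggests the reply table, which the comment could name as well so a reader does not have to cross-reference.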
@@ -444,7 +444,7 @@
 					state->td_scale = 14;
 				}
 				state->flags |=
-					NF_CT_TCP_STATE_FLAG_WINDOW_SCALE;
+					NF_CT_TCP_FLAG_WINDOW_SCALE;
 			}
 			ptr += opsize - 2;
 			length -= opsize;
@@ -566,8 +566,8 @@
 			 * Both sides must send the Window Scale option
 			 * to enable window scaling in either direction.
 			 */
-			if (!(sender->flags & NF_CT_TCP_STATE_FLAG_WINDOW_SCALE
-			      && receiver->flags & NF_CT_TCP_STATE_FLAG_WINDOW_SCALE))
+			if (!(sender->flags & NF_CT_TCP_FLAG_WINDOW_SCALE
+			      && receiver->flags & NF_CT_TCP_FLAG_WINDOW_SCALE))
 				sender->td_scale = 
 				receiver->td_scale = 0;
 		} else {
@@ -580,8 +580,10 @@
 			sender->td_maxwin = (win == 0 ? 1 : win);
 			sender->td_maxend = end + sender->td_maxwin;
 		}
-	} else if (state->state == TCP_CONNTRACK_SYN_SENT
-		   && dir == NF_CT_DIR_ORIGINAL
+	} else if (((state->state == TCP_CONNTRACK_SYN_SENT
+		     && dir == NF_CT_DIR_ORIGINAL)
+		   || (state->state == TCP_CONNTRACK_SYN_RECV
+		     && dir == NF_CT_DIR_REPLY))
 		   && after(end, sender->td_end)) {
 		/*
 		 * RFC 793: "if a TCP is reinitialized ... then it need
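Review bot: The comment that opens right after the widened condition (the RFC 793 quote about a reinitialised TCP, which continues outside the hunk) still describes only the original-direction SYN_SENT case, while the new second alternative also routes a reply-direction segment in SYN_RECV whose end is beyond the tracked td_end down the same reinitialisation path. The comment should name that case and the reason it is trusted, e.g. `* Also taken for a reply-direction segment while in SYN_RECV (presumably a re-sent SYN/ACK with a new ISN).`, since this branch rebuilds the sender's window state from a segment that has not completed the handshake. The enclosing function starts and ends outside the hunk.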
@@ -699,7 +701,7 @@
 			"nf_ct_tcp: %s ",
 			before(end, sender->td_maxend + 1) ?
 			after(seq, sender->td_end - receiver->td_maxwin - 1) ?
-			before(ack, receiver->td_end + 1) ?
+			before(sack, receiver->td_end + 1) ?
 			after(ack, receiver->td_end - MAXACKWINDOW(sender)) ? "BUG"
 			: "ACK is under the lower bound (possibly overly delayed ACK)"
 			: "ACK is over the upper bound (ACKed data has never seen yet)"
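Review bot: The rung changed here now tests `sack` while the rung after it still tests `ack`, so the nested ternaries describe a four-term validity check whose third term is the SACK edge; the expression that actually computes the accept/reject result is outside the hunk and should be checked to use exactly the same four operands in the same order, because this message is the only diagnostic for a dropped segment and a mismatched rung reports the wrong reason. The first two rungs take `end` against td_maxend and `seq` against td_end - td_maxwin; whichever form the real check uses, the ladder has to match it term for term, and a one-line comment above the log call naming the check it mirrors would make that easy to keep in sync. The enclosing function continues outside the hunk.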
@@ -896,7 +898,9 @@
 
 	switch (new_state) {
 	case TCP_CONNTRACK_IGNORE:
-		/* Either SYN in ORIGINAL, or SYN/ACK in REPLY direction. */
+		/* Either SYN in ORIGINAL
+		 * or SYN/ACK in REPLY
+		 * or ACK in REPLY direction (half-open connection). */
 		if (index == TCP_SYNACK_SET
 		    && conntrack->proto.tcp.last_index == TCP_SYN_SET
 		    && conntrack->proto.tcp.last_dir != dir
@@ -925,7 +929,7 @@
 		WRITE_UNLOCK(&tcp_lock);
 		if (LOG_INVALID(IPPROTO_TCP))
 			nf_log_packet(pf, 0, skb, NULL, NULL, 
-				  "nf_ct_tcp: invalid SYN (ignored) ");
+				  "nf_ct_tcp: invalid packed ignored ");
 		return NF_ACCEPT;
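Review bot: The new log string on the changed line has a typo, `packed` for `packet`; it should read `"nf_ct_tcp: invalid packet ignored "`. The broader wording is appropriate now that the IGNORE case covers more than SYN, but anything that matches on the old `invalid SYN (ignored)` text (log filters, tests) will stop matching, so the new string is worth noting where that message is consumed. The enclosing switch and function continue outside the hunk.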
 	case TCP_CONNTRACK_MAX:
 		/* Invalid packet */
@@ -950,11 +954,12 @@
 		break;
 	case TCP_CONNTRACK_CLOSE:
 		if (index == TCP_RST_SET
-		    && test_bit(NF_S_SEEN_REPLY_BIT, &conntrack->status)
-		    && conntrack->proto.tcp.last_index <= TCP_SYNACK_SET
+		    && ((test_bit(NF_S_SEEN_REPLY_BIT, &conntrack->status)
+		         && conntrack->proto.tcp.last_index <= TCP_SYNACK_SET)
+			|| conntrack->proto.tcp.last_index == TCP_ACK_SET)
 		    && after(ntohl(th->ack_seq),
 		    	     conntrack->proto.tcp.last_seq)) {
-			/* Ignore RST closing down invalid SYN 
+			/* Ignore RST closing down invalid SYN or ACK
 			   we had let trough. */ 
 		    	WRITE_UNLOCK(&tcp_lock);
 			if (LOG_INVALID(IPPROTO_TCP))
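Review bot: The new alternative on the third changed line accepts any RST whose last_index is TCP_ACK_SET with no further qualification, whereas the existing SYN/SYN-ACK branch is tied to the seen-reply status. If last_index is updated on every accepted segment (that code is outside the hunk), an ordinary ACK followed by a RST with a later ack_seq in an established flow will now be ignored instead of moving the entry to CLOSE, so the entry lingers in its previous state until it times out. The comment says the intent is only the half-open ACK that the new sIG table entry lets through; narrowing this branch to connections that have not yet been assured, or requiring the RST's ack_seq to match the ACK's end rather than merely exceed last_seq, would keep that intent without weakening RST handling for established connections. The enclosing switch and function continue outside the hunk.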



