[netfilter-cvslog] r3723 - in trunk/patch-o-matic-ng/nf_conntrack/linux-2.6: include/linux/netfilter net/netfilter

yasuyuki at netfilter.org
Thu Feb 17 17:25:49 CET 2005


Author: yasuyuki at netfilter.org
Date: 2005-02-17 17:25:49 +0100 (Thu, 17 Feb 2005)
New Revision: 3723

Modified:
   trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/include/linux/netfilter/nf_conntrack_tcp.h
   trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_proto_tcp.c
Log:
[NETFILTER]: Improve TCP window tracking retransmission detection

Under certain circumstances (high latency WAN links for instance), ack
packets get stacked up and arrive in bulk.  The current TCP window
tracking code interprets these numerous acks as retransmits, and
if there are >= 3 retransmits sequentially, it resets the timeout on
a conntrack to 5 minutes.

The problem lies in the fact that the code currently only examines
the seq number of the arriving packet, but does not also look at the
seq number being acked.  The patch below adds this additional check.
Unfortunately, it adds another int32 to ip_ct_tcp, but I could think
of no other fool-proof way of fixing it (short of ripping out the
retransmission test altogether).

Signed-off-by: Phil Oester <kernel at linuxace.com>
Signed-off-by: Patrick McHardy <kaber at trash.net>
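The heuristic the log message describes, as an added stand-alone model (not the netfilter code itself): the struct fields mirror the patch, `track_ack()` and `replay()` are hypothetical helpers, and the packet sequences fed in are constructed. It shows why a bulk of pure ACKs with an advancing ack number counts as three "retransmits" under the seq-only rule and as none once the ack number is compared too.

```c
/* Added example, not the patch's own code: a model of the TCP window-tracking
 * retransmission heuristic with the patch's fields; track_ack() is hypothetical. */
#include <stdint.h>
#include <stdio.h>

struct tcp_track {
    int      last_dir;  /* direction of the last ACK-flagged packet */
    uint32_t last_seq;  /* its sequence number */
    uint32_t last_ack;  /* its acknowledgement number (field added by the patch) */
    uint32_t last_end;  /* seq + payload length */
    uint8_t  retrans;   /* consecutive packets judged to be retransmissions */
};

/* Account one ACK-flagged packet and return the updated retrans count.
 * check_ack = 0 is the pre-patch comparison, 1 the patched one. */
static uint8_t track_ack(struct tcp_track *st, int dir, uint32_t seq,
                         uint32_t ack, uint32_t len, int check_ack)
{
    uint32_t end = seq + len;
    if (st->last_dir == dir && st->last_seq == seq &&
        (!check_ack || st->last_ack == ack) && st->last_end == end) {
        st->retrans++;
    } else {
        st->last_dir = dir;
        st->last_seq = seq;
        st->last_ack = ack;   /* the assignment the patch intends to add */
        st->last_end = end;
        st->retrans = 0;
    }
    return st->retrans;
}

/* Replay four packets from one side with a fixed seq, ack advancing by ack_step
 * and payload len; return the final retrans count. Constructed input: ack_step =
 * 1460, len = 0 is a burst of pure ACKs; ack_step = 0, len = 100 a real retransmit. */
static uint8_t replay(uint32_t ack_step, uint32_t len, int check_ack)
{
    struct tcp_track st = {0};
    uint8_t r = 0;
    for (uint32_t i = 0; i < 4; i++)
        r = track_ack(&st, 0, 5000, 1000 + i * ack_step, len, check_ack);
    return r;
}

int main(void)
{
    printf("ACK burst:      old %u, new %u\n", replay(1460, 0, 0), replay(1460, 0, 1));
    printf("retransmission: old %u, new %u\n", replay(0, 100, 0), replay(0, 100, 1));
    return 0;
}
```

With the seq-only rule the four-ACK burst reaches retrans = 3, the threshold the log message says triggers the 5-minute timeout, while a segment genuinely repeated four times is still counted under both rules.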



Modified: trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/include/linux/netfilter/nf_conntrack_tcp.h
===================================================================
--- trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/include/linux/netfilter/nf_conntrack_tcp.h	2005-02-17 16:15:22 UTC (rev 3722)
+++ trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/include/linux/netfilter/nf_conntrack_tcp.h	2005-02-17 16:25:49 UTC (rev 3723)
@@ -46,6 +46,7 @@
 	u_int8_t	retrans;	/* Number of retransmitted packets */
 	u_int8_t	last_index;	/* Index of the last packet */
 	u_int32_t	last_seq;	/* Last sequence number seen in dir */
+	u_int32_t	last_ack;	/* Last sequence number seen in opposite dir */
 	u_int32_t	last_end;	/* Last seq + len */
 };
 
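Review bot: the comment on the new field, `/* Last sequence number seen in opposite dir */`, reads as though it stores the other direction's seq, but the proto_tcp.c hunk compares it against the ack number of a packet in this direction (`state->last_ack == ack`); wording it like its neighbours, e.g. `/* Last ack number seen in dir */`, would match the usage and the `last_seq`/`last_end` naming.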

Modified: trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_proto_tcp.c
===================================================================
--- trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_proto_tcp.c	2005-02-17 16:15:22 UTC (rev 3722)
+++ trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_proto_tcp.c	2005-02-17 16:25:49 UTC (rev 3723)
@@ -679,12 +679,14 @@
 		if (*index == TCP_ACK_SET) {
 			if (state->last_dir == dir
 			    && state->last_seq == seq
+			    && state->last_ack == ack
 			    && state->last_end == end)
 				state->retrans++;
 			else {
 				state->last_dir = dir;
 				state->last_seq = seq;
 				state->last_end = end;
+				state->last_end = end;
 				state->retrans = 0;
 			}
 		}
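Review bot: the added line in the else branch, `+				state->last_end = end;`, duplicates the unchanged `state->last_end = end;` directly above it, and nothing in this hunk ever stores the incoming ack into the new field. As written, `state->last_ack == ack` in the if condition compares against a value this code never updates, so the retrans counter stops incrementing for genuine retransmissions as well, which silently disables the check the patch set out to refine. The line should read `state->last_ack = ack;`.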
