[netfilter-cvslog] r3725 - trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter

yasuyuki at netfilter.org
Thu Feb 17 17:37:38 CET 2005


Author: yasuyuki at netfilter.org
Date: 2005-02-17 17:37:38 +0100 (Thu, 17 Feb 2005)
New Revision: 3725

Modified:
   trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_proto_tcp.c
Log:
[PATCH] Fix broken RST handling in ip_conntrack

Here's a patch that fixes a pretty serious bug introduced by a recent
"bugfix".  The problem is that RST packets are ignored if they follow an
ACK packet; this means that the timeout of the connection isn't decreased,
so we get lots of old connections lingering around until the timeout
expires; the default timeout for state ESTABLISHED is 5 days.

This needs to go into -bk as soon as possible.  The bug is present in
2.6.10 as well.

Signed-off-by: Andrew Morton <akpm at osdl.org>
Signed-off-by: Linus Torvalds <torvalds at osdl.org>



Modified: trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_proto_tcp.c
===================================================================
--- trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_proto_tcp.c	2005-02-17 16:29:34 UTC (rev 3724)
+++ trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_proto_tcp.c	2005-02-17 16:37:38 UTC (rev 3725)
@@ -958,7 +958,8 @@
 		if (index == TCP_RST_SET
 		    && ((test_bit(NF_S_SEEN_REPLY_BIT, &conntrack->status)
 		         && conntrack->proto.tcp.last_index <= TCP_SYNACK_SET)
-			|| conntrack->proto.tcp.last_index == TCP_ACK_SET)
+			|| (!test_bit(NF_S_ASSURED_BIT, &conntrack->status)
+			 && conntrack->proto.tcp.last_index == TCP_ACK_SET))
 		    && after(ntohl(th->ack_seq),
 		    	     conntrack->proto.tcp.last_seq)) {
 			/* Ignore RST closing down invalid SYN or ACK
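Review bot: the comment that closes this hunk, `/* Ignore RST closing down invalid SYN or ACK`, no longer describes the condition above it: with the added `!test_bit(NF_S_ASSURED_BIT, &conntrack->status)` guard, an RST that follows an ACK is only ignored while the connection has not yet been marked assured, so the comment should say so (for example "... or ACK on a not-yet-assured connection"), otherwise the next reader will not see why the ASSURED bit is consulted here. The logic itself matches the log message: before this change, any RST whose `ack_seq` was `after()` `last_seq` and whose `last_index` was `TCP_ACK_SET` was dropped even on a fully established connection, so the connection stayed in ESTABLISHED for the full timeout; the guard restores RST processing for assured connections while keeping the protection against stray RSTs on connections that have not completed the handshake exchange.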
