[conntrack-tools] netlink: avoid errors related to the expected bit handling

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Thu Aug 7 15:22:07 CEST 2008


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=d8df7a62cf50cc1af868b22e4d301a78e7f5c450
commit d8df7a62cf50cc1af868b22e4d301a78e7f5c450
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Thu Aug 7 15:22:00 2008 +0200
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Thu Aug 7 15:22:00 2008 +0200

    netlink: avoid errors related to the expected bit handling
    
    We hit an error if we try to change the expected bit for already existing
    conntracks. On the other hand, if the conntrack does not exist, do not
    change the expected bit, otherwise we also hit an error.
    
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  d8df7a62cf50cc1af868b22e4d301a78e7f5c450 (commit)
      from  8a78dda3e6676286f09f5c78cca60a8178186930 (commit)


 src/netlink.c |   17 +++++++++++++++--
 1 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/netlink.c b/src/netlink.c
index e9b1cfd..8b02ac5 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -301,7 +301,7 @@ int nl_create_conntrack(struct nf_conntrack *ct)
 {
 	uint8_t flags;
 
-	/* XXX: related connections */
+	/* we hit error if we try to change the expected bit */
 	if (nfct_attr_is_set(ct, ATTR_STATUS)) {
 		uint32_t status = nfct_get_attr_u32(ct, ATTR_STATUS);
 		status &= ~IPS_EXPECTED;
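Review bot: the one-line comment that replaces the XXX marker at the top of this hunk names neither the bit nor the direction of the fix; the code right below it clears IPS_EXPECTED out of ATTR_STATUS before the create request goes out, so the comment should say that, e.g. `/* the kernel rejects a create request that carries IPS_EXPECTED, clear it first */`. Note also that the commit message reads the other way round ("if the conntrack does not exist, do not change the expected bit") while this create path is exactly where the bit is changed; rewording one of the two would save the next reader a detour.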
@@ -325,6 +325,8 @@ int nl_create_conntrack(struct nf_conntrack *ct)
 /* This function modifies the conntrack passed as argument! */
 int nl_update_conntrack(struct nf_conntrack *ct)
 {
+	uint8_t flags;
+
 	/* unset NAT info, otherwise we hit error */
 	nfct_attr_unset(ct, ATTR_SNAT_IPV4);
 	nfct_attr_unset(ct, ATTR_DNAT_IPV4);
@@ -349,7 +351,18 @@ int nl_update_conntrack(struct nf_conntrack *ct)
 		nfct_attr_unset(ct, ATTR_MASTER_PORT_DST);
 	}
 
-	return nl_create_conntrack(ct);
+	nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY);
+
+	/*
+	 * TCP flags to overpass window tracking for recovered connections
+	 */
+	flags = IP_CT_TCP_FLAG_BE_LIBERAL | IP_CT_TCP_FLAG_SACK_PERM;
+	nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, flags);
+	nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, flags);
+	nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, flags);
+	nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, flags);
+
+	return nfct_query(STATE(dump), NFCT_Q_CREATE_UPDATE, ct);
 }
 
 int nl_destroy_conntrack(struct nf_conntrack *ct)
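Review bot: the BE_LIBERAL | SACK_PERM block is applied unconditionally, so ATTR_TCP_FLAGS_ORIG / ATTR_TCP_MASK_ORIG and the reply counterparts get set on UDP and ICMP conntracks as well; guard it with a `nfct_get_attr_u8(ct, ATTR_L4PROTO) == IPPROTO_TCP` check (if the `uint8_t flags` that nl_create_conntrack declares in the first hunk serves the same purpose, the guard belongs there too). Two smaller points: the update path no longer goes through nl_create_conntrack, so the IPS_EXPECTED masking of ATTR_STATUS from the first hunk is not applied here; given that the message says changing the expected bit on an existing conntrack errors, either unset ATTR_STATUS for the update the way ATTR_SNAT_IPV4 and ATTR_DNAT_IPV4 are unset above, or add a comment on why sending it unchanged is safe. And `flags` is now built in two functions; a small `static void nl_set_tcp_liberal(struct nf_conntrack *ct)` shared by both would keep them from drifting apart.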
