[conntrack-tools] conntrack: fix manually created TCP entries with window tracking enabled

Pablo Neira netfilter-cvslog-bounces at lists.netfilter.org
Thu Dec 24 00:06:45 CET 2009


Gitweb:		http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=b78aa333ae1a73683afd44b8819186a91784d929
commit b78aa333ae1a73683afd44b8819186a91784d929
Author:     Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Wed Dec 23 23:29:06 2009 +0100
Commit:     Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Wed Dec 23 23:29:06 2009 +0100

    conntrack: fix manually created TCP entries with window tracking enabled
    
    With this patch, we allow TCP entries to be created manually in the table.
    Basically, we disable TCP window tracking for this entry to avoid
    problems.
    
    Reported-by: Roman Fiedler <roman.fiedler at ait.ac.at>
    Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
       via  b78aa333ae1a73683afd44b8819186a91784d929 (commit)
      from  f49cfb7598c0433d3cb3dc3d829b510a205313f4 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


 extensions/libct_proto_tcp.c |   14 ++++++++++++++
 1 files changed, 14 insertions(+), 0 deletions(-)

diff --git a/extensions/libct_proto_tcp.c b/extensions/libct_proto_tcp.c
index ac54ac7..cb573d0 100644
--- a/extensions/libct_proto_tcp.c
+++ b/extensions/libct_proto_tcp.c
@@ -202,6 +202,20 @@ static void final_check(unsigned int flags,
 			break;
 		}
 	}
+	/* Disable TCP window tracking for manually created TCP entries,
+	 * otherwise this will not work. */
+	uint8_t tcp_flags = IP_CT_TCP_FLAG_BE_LIBERAL |
+			    IP_CT_TCP_FLAG_SACK_PERM;
+
+	/* This allows to reopen a new connection directly from TIME-WAIT
+	 * as RFC 1122 states. See nf_conntrack_proto_tcp.c for more info. */
+	if (nfct_get_attr_u8(ct, ATTR_TCP_STATE) >= TCP_CONNTRACK_TIME_WAIT)
+		tcp_flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
+
+	nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, tcp_flags);
+	nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, tcp_flags);
+	nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, tcp_flags);
+	nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, tcp_flags);
 }
 
 static struct ctproto_handler tcp = {
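Review bot: the `uint8_t tcp_flags` declaration is placed after the loop's statements inside `final_check()`, which is a mixed declaration-and-statement construct that requires C99 or GNU C; if the tree is built with `-std=c89` or `-ansi -pedantic` this hunk will not compile, so either move the declaration to the top of the function or wrap the new code in its own block. Second, the comment above the state check says CLOSE_INIT is meant to allow reopening "directly from TIME-WAIT", but the test is `>= TCP_CONNTRACK_TIME_WAIT`, so every state ordered after TIME_WAIT in the enum also receives the flag; if only TIME-WAIT is intended, `==` would match the comment, otherwise the comment should list the states that are covered. Finally, the first comment ("otherwise this will not work") would serve future readers better if it named the failure the commit message alludes to: with window tracking enabled, an entry whose window parameters were never learned from real traffic has packets judged out of window, and `IP_CT_TCP_FLAG_BE_LIBERAL` is what relaxes that check.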
