[PATCH] TCP conntrack connection pickup & window tracking

Jozsef Kadlecsik kadlec at blackhole.kfki.hu
Fri Oct 7 14:37:13 CEST 2005


Hi,

The attached patch adds a new status bit to conntrack by which TCP streams
can be marked as the ones with window tracking disabled. Also, it sets the
initial timeout parameter of picked up connections to a more reasonable
value (e.g. 5 mins instead of 5 days in the case of ACK packets).

Best regards,
Jozsef
-
E-mail  : kadlec at blackhole.kfki.hu, kadlec at sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
[NETFILTER]	Window tracking disabled is now session specific
		and picked up connections get more reasonable timeout
		value.

Signed-off-by: Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>

diff -urN --exclude-from=/usr/src/diff.exclude linux-2.6.14-rc3-orig/include/linux/netfilter_ipv4/ip_conntrack.h linux-2.6.14-rc3-tcp-win/include/linux/netfilter_ipv4/ip_conntrack.h
--- linux-2.6.14-rc3-orig/include/linux/netfilter_ipv4/ip_conntrack.h	2005-09-30 23:17:35.000000000 +0200
+++ linux-2.6.14-rc3-tcp-win/include/linux/netfilter_ipv4/ip_conntrack.h	2005-10-07 12:39:19.000000000 +0200
@@ -69,6 +69,10 @@
 	/* Connection is dying (removed from lists), can not be unset. */
 	IPS_DYING_BIT = 9,
 	IPS_DYING = (1 << IPS_DYING_BIT),
+
+	/* TCP window tracking is disabled */
+	IPS_TCP_NO_WINDOW_TRACKING_BIT = 10,
+	IPS_TCP_NO_WINDOW_TRACKING = (1 << IPS_TCP_NO_WINDOW_TRACKING_BIT),
 };
 
 /* Connection tracking event bits */
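Review bot: the comment on the new status bit should say when it is set and whether it can be cleared; IPS_DYING just above is documented as "can not be unset", and a reader of this header cannot tell whether IPS_TCP_NO_WINDOW_TRACKING follows the same rule. Since the rest of the patch only sets the bit at connection creation (tcp_new hunk) and never clears it, suggest expanding the comment to something like `/* TCP window tracking is disabled for this connection (set at creation, never cleared) */`. This enum is visible to userspace, so the value 10 also deserves a note that it must not be renumbered.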
diff -urN --exclude-from=/usr/src/diff.exclude linux-2.6.14-rc3-orig/net/ipv4/netfilter/ip_conntrack_proto_tcp.c linux-2.6.14-rc3-tcp-win/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
--- linux-2.6.14-rc3-orig/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	2005-09-30 23:17:35.000000000 +0200
+++ linux-2.6.14-rc3-tcp-win/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	2005-10-07 14:19:56.000000000 +0200
@@ -728,7 +728,7 @@
 			: "SEQ is under the lower bound (already ACKed data retransmitted)"
 			: "SEQ is over the upper bound (over the window of the receiver)");
 
-		res = ip_ct_tcp_be_liberal;
+		res = 0;
   	}
   
 	DEBUGP("tcp_in_window: res=%i sender end=%u maxend=%u maxwin=%u "
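Review bot: replacing `res = ip_ct_tcp_be_liberal` with `res = 0` removes the read of the sysctl on the packet path; in the visible hunks the sysctl is otherwise consulted only in tcp_new, so toggling ip_ct_tcp_be_liberal at runtime no longer affects existing connections, only ones created afterwards. That is a behaviour change operators will notice and it should be stated in the commit message and wherever the sysctl is documented.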
@@ -965,8 +965,9 @@
 		break;
 	}
 
-	if (!tcp_in_window(&conntrack->proto.tcp, dir, index, 
-			   skb, iph, th)) {
+	if (!(test_bit(IPS_TCP_NO_WINDOW_TRACKING_BIT, &conntrack->status)
+	      || tcp_in_window(&conntrack->proto.tcp, 
+			       dir, index, skb, iph, th))) {
 		write_unlock_bh(&tcp_lock);
 		return -NF_ACCEPT;
 	}
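Review bot: with test_bit() first in the `||`, tcp_in_window() is never called for a connection carrying IPS_TCP_NO_WINDOW_TRACKING, whereas before this patch liberal mode still ran the window check and only overrode its verdict (`res = ip_ct_tcp_be_liberal` in the previous hunk). If tcp_in_window() also records per-direction state (the DEBUGP in the previous hunk prints sender end/maxend/maxwin, which suggests it does), that state now goes stale for liberal connections and the out-of-window debug messages disappear. Suggest `if (!(tcp_in_window(&conntrack->proto.tcp, dir, index, skb, iph, th) || test_bit(IPS_TCP_NO_WINDOW_TRACKING_BIT, &conntrack->status)))` so the tracking state stays current and only the verdict is relaxed.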
@@ -987,7 +988,9 @@
 	    && (new_state == TCP_CONNTRACK_FIN_WAIT
 	    	|| new_state == TCP_CONNTRACK_CLOSE))
 		conntrack->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
-	timeout = conntrack->proto.tcp.retrans >= ip_ct_tcp_max_retrans
+	timeout = (conntrack->proto.tcp.retrans >= ip_ct_tcp_max_retrans
+		   || (old_state == TCP_CONNTRACK_NONE
+		       && new_state > TCP_CONNTRACK_SYN_SENT))
 		  && *tcp_timeouts[new_state] > ip_ct_tcp_timeout_max_retrans
 		  ? ip_ct_tcp_timeout_max_retrans : *tcp_timeouts[new_state];
 	write_unlock_bh(&tcp_lock);
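Review bot: the new `old_state == TCP_CONNTRACK_NONE && new_state > TCP_CONNTRACK_SYN_SENT` clause caps the timeout only for the first packet of a picked-up connection; the next packet in the same direction has old_state == ESTABLISHED and takes the full `*tcp_timeouts[new_state]` again, so a one-directional stream that is never answered still ends up with the long timeout after two packets. If the intent is to keep unconfirmed pickups short-lived, consider keeping the cap until reply-direction traffic has been seen (e.g. until IPS_ASSURED is set) rather than keying on old_state alone. A short comment explaining the `> TCP_CONNTRACK_SYN_SENT` test (any state reached without a SYN) would also help, since the condition is now three clauses deep inside a `?:` expression.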
@@ -1100,6 +1103,9 @@
 	conntrack->proto.tcp.state = TCP_CONNTRACK_NONE;
 	conntrack->proto.tcp.last_index = TCP_NONE_SET;
 	 
+	if (ip_ct_tcp_be_liberal)
+		set_bit(IPS_TCP_NO_WINDOW_TRACKING_BIT, &conntrack->status);
+
 	DEBUGP("tcp_new: sender end=%u maxend=%u maxwin=%u scale=%i "
 	       "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
 		sender->td_end, sender->td_maxend, sender->td_maxwin,
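Review bot: the commit message describes window tracking as "session specific", but the only setter of the new bit in this patch is this global sysctl check at connection creation, and nothing clears it; the patch adds no per-connection control. Either reword the message to say the sysctl is sampled per connection at creation time, or mention the follow-up that will expose the bit. Minor: the DEBUGP just below prints the tracking state but not whether tracking is disabled; adding the bit there would make the liberal case visible in debug output.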
