[PATCH] Resend: TCP window tracking fixes

[PATCH] Resend: TCP window tracking fixes

[Phil Oester]

[-- Attachment #1: Type: text/plain, Size: 663 bytes --]

Resending two patches which have not yet made it to mainline, and
which (IMO) are fairly important and should go in before 2.6.11.

1) retransmission handling -- window tracking needs to look at both
   seq numbers in determining whether a retransmission has occurred

   http://lists.netfilter.org/pipermail/netfilter-devel/2005-January/018241.html

2) over-window handling -- window tracking should not adjust down
   the maximum seq number which it thinks a client has received --
   the client may disagree with this number

   http://lists.netfilter.org/pipermail/netfilter-devel/2005-January/018278.html

Patches attached below, comments welcomed.

Phil




[-- Attachment #2: patch-ack --]
[-- Type: text/plain, Size: 1305 bytes --]

diff -ru linux-orig/include/linux/netfilter_ipv4/ip_conntrack_tcp.h linux-new/include/linux/netfilter_ipv4/ip_conntrack_tcp.h
--- linux-orig/include/linux/netfilter_ipv4/ip_conntrack_tcp.h	2004-12-24 16:34:31.000000000 -0500
+++ linux-new/include/linux/netfilter_ipv4/ip_conntrack_tcp.h	2005-01-25 00:31:46.772442512 -0500
@@ -41,6 +41,7 @@
 	u_int8_t	retrans;	/* Number of retransmitted packets */
 	u_int8_t	last_index;	/* Index of the last packet */
 	u_int32_t	last_seq;	/* Last sequence number seen in dir */
+	u_int32_t	last_ack;	/* Last sequence number seen in opposite dir */
 	u_int32_t	last_end;	/* Last seq + len */
 };
 
diff -ru linux-orig/net/ipv4/netfilter/ip_conntrack_proto_tcp.c linux-new/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
--- linux-orig/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	2005-01-25 00:46:13.192726608 -0500
+++ linux-new/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	2005-01-25 00:43:35.340723760 -0500
@@ -665,11 +665,13 @@
 		if (*index == TCP_ACK_SET) {
 			if (state->last_dir == dir
 			    && state->last_seq == seq
+			    && state->last_ack == ack
 			    && state->last_end == end)
 				state->retrans++;
 			else {
 				state->last_dir = dir;
 				state->last_seq = seq;
+				state->last_ack = ack;
 				state->last_end = end;
 				state->retrans = 0;
 			}

[-- Attachment #3: patch-overwindow --]
[-- Type: text/plain, Size: 1285 bytes --]

diff -ru linux-orig/net/ipv4/netfilter/ip_conntrack_proto_tcp.c linux-testdellfw/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
--- linux-orig/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	2005-01-28 17:48:10.620973992 -0500
+++ linux-testdellfw/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	2005-01-28 17:54:02.799434728 -0500
@@ -622,7 +622,6 @@
 	/* Ignore data over the right edge of the receiver's window. */
 	if (after(end, sender->td_maxend) &&
 	    before(seq, sender->td_maxend)) {
-		end = sender->td_maxend;
 		if (*index == TCP_FIN_SET)
 			*index = TCP_ACK_SET;
 	}
@@ -691,9 +690,9 @@
 			after(seq, sender->td_end - receiver->td_maxwin - 1) ?
 			before(sack, receiver->td_end + 1) ?
 			after(ack, receiver->td_end - MAXACKWINDOW(sender)) ? "BUG"
-			: "ACK is under the lower bound (possibly overly delayed ACK)"
-			: "ACK is over the upper bound (ACKed data has never seen yet)"
-			: "SEQ is under the lower bound (retransmitted already ACKed data)"
+			: "ACK is under the lower bound (possible overly delayed ACK)"
+			: "ACK is over the upper bound (ACKed data not seen yet)"
+			: "SEQ is under the lower bound (already ACKed data retransmitted)"
 			: "SEQ is over the upper bound (over the window of the receiver)");
 
 		res = ip_ct_tcp_be_liberal && !tcph->rst;

Re: [PATCH] Resend: TCP window tracking fixes

[Patrick McHardy]

Phil Oester wrote:

>Resending two patches which have not yet made it to mainline, and
>which (IMO) are fairly important and should go in before 2.6.11.
>
>1) retransmission handling -- window tracking needs to look at both
>   seq numbers in determining whether a retransmission has occurred
>
>   http://lists.netfilter.org/pipermail/netfilter-devel/2005-January/018241.html
>
>2) over-window handling -- window tracking should not adjust down
>   the maximum seq number which it thinks a client has received --
>   the client may disagree with this number
>
>   http://lists.netfilter.org/pipermail/netfilter-devel/2005-January/018278.html
>
>Patches attached below, comments welcomed.
>
I already have the retransmission handling patch queued, I'm just
a little behind with pushing it to Dave. I would like to hear
Jozsef's opinion before applying your second patch, he knows the
code much better than me. Jozsef, does the second patch look ok
to you ?

Regards
Patrick


>Phil
>
>
>  
>
>------------------------------------------------------------------------
>
>diff -ru linux-orig/net/ipv4/netfilter/ip_conntrack_proto_tcp.c linux-testdellfw/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
>--- linux-orig/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	2005-01-28 17:48:10.620973992 -0500
>+++ linux-testdellfw/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	2005-01-28 17:54:02.799434728 -0500
>@@ -622,7 +622,6 @@
> 	/* Ignore data over the right edge of the receiver's window. */
> 	if (after(end, sender->td_maxend) &&
> 	    before(seq, sender->td_maxend)) {
>-		end = sender->td_maxend;
> 		if (*index == TCP_FIN_SET)
> 			*index = TCP_ACK_SET;
> 	}
>@@ -691,9 +690,9 @@
> 			after(seq, sender->td_end - receiver->td_maxwin - 1) ?
> 			before(sack, receiver->td_end + 1) ?
> 			after(ack, receiver->td_end - MAXACKWINDOW(sender)) ? "BUG"
>-			: "ACK is under the lower bound (possibly overly delayed ACK)"
>-			: "ACK is over the upper bound (ACKed data has never seen yet)"
>-			: "SEQ is under the lower bound (retransmitted already ACKed data)"
>+			: "ACK is under the lower bound (possible overly delayed ACK)"
>+			: "ACK is over the upper bound (ACKed data not seen yet)"
>+			: "SEQ is under the lower bound (already ACKed data retransmitted)"
> 			: "SEQ is over the upper bound (over the window of the receiver)");
> 
> 		res = ip_ct_tcp_be_liberal && !tcph->rst;
>  
>