From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: kaber@trash.net, kadlec@blackhole.kfki.hu
Subject: [PATCH 1/2] netfilter: nf_ct_tcp: disable pick by default for first ACK packet seen
Date: Wed, 02 Feb 2011 15:03:28 +0100
Message-ID: <20110202140328.12173.27571.stgit@decadence>
In-Reply-To: <20110202140007.12173.41157.stgit@decadence>

This patch disables a by-default TCP connection pickup facility that
allows entering TCP Established if a TCP ACK packet is seen as the first
packet in the original direction. With this patch, this state pickup
facility is only enabled if nf_ct_tcp_loose > 0.

If pickup is disabled, it means that the user wants strict TCP
tracking. The current behaviour assumes the opposite.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_proto_tcp.c |   17 ++++++++++++-----
 1 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 3fb2b73..407b87c 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -193,9 +193,9 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
  *	sCL -> sCL
  */
 /* 	     sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2	*/
-/*ack*/	   { sES, sIV, sES, sES, sCW, sCW, sTW, sTW, sCL, sIV },
+/*ack*/	   { sIV, sIV, sES, sES, sCW, sCW, sTW, sTW, sCL, sIV },
 /*
- *	sNO -> sES	Assumed.
+ *	sNO -> sIV	if pickup is enabled, enter sES. See tcp_new()
  *	sSS -> sIV	ACK is invalid: we haven't seen a SYN/ACK yet.
  *	sS2 -> sIV
  *	sSR -> sES	Established state is reached.
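Review bot: the replacement comment on the sNO row ("if pickup is enabled, enter sES. See tcp_new()") reads as a fragment and no longer says what the table entry itself now means; since the row now yields sIV, state that first and keep the pointer to the exception, e.g. `sNO -> sIV	Invalid, unless loose pickup is enabled: tcp_new() then enters sES.` That keeps the table self-describing and makes clear that the sNO entry is the only one whose result tcp_new() overrides.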
@@ -1061,14 +1061,21 @@ static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
 	struct tcphdr _tcph;
 	const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[0];
 	const struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[1];
+	unsigned int index;
 
 	th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
 	BUG_ON(th == NULL);
 
+	index = get_conntrack_index(th);
 	/* Don't need lock here: this conntrack not in circulation yet */
-	new_state
-		= tcp_conntracks[0][get_conntrack_index(th)]
-		[TCP_CONNTRACK_NONE];
+	new_state = tcp_conntracks[0][index][TCP_CONNTRACK_NONE];
+
+	/* We assume TCP established if the first packet that we see is
+	 * an ACK, the picking up facility has to be enabled, of course. */
+	if (nf_ct_tcp_loose > 0 && index == TCP_ACK_SET &&
+	    new_state == TCP_CONNTRACK_MAX) {
+		new_state = TCP_CONNTRACK_ESTABLISHED;
+	}
 
 	/* Invalid: delete conntrack */
 	if (new_state >= TCP_CONNTRACK_MAX) {
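Review bot: the `new_state == TCP_CONNTRACK_MAX` comparison is really testing for the table's sIV entry (the one the first hunk changes), so comparing against `sIV` would state the intent directly and keep this check visibly tied to the table. Two smaller points: the braces around the single assignment are not needed under the kernel coding style, and the comment above the check is a run-on; suggest `/* If the first packet we see is a bare ACK, assume the connection is established, but only when loose pickup (nf_ct_tcp_loose) is enabled. */`. The changelog should also state the default value of nf_ct_tcp_loose, so readers can tell whether a stock configuration still performs mid-stream pickup after this patch.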
