# This is a BitKeeper generated diff -Nru style patch. # # ChangeSet # 2005/02/01 14:14:17+01:00 kernel@linuxace.com # [NETFILTER]: Improve TCP window tracking retransmission detection # # Under certain circumstances (high latency WAN links for instance), ack # packets get stacked up and arrive in bulk. The current TCP window # tracking code interprets these numerous acks as retransmits, and # if there are >= 3 retransmits sequentially, it resets the timeout on # a conntrack to 5 minutes. # # The problem lies in the fact that the code currently only examines # the seq number of the arriving packet, but does not also look at the # seq number being acked. The patch below adds this additional check. # Unfortunately, it adds another int32 to ip_ct_tcp, but I could think # of no other fool-proof way of fixing it (short of ripping out the # retransmission test altogether). # # Signed-off-by: Phil Oester # Signed-off-by: Patrick McHardy # # net/ipv4/netfilter/ip_conntrack_proto_tcp.c # 2005/02/01 14:14:08+01:00 kernel@linuxace.com +2 -0 # [NETFILTER]: Improve TCP window tracking retransmission detection # # Under certain circumstances (high latency WAN links for instance), ack # packets get stacked up and arrive in bulk. The current TCP window # tracking code interprets these numerous acks as retransmits, and # if there are >= 3 retransmits sequentially, it resets the timeout on # a conntrack to 5 minutes. # # The problem lies in the fact that the code currently only examines # the seq number of the arriving packet, but does not also look at the # seq number being acked. The patch below adds this additional check. # Unfortunately, it adds another int32 to ip_ct_tcp, but I could think # of no other fool-proof way of fixing it (short of ripping out the # retransmission test altogether). # # Signed-off-by: Phil Oester # Signed-off-by: Patrick McHardy # # include/linux/netfilter_ipv4/ip_conntrack_tcp.h # 2005/02/01 14:14:07+01:00 kernel@linuxace.com +1 -0 # [NETFILTER]: Improve TCP window tracking retransmission detection # # Under certain circumstances (high latency WAN links for instance), ack # packets get stacked up and arrive in bulk. The current TCP window # tracking code interprets these numerous acks as retransmits, and # if there are >= 3 retransmits sequentially, it resets the timeout on # a conntrack to 5 minutes. # # The problem lies in the fact that the code currently only examines # the seq number of the arriving packet, but does not also look at the # seq number being acked. The patch below adds this additional check. # Unfortunately, it adds another int32 to ip_ct_tcp, but I could think # of no other fool-proof way of fixing it (short of ripping out the # retransmission test altogether). # # Signed-off-by: Phil Oester # Signed-off-by: Patrick McHardy # diff -Nru a/include/linux/netfilter_ipv4/ip_conntrack_tcp.h b/include/linux/netfilter_ipv4/ip_conntrack_tcp.h --- a/include/linux/netfilter_ipv4/ip_conntrack_tcp.h 2005-02-04 03:35:39 +01:00 +++ b/include/linux/netfilter_ipv4/ip_conntrack_tcp.h 2005-02-04 03:35:39 +01:00 @@ -41,6 +41,7 @@ u_int8_t retrans; /* Number of retransmitted packets */ u_int8_t last_index; /* Index of the last packet */ u_int32_t last_seq; /* Last sequence number seen in dir */ + u_int32_t last_ack; /* Last sequence number seen in opposite dir */ u_int32_t last_end; /* Last seq + len */ }; diff -Nru a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c --- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2005-02-04 03:35:39 +01:00 +++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 2005-02-04 03:35:39 +01:00 @@ -665,11 +665,13 @@ if (*index == TCP_ACK_SET) { if (state->last_dir == dir && state->last_seq == seq + && state->last_ack == ack && state->last_end == end) state->retrans++; else { state->last_dir = dir; state->last_seq = seq; + state->last_ack = ack; state->last_end = end; state->retrans = 0; }