* [PATCH] ip_conntrack_proto_tcp
@ 2005-11-10 15:48 Vlad Drukker
From: Vlad Drukker @ 2005-11-10 15:48 UTC
To: coreteam; +Cc: netfilter-devel
Hi there,
Attached patch for ip_conntrack to account TCP sessions started with SYN
+PUSH flags. Looks weird, but some HW vendors do TCP their own way.
Let's earn some points from RFC 1025.
Cheers,
Vlad.
[-- Attachment #2: SYN_PUSH.patch --]
[-- Type: text/x-patch, Size: 1085 bytes --]
[NETFILTER] ip_conntrack SYN PUSH patch
Some Qlogic iSCSI HBA hardware like QLA4010 up to firmware 3.0.0.4
initiates TCP with SYN and PUSH flags set.
Linux TCP/IP stack works fine with that.
Make ip_conntrack do the same.
Signed-off-by: Vlad Drukker <vlad@storewiz.com>
---
commit c02dd55183e5f8330da96fb82291a76492b6e7c4
tree 0aca6b3836eef97bfc552ed00883ce8f73c3e5f9
parent 407cf928e19d8cd8bb91160da6fd7a900b1e4705
author <vlad@storewiz.com> Thu, 10 Nov 2005 17:07:25 +0200
committer <vlad@storewiz.com> Thu, 10 Nov 2005 17:07:25 +0200
net/ipv4/netfilter/ip_conntrack_proto_tcp.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
@@ -813,6 +813,7 @@ static u8 tcp_valid_flags[(TH_FIN|TH_SYN
{
[TH_SYN] = 1,
[TH_SYN|TH_ACK] = 1,
+ [TH_SYN|TH_PUSH] = 1,
[TH_SYN|TH_ACK|TH_PUSH] = 1,
[TH_RST] = 1,
[TH_RST|TH_ACK] = 1,
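
Review bot: the added `[TH_SYN|TH_PUSH] = 1` entry has no comment explaining why a SYN that also carries PUSH is listed in `tcp_valid_flags`, and the reason lives only in the commit message. Put a short comment on that line naming it (initiators that set PUSH on the opening SYN, which the Linux TCP stack already accepts), so the entry is not later removed as a mistake or taken as precedent for whitelisting other unusual combinations.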
* Re: [PATCH] ip_conntrack_proto_tcp
From: Pablo Neira @ 2005-11-11 13:00 UTC
To: Vlad Drukker; +Cc: coreteam, netfilter-devel

Vlad Drukker wrote:
> Attached patch for ip_conntrack to account TCP sessions started with SYN
> +PUSH flags. Looks weird, but some HW vendors do TCP their own way.
>
> Let's earn some points from RFC 1025.

I see this patch like a sort of workaround to make broken devices with
the TCP connection tracking, right? In that case, I don't think that
it's a good idea polluting our code with workarounds for every existing
broken device. The HW vendors must fix their devices.

--
Pablo
* Re: [PATCH] ip_conntrack_proto_tcp
From: Pablo Neira @ 2005-11-11 13:02 UTC
To: Pablo Neira; +Cc: coreteam, Vlad Drukker, netfilter-devel

Pablo Neira wrote:
> Vlad Drukker wrote:
>
>>Attached patch for ip_conntrack to account TCP sessions started with SYN
>>+PUSH flags. Looks weird, but some HW vendors do TCP their own way.
>>
>>Let's earn some points from RFC 1025.
>
>
> I see this patch like a sort of workaround to make broken devices with

Sorry, I meant: ... to get working broken devices with ...

--
Pablo
* Re: [netfilter-core] Re: [PATCH] ip_conntrack_proto_tcp
From: Patrick McHardy @ 2005-11-11 13:58 UTC
To: Pablo Neira; +Cc: coreteam, Vlad Drukker, netfilter-devel

Pablo Neira wrote:
> Vlad Drukker wrote:
>
>>Attached patch for ip_conntrack to account TCP sessions started with SYN
>>+PUSH flags. Looks weird, but some HW vendors do TCP their own way.
>>
>>Let's earn some points from RFC 1025.
>
> I see this patch like a sort of workaround to make broken devices with
> the TCP connection tracking, right? In that case, I don't think that
> it's a good idea polluting our code with workarounds for every existing
> broken device. The HW vendors must fix their devices.

Unfortunately this is unlikely to happen, and if Linux itself
accepts SYN|PSH, I don't see a reason why ip_conntrack shouldn't
as well.
* Re: [netfilter-core] Re: [PATCH] ip_conntrack_proto_tcp
From: David S. Miller @ 2005-11-11 19:48 UTC
To: kaber; +Cc: vlad, coreteam, pablo, netfilter-devel

From: Patrick McHardy <kaber@trash.net>
Date: Fri, 11 Nov 2005 14:58:01 +0100

> Unfortunately this is unlikely to happen, and if Linux itself
> accepts SYN|PSH, I don't see a reason why ip_conntrack shouldn't
> as well.

I totally agree.
* [PATCH] [NETFILTER]: Allow SYN+PSH as valid flag combination
From: Harald Welte @ 2005-11-12 10:39 UTC
To: David S. Miller; +Cc: Linux Netdev List, netfilter-devel, vlad, kaber

On Fri, Nov 11, 2005 at 11:48:01AM -0800, David S. Miller wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Fri, 11 Nov 2005 14:58:01 +0100
>
> > Unfortunately this is unlikely to happen, and if Linux itself
> > accepts SYN|PSH, I don't see a reason why ip_conntrack shouldn't
> > as well.
>
> I totally agree.

Me, too. However, we also need to update nf_conntrack now:

[NETFILTER] {ip,nf}_conntrack TCP: Accept SYN+PUSH like SYN

Some devices (e.g. Qlogic iSCSI HBA hardware like QLA4010 up to firmware
3.0.0.4) initiates TCP with SYN and PUSH flags set.

The Linux TCP/IP stack deals fine with that, but the connection tracking
code doesn't.

This patch alters TCP connection tracking to accept SYN+PUSH as a valid
flag combination.

Signed-off-by: Vlad Drukker <vlad@storewiz.com>
Signed-off-by: Harald Welte <laforge@netfilter.org>
---
commit 933c4adfa34fbc151dd9908b2ce59335b22e6fe4
tree 041e7fc4116cd3b2774429cf8da9caee6e77a74b
parent 106c77b9b51b61bcd926ab5100761b2832791b74
author Harald Welte <laforge@netfilter.org> Sat, 12 Nov 2005 11:36:56 +0100
committer Harald Welte <laforge@netfilter.org> Sat, 12 Nov 2005 11:36:56 +0100
net/ipv4/netfilter/ip_conntrack_proto_tcp.c | 1 +
net/netfilter/nf_conntrack_proto_tcp.c | 1 +
2 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c --- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c +++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 
@@ -814,6 +814,7 @@ static u8 tcp_valid_flags[(TH_FIN|TH_SYN { [TH_SYN] = 1, [TH_SYN|TH_ACK] = 1, + [TH_SYN|TH_PUSH] = 1, [TH_SYN|TH_ACK|TH_PUSH] = 1, [TH_RST] = 1, [TH_RST|TH_ACK] = 1, diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -779,6 +779,7 @@ static u8 tcp_valid_flags[(TH_FIN|TH_SYN { [TH_SYN] = 1, [TH_SYN|TH_ACK] = 1, + [TH_SYN|TH_PUSH] = 1, [TH_SYN|TH_ACK|TH_PUSH] = 1, [TH_RST] = 1, [TH_RST|TH_ACK] = 1, -- - Harald Welte <laforge@netfilter.org> http://netfilter.org/ ============================================================================ "Fragmentation is like classful addressing -- an interesting early architectural error that shows how much experimentation was going on while IP was being designed." -- Paul Vixie [-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
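
Review bot: the same `[TH_SYN|TH_PUSH] = 1` line is added to two separate copies of `tcp_valid_flags`, one in ip_conntrack_proto_tcp.c and one in nf_conntrack_proto_tcp.c, and nothing in either hunk ties the copies together. Until the tables share one definition, add a comment in each pointing at the other so that a later change to the accepted flag combinations lands in both; otherwise the two trackers can end up classifying the same packet differently.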
* Re: [PATCH] [NETFILTER]: Allow SYN+PSH as valid flag combination
From: David S. Miller @ 2005-11-12 20:14 UTC
To: laforge; +Cc: netdev, netfilter-devel, vlad, kaber

From: Harald Welte <laforge@netfilter.org>
Date: Sat, 12 Nov 2005 11:39:18 +0100

> [NETFILTER] {ip,nf}_conntrack TCP: Accept SYN+PUSH like SYN
>
> Some devices (e.g. Qlogic iSCSI HBA hardware like QLA4010 up to firmware
> 3.0.0.4) initiates TCP with SYN and PUSH flags set.
>
> The Linux TCP/IP stack deals fine with that, but the connection tracking
> code doesn't.
>
> This patch alters TCP connection tracking to accept SYN+PUSH as a valid
> flag combination.
>
> Signed-off-by: Vlad Drukker <vlad@storewiz.com>
> Signed-off-by: Harald Welte <laforge@netfilter.org>

Applied.

I think this one is a -stable candidate (sans the nf_conntrack
bits of course :-). But that's up to you.