From: Patrick McHardy
Subject: Re: [PATCH] TCP simultaneous open support
Date: Tue, 02 Jun 2009 13:32:42 +0200
Message-ID: <4A250DDA.1010406@trash.net>
To: Jozsef Kadlecsik
Cc: netfilter-devel@vger.kernel.org, Saatvik Agarwal

Jozsef Kadlecsik wrote:
> Hi Patrick,
>
> The patch below adds support for TCP simultaneous open to conntrack. The
> unused LISTEN state is replaced by a new state (SYN_SENT2) denoting the
> second SYN sent from the reply direction in the new case. The state table
> is updated and the function tcp_in_window is modified to handle
> simultaneous open.
>
> The functionality can fairly easily be tested by socat. A sample tcpdump
> recording
>
> ...
>
> and the corresponding netlink events:
>
> [NEW] tcp 6 120 SYN_SENT src=192.168.0.254 dst=192.168.0.1 sport=2020 dport=2020 [UNREPLIED] src=192.168.0.1 dst=192.168.0.254 sport=2020 dport=2020
> [UPDATE] tcp 6 120 LISTEN src=192.168.0.254 dst=192.168.0.1 sport=2020 dport=2020 src=192.168.0.1 dst=192.168.0.254 sport=2020 dport=2020
> [UPDATE] tcp 6 60 SYN_RECV src=192.168.0.254 dst=192.168.0.1 sport=2020 dport=2020 src=192.168.0.1 dst=192.168.0.254 sport=2020 dport=2020
> [UPDATE] tcp 6 432000 ESTABLISHED src=192.168.0.254 dst=192.168.0.1 sport=2020 dport=2020 src=192.168.0.1 dst=192.168.0.254 sport=2020 dport=2020 [ASSURED]
>
> The RST packet was dropped in the raw table, thus it did not reach
> conntrack. nfnetlink_conntrack is unpatched so it shows the new SYN_SENT2
> state as the old unused LISTEN.
>
> With TCP simultaneous open support we satisfy REQ-2 in RFC 5382 ;-).
>
> An additional minor correction in this patch is that in order to catch
> uninitialized reply directions, "td_maxwin == 0" is used instead of
> "td_end == 0" because the former can't be true except in uninitialized
> state while td_end may accidentally be equal to zero in the middle of a
> connection.

Thanks Jozsef. Just one question:

> -	TCP_CONNTRACK_LISTEN,
> +	TCP_CONNTRACK_SYN_SENT2,

is this constant already used in userspace? From your conntrack output above
I'd assume the answer is yes, so we should keep it around as an alias to avoid
compilation errors.
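A small C model of the transitions discussed in the thread, added here as an illustration and not taken from the kernel's tcp_conntracks table (which covers many more states and flags): it separates the simultaneous-open path, where the reply direction answers a SYN with its own SYN and the entry passes through SYN_SENT2, from the ordinary three-way handshake, and keeps a per-direction td_maxwin that is only ever zero for a direction that has not been seen. The state names, flag bits and the sample segment sequences are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
enum ct_state { CT_NONE, CT_SYN_SENT, CT_SYN_SENT2, CT_SYN_RECV, CT_ESTABLISHED, CT_INVALID };
enum ct_dir { DIR_ORIG = 0, DIR_REPLY = 1 };
enum { F_SYN = 1, F_ACK = 2 };
struct seg { enum ct_dir dir; unsigned flags; uint16_t win; };
/* td_maxwin[dir] stays 0 until that direction is seen at all: the "uninitialized
 * direction" test the patch switches to (td_end can legitimately be 0 mid-connection). */
struct ct { enum ct_state state; uint32_t td_maxwin[2]; };
static enum ct_state next_state(enum ct_state s, enum ct_dir d, unsigned f) {
    bool syn = f & F_SYN, ack = f & F_ACK;
    switch (s) {
    case CT_NONE:      /* only an original-direction SYN creates an entry */
        return (d == DIR_ORIG && syn && !ack) ? CT_SYN_SENT : CT_INVALID;
    case CT_SYN_SENT:
        if (d == DIR_ORIG && syn && !ack)  return CT_SYN_SENT;  /* SYN retransmit */
        if (d == DIR_REPLY && syn && ack)  return CT_SYN_RECV;  /* three-way handshake */
        if (d == DIR_REPLY && syn && !ack) return CT_SYN_SENT2; /* simultaneous open */
        return CT_INVALID;
    case CT_SYN_SENT2: /* both ends sent a SYN; either may answer first with SYN/ACK */
        return syn ? (ack ? CT_SYN_RECV : CT_SYN_SENT2) : CT_INVALID;
    case CT_SYN_RECV:  /* the next ACK (bare, or the other end's SYN/ACK) completes it */
        return ack ? CT_ESTABLISHED : CT_INVALID;
    case CT_ESTABLISHED:
        return (ack && !syn) ? CT_ESTABLISHED : CT_INVALID;
    default:
        return CT_INVALID;
    }
}
/* Feed one segment; a zero advertised window is recorded as 1 so 0 means "never seen". */
enum ct_state ct_track(struct ct *ct, const struct seg *s) {
    uint32_t w = s->win ? s->win : 1;
    ct->state = next_state(ct->state, s->dir, s->flags);
    if (ct->state != CT_INVALID && w > ct->td_maxwin[s->dir])
        ct->td_maxwin[s->dir] = w;
    return ct->state;
}
/* Track a whole sequence from a fresh entry, stopping at the first invalid segment. */
struct ct ct_run(const struct seg *evs, size_t n) {
    struct ct ct = { CT_NONE, { 0, 0 } };
    for (size_t i = 0; i < n && ct.state != CT_INVALID; i++)
        ct_track(&ct, &evs[i]);
    return ct;
}
/* Constructed sample sequences (not the tcpdump recording from the mail). */
const struct seg sim_open[4] = { { DIR_ORIG, F_SYN, 5840 }, { DIR_REPLY, F_SYN, 5840 },
    { DIR_ORIG, F_SYN | F_ACK, 5840 }, { DIR_REPLY, F_SYN | F_ACK, 5840 } };
const struct seg three_way[3] = { { DIR_ORIG, F_SYN, 5840 },
    { DIR_REPLY, F_SYN | F_ACK, 5840 }, { DIR_ORIG, F_ACK, 5840 } };
```

Running `ct_run(sim_open, 4)` walks SYN_SENT, SYN_SENT2, SYN_RECV, ESTABLISHED, the same sequence the netlink events above show with SYN_SENT2 still printed as LISTEN by the unpatched userspace tool.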