From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Roman Fiedler <roman.fiedler@ait.ac.at>
Cc: netfilter@vger.kernel.org
Subject: Re: Understanding conntrack: Delete and manual readd of same entry possible?
Date: Thu, 24 Dec 2009 00:05:44 +0100
Message-ID: <4B32A248.9070403@netfilter.org>
In-Reply-To: <4AC9A668.3050009@ait.ac.at>
Roman Fiedler wrote:
> Hi list,
>
> The failure to conduct a simple test with conntrack makes me believe
> that I misunderstood some part of the concept.
>
> The testcase:
>
> * Create one forwarded tcp connection via iptables-firewall and leave it
> open
> * Delete the conntrack entry of this connection
> * Re-add the same conntrack entry with conntrack -I
> * Verify that the old and new entries look the same (conntrack -L)
> * Send one more byte over the still open tcp connection
>
> The expected result:
> * TCP flow continues without creating a new conntrack entry, using the
> one added manually
> * ACCEPT via ESTABLISHED rule because of valid conntrack entry
>
> The actual result:
> * Conntrack code seems to believe that packets do not belong to the
> conntrack entry
> * Conntrack code does not create a new conntrack entry
> * Conntrack code cannot update the conntrack entry even when the packet is
> accepted.
>
> Can someone enlighten me as to whether manual entry creation is possible?
I seem to have overlooked this email, sorry. You need this patch in
order to make it work, I'm going to apply it to git.netfilter.org now so
it will be available in the next release.
[-- Attachment #2: fix-tcp-manually.patch --]
[-- Type: text/x-patch, Size: 1464 bytes --]
conntrack: fix manually created TCP entries with window tracking enabled
From: Pablo Neira Ayuso <pablo@netfilter.org>
With this patch, we allow TCP entries to be created manually in the table.
Basically, we disable TCP window tracking for this entry to avoid
problems.
Reported-by: Roman Fiedler <roman.fiedler@ait.ac.at>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
extensions/libct_proto_tcp.c | 16 ++++++++++++++++
1 files changed, 16 insertions(+), 0 deletions(-)
diff --git a/extensions/libct_proto_tcp.c b/extensions/libct_proto_tcp.c
index ac54ac7..f229aea 100644
--- a/extensions/libct_proto_tcp.c
+++ b/extensions/libct_proto_tcp.c
@@ -202,6 +202,22 @@ static void final_check(unsigned int flags,
break;
}
}
+ /* Disable TCP window tracking for manually created TCP entries,
+ * otherwise this will not work.
+ */
+ uint8_t tcp_flags = IP_CT_TCP_FLAG_BE_LIBERAL |
+ IP_CT_TCP_FLAG_SACK_PERM;
+
+ /* This allows to reopen a new connection directly from TIME-WAIT
+ * as RFC 1122 states. See nf_conntrack_proto_tcp.c for more info.
+ */
+ if (nfct_get_attr_u8(ct, ATTR_TCP_STATE) >= TCP_CONNTRACK_TIME_WAIT)
+ tcp_flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
+
+ nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_ORIG, tcp_flags);
+ nfct_set_attr_u8(ct, ATTR_TCP_MASK_ORIG, tcp_flags);
+ nfct_set_attr_u8(ct, ATTR_TCP_FLAGS_REPL, tcp_flags);
+ nfct_set_attr_u8(ct, ATTR_TCP_MASK_REPL, tcp_flags);
}
static struct ctproto_handler tcp = {
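Review bot: the comment at the top of the hunk ("otherwise this will not work") does not state the trade-off: setting IP_CT_TCP_FLAG_BE_LIBERAL in both ATTR_TCP_FLAGS_ORIG and ATTR_TCP_FLAGS_REPL, with identical masks, disables window tracking in both directions for every entry that passes through final_check(), so segments with out-of-window sequence numbers are no longer rejected for that flow. Spell that out in the commit message and in the comment, and consider applying the flags only when the user has not set TCP flags explicitly rather than unconditionally overwriting them. Separately, nfct_get_attr_u8(ct, ATTR_TCP_STATE) is read without a nfct_attr_is_set(ct, ATTR_TCP_STATE) guard; when the user gave no --state the comparison against TCP_CONNTRACK_TIME_WAIT runs on an unset attribute, so either guard the read or add a comment saying that the unset value can never reach TIME_WAIT and the CLOSE_INIT branch is intentionally skipped.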
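The reporter's test case (list the entry, delete it, re-add it with conntrack -I, list again and compare) as an added shell example; this is not code from the thread or from conntrack-tools. It assumes conntrack-tools is installed, that the live part runs as root, and that `conntrack -L` prints one entry per line as `tcp 6 <timeout> <STATE> src= dst= sport= dport= src= dst= sport= dport= [ASSURED] ...`; the 120 s timeout and the sample line are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from conntrack-tools: drives the
# reporter's delete / re-add test case and checks that the re-added entry has
# the same tuple and TCP state as the one that was deleted.
# Assumptions: conntrack-tools is installed, the live part runs as root, and
# "conntrack -L" prints one entry per line in the layout
#   tcp 6 <timeout> <STATE> src= dst= sport= dport= src= dst= sport= dport= [ASSURED] ...

# Reduce one "conntrack -L" line to protocol, TCP state and the original-
# direction tuple, dropping fields that legitimately differ between the old
# and the manually re-added entry (timeout, [ASSURED], mark, use count).
ct_key() {
    printf '%s\n' "$1" | awk '{
        n = 0
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^(src|dst|sport|dport)=/) { n++; kv[n] = $i }
            if (n == 4) break          # stop before the reply-direction tuple
        }
        printf "%s %s %s %s %s %s\n", $1, $4, kv[1], kv[2], kv[3], kv[4]
    }'
}

# Build the "conntrack -I" command that recreates an entry from a ct_key line.
# The reply tuple is left for conntrack to mirror (no NAT in the reporter's
# setup); the 120 s timeout is an arbitrary value chosen for this example.
ct_insert_cmd() {
    set -- $1
    printf 'conntrack -I -p %s --state %s -s %s -d %s --sport %s --dport %s -t 120\n' \
        "$1" "$2" "${3#src=}" "${4#dst=}" "${5#sport=}" "${6#dport=}"
}

# Live procedure (root): list, delete, re-add, list again, compare keys.
# Arguments: src dst sport dport of an open forwarded TCP connection.
run_readd_test() {
    before=$(conntrack -L -p tcp -s "$1" -d "$2" --sport "$3" --dport "$4" 2>/dev/null)
    [ -n "$before" ] || { echo "no conntrack entry for $1:$3 -> $2:$4" >&2; return 1; }
    key=$(ct_key "$before")
    conntrack -D -p tcp -s "$1" -d "$2" --sport "$3" --dport "$4" >/dev/null 2>&1
    eval "$(ct_insert_cmd "$key")" || return 1
    after=$(conntrack -L -p tcp -s "$1" -d "$2" --sport "$3" --dport "$4" 2>/dev/null)
    [ "$(ct_key "$after")" = "$key" ] && echo "re-added entry matches: $key"
}

# Constructed sample line (not captured from a real system) for an offline run.
SAMPLE='tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=192.0.2.10 sport=40000 dport=22 src=192.0.2.10 dst=10.0.0.2 sport=22 dport=40000 [ASSURED] mark=0 use=1'

if [ "${1:-}" = "--live" ]; then
    run_readd_test "$2" "$3" "$4" "$5"
else
    echo "key:    $(ct_key "$SAMPLE")"
    echo "re-add: $(ct_insert_cmd "$(ct_key "$SAMPLE")")"
fi
```

Run without arguments to see the key and the generated `conntrack -I` line for the sample; run as root with `--live SRC DST SPORT DPORT` against an open forwarded connection to perform the actual delete and re-add. After the patch above, the re-added entry carries the BE_LIBERAL flag, so the final comparison checks only tuple and state, which is what the reporter's `conntrack -L` comparison was looking at.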
Thread overview (5+ messages):
2009-10-05 7:55 Understanding conntrack: Delete and manual readd of same entry possible? Roman Fiedler
2009-12-23 23:05 ` Pablo Neira Ayuso [this message]
2009-12-29 10:42 ` Roman Fiedler
2009-12-29 17:40 ` Pablo Neira Ayuso
2009-12-29 20:06 ` Pablo Neira Ayuso