From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: kaber@trash.net, kadlec@blackhole.kfki.hu
Subject: [PATCH 1/2] netfilter: nf_ct_tcp: disable pick by default for first ACK packet seen
Date: Wed, 02 Feb 2011 15:03:28 +0100
Message-ID: <20110202140328.12173.27571.stgit@decadence>
In-Reply-To: <20110202140007.12173.41157.stgit@decadence>
This patch disables a by-default TCP connection pickup facility that
allows entering TCP Established if a TCP ACK packet is seen as the first
packet in the original direction. With this patch, this state pickup
facility is only enabled if nf_ct_tcp_loose > 0.
If pickup is disabled, it means that the user wants strict TCP
tracking. The current behaviour assumes the opposite.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_conntrack_proto_tcp.c | 17 ++++++++++++-----
1 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 3fb2b73..407b87c 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -193,9 +193,9 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
* sCL -> sCL
*/
/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
-/*ack*/ { sES, sIV, sES, sES, sCW, sCW, sTW, sTW, sCL, sIV },
+/*ack*/ { sIV, sIV, sES, sES, sCW, sCW, sTW, sTW, sCL, sIV },
/*
- * sNO -> sES Assumed.
+ * sNO -> sIV if pickup is enabled, enter sES. See tcp_new()
* sSS -> sIV ACK is invalid: we haven't seen a SYN/ACK yet.
* sS2 -> sIV
* sSR -> sES Established state is reached.
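Review bot: the new sNO comment reads as two unconnected fragments ("sIV if pickup is enabled, enter sES"), while the table entry is sIV unconditionally and the sES substitution happens elsewhere; say that in one sentence, e.g. `* sNO -> sIV Invalid unless pickup is enabled (nf_ct_tcp_loose > 0), in which case tcp_new() enters sES.` Only the original-direction table tcp_conntracks[0] changes here, which is consistent with tcp_new() indexing [0] alone, but the sNO row's meaning is now split between this comment and the override in tcp_new(), so both need updating together if the sysctl semantics ever change.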
@@ -1061,14 +1061,21 @@ static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
struct tcphdr _tcph;
const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[0];
const struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[1];
+ unsigned int index;
th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
BUG_ON(th == NULL);
+ index = get_conntrack_index(th);
/* Don't need lock here: this conntrack not in circulation yet */
- new_state
- = tcp_conntracks[0][get_conntrack_index(th)]
- [TCP_CONNTRACK_NONE];
+ new_state = tcp_conntracks[0][index][TCP_CONNTRACK_NONE];
+
+ /* We assume TCP established if the first packet that we see is
+ * an ACK, the picking up facility has to be enabled, of course. */
+ if (nf_ct_tcp_loose > 0 && index == TCP_ACK_SET &&
+ new_state == TCP_CONNTRACK_MAX) {
+ new_state = TCP_CONNTRACK_ESTABLISHED;
+ }
/* Invalid: delete conntrack */
if (new_state >= TCP_CONNTRACK_MAX) {
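Review bot: the subject says pickup is disabled "by default", but this hunk only gates the override on `nf_ct_tcp_loose > 0` and does not touch the initial value of nf_ct_tcp_loose; either the default is already 0 (then the commit message should say so) or the default behaviour is unchanged and the subject overstates the change. Two smaller points in the override: `new_state == TCP_CONNTRACK_MAX` tests for the sIV entry introduced in the table above by its numeric alias, so `new_state == sIV` (the name the table uses) would make the coupling visible, and the comment's "of course" could be replaced by the actual condition ("only when nf_ct_tcp_loose > 0"). Note that TCP_ACK_SET covers any first packet with ACK set and no SYN, FIN or RST, so the pickup still admits bare ACK, PSH/ACK and so on; with pickup off, the `Invalid: delete conntrack` check right below is what now rejects them.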
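The first-packet decision the commit message describes, as an added C model that is not part of the patch or the kernel. It assumes the state enum, the flag-set enum and the sNO column of the original-direction table reproduced here from nf_conntrack_proto_tcp.c as the patch leaves it, and it leaves out the sequence/window bookkeeping that follows in the real tcp_new(). The point for a firewall ruleset is what an unsolicited ACK turns into: with nf_ct_tcp_loose > 0 an entry is created and the packet is ctstate NEW, with it at 0 the packet is INVALID and no entry exists.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the patched tcp_new() state selection; enum values and table
 * contents are taken from nf_conntrack_proto_tcp.c as I read it, not
 * included from the kernel. TCP_CONNTRACK_MAX is what the table calls sIV. */
enum tcp_conntrack {
	TCP_CONNTRACK_NONE, TCP_CONNTRACK_SYN_SENT, TCP_CONNTRACK_SYN_RECV,
	TCP_CONNTRACK_ESTABLISHED, TCP_CONNTRACK_FIN_WAIT, TCP_CONNTRACK_CLOSE_WAIT,
	TCP_CONNTRACK_LAST_ACK, TCP_CONNTRACK_TIME_WAIT, TCP_CONNTRACK_CLOSE,
	TCP_CONNTRACK_SYN_SENT2, TCP_CONNTRACK_MAX, TCP_CONNTRACK_IGNORE
};
#define sIV TCP_CONNTRACK_MAX

/* Row index of the state table, as returned by get_conntrack_index(). */
enum tcp_bit_set { TCP_SYN_SET, TCP_SYNACK_SET, TCP_FIN_SET, TCP_ACK_SET,
		   TCP_RST_SET, TCP_NONE_SET };

/* TCP header flag bits, as found in the 13th byte of the header. */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_PSH 0x08
#define TH_ACK 0x10

/* Same classification the kernel applies to th->rst/syn/ack/fin. */
static unsigned int get_conntrack_index(uint8_t flags)
{
	if (flags & TH_RST)
		return TCP_RST_SET;
	if (flags & TH_SYN)
		return (flags & TH_ACK) ? TCP_SYNACK_SET : TCP_SYN_SET;
	if (flags & TH_FIN)
		return TCP_FIN_SET;
	if (flags & TH_ACK)
		return TCP_ACK_SET;
	return TCP_NONE_SET;
}

/* tcp_conntracks[0][index][TCP_CONNTRACK_NONE] after the patch: from the
 * table alone only a SYN starts a tracked connection. */
static const enum tcp_conntrack orig_from_none[TCP_NONE_SET + 1] = {
	[TCP_SYN_SET]    = TCP_CONNTRACK_SYN_SENT,
	[TCP_SYNACK_SET] = sIV,
	[TCP_FIN_SET]    = sIV,
	[TCP_ACK_SET]    = sIV,	/* was sES before the patch */
	[TCP_RST_SET]    = sIV,
	[TCP_NONE_SET]   = sIV,
};

/* Decision part of the patched tcp_new(): the TCP state the new entry starts
 * in, or -1 when tcp_new() returns false, i.e. the packet is INVALID and no
 * conntrack entry is created. */
static int first_packet_state(uint8_t flags, int nf_ct_tcp_loose)
{
	unsigned int index = get_conntrack_index(flags);
	enum tcp_conntrack new_state = orig_from_none[index];

	/* Pickup: treat an ACK-first packet as mid-stream only when enabled. */
	if (nf_ct_tcp_loose > 0 && index == TCP_ACK_SET && new_state == sIV)
		new_state = TCP_CONNTRACK_ESTABLISHED;

	/* "Invalid: delete conntrack" */
	if (new_state >= TCP_CONNTRACK_MAX)
		return -1;
	return (int)new_state;
}

/* ctstate a ruleset sees for the packet that tries to create the entry. */
static const char *first_packet_ctstate(uint8_t flags, int nf_ct_tcp_loose)
{
	return first_packet_state(flags, nf_ct_tcp_loose) < 0 ? "INVALID" : "NEW";
}

int main(void)
{
	/* Constructed first packets in the original direction. */
	static const struct { const char *name; uint8_t flags; } pkts[] = {
		{ "SYN", TH_SYN },
		{ "ACK", TH_ACK },
		{ "PSH/ACK", TH_PSH | TH_ACK },
		{ "SYN/ACK", TH_SYN | TH_ACK },
		{ "FIN/ACK", TH_FIN | TH_ACK },
		{ "RST", TH_RST },
	};
	size_t i;

	for (i = 0; i < sizeof(pkts) / sizeof(pkts[0]); i++)
		printf("%-8s loose=0: %-8s loose=1: %s\n", pkts[i].name,
		       first_packet_ctstate(pkts[i].flags, 0),
		       first_packet_ctstate(pkts[i].flags, 1));
	return 0;
}
```

The module variable nf_ct_tcp_loose is the one exposed as the sysctl net.netfilter.nf_conntrack_tcp_loose. Rulesets that keep pickup on usually add a guard such as `-p tcp ! --syn -m conntrack --ctstate NEW -j DROP`, since with pickup a bare ACK creates an entry and passes as NEW; with pickup off, the model shows that packet never reaches the ruleset as anything but INVALID.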
Thread overview: 3+ messages
2011-02-02 14:03 [PATCH 0/2] netfilter updates for nf_ct_tcp Pablo Neira Ayuso
2011-02-02 14:03 ` Pablo Neira Ayuso [this message]
2011-02-02 15:42 ` Pablo Neira Ayuso