[PATCH 0/2] netfilter updates for nf_ct_tcp

[PATCH 0/2] netfilter updates for nf_ct_tcp

[Pablo Neira Ayuso]

Hi Patrick,

This patchset contain a couple of updates for the TCP tracking
and the TCP flow pickup facility.

The first patch changes the current behaviour that allows to
pickup a flow from the middle if we see an ACK packet by default.
The second patch adds the TCP protocol information in events for
flows that have been picked up from the middle.

I think that these can also be qualified as bugfix, please apply
them to nf-2.6 (2.6.38-rc).

CC'ing Jozsef to ask for his ACK.

Thanks!

---

Pablo Neira Ayuso (2):
      netfilter: nf_ct_tcp: disable pick by default for first ACK packet seen
      netfilter: nf_ct_tcp: fix missing TCP protocol information during pickup


 net/netfilter/nf_conntrack_proto_tcp.c |   20 +++++++++++++++-----
 1 files changed, 15 insertions(+), 5 deletions(-)

-- 
1+1=2

[PATCH 1/2] netfilter: nf_ct_tcp: disable pick by default for first ACK packet seen

[Pablo Neira Ayuso]

This patch disables a by-default TCP connection pickup facility that
allows entering TCP Established if a TCP ACK packet is seen as first
packet in the original direction. With this patch, this state pickup
facility is only enabled if nf_ct_tcp_loose > 0.

If pickup is disabled, it means that the user wants strict TCP
tracking. The current behaviour assumes the opposite.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_proto_tcp.c |   17 ++++++++++++-----
 1 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 3fb2b73..407b87c 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -193,9 +193,9 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
  *	sCL -> sCL
  */
 /* 	     sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2	*/
-/*ack*/	   { sES, sIV, sES, sES, sCW, sCW, sTW, sTW, sCL, sIV },
+/*ack*/	   { sIV, sIV, sES, sES, sCW, sCW, sTW, sTW, sCL, sIV },
 /*
- *	sNO -> sES	Assumed.
+ *	sNO -> sIV	if pickup is enabled, enter sES. See tcp_new()
  *	sSS -> sIV	ACK is invalid: we haven't seen a SYN/ACK yet.
  *	sS2 -> sIV
  *	sSR -> sES	Established state is reached.
@@ -1061,14 +1061,21 @@ static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
 	struct tcphdr _tcph;
 	const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[0];
 	const struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[1];
+	unsigned int index;
 
 	th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
 	BUG_ON(th == NULL);
 
+	index = get_conntrack_index(th);
 	/* Don't need lock here: this conntrack not in circulation yet */
-	new_state
-		= tcp_conntracks[0][get_conntrack_index(th)]
-		[TCP_CONNTRACK_NONE];
+	new_state = tcp_conntracks[0][index][TCP_CONNTRACK_NONE];
+
+	/* We assume TCP established if the first packet that we see is
+	 * an ACK, the picking up facility has to be enabled, of course. */
+	if (nf_ct_tcp_loose > 0 && index == TCP_ACK_SET &&
+	    new_state == TCP_CONNTRACK_MAX) {
+		new_state = TCP_CONNTRACK_ESTABLISHED;
+	}
 
 	/* Invalid: delete conntrack */
 	if (new_state >= TCP_CONNTRACK_MAX) {

Re: [PATCH 0/2] netfilter updates for nf_ct_tcp

[Pablo Neira Ayuso]

On 02/02/11 15:03, Pablo Neira Ayuso wrote:
[...]
>       netfilter: nf_ct_tcp: disable pick by default for first ACK packet seen
>       netfilter: nf_ct_tcp: fix missing TCP protocol information during pickup

Please, drop these patches.

I found them in a pile of old patches but it seems that the latter is
not finished. The former was actually fixed in 2.6.30.

Sorry.