From: Changli Gao <xiaosuo@gmail.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org, kaber@trash.net,
kadlec@blackhole.kfki.hu
Subject: Re: [PATCH] netfilter: nf_ct_tcp: better handling for SYN retransmissions after SYN+ACK
Date: Sat, 26 Feb 2011 14:15:52 +0800
Message-ID: <AANLkTiminy835GRXXsJov38TYT6feEqMcbWd3c3tz45c@mail.gmail.com>
In-Reply-To: <20110226033324.4335.53000.stgit@decadence>
On Sat, Feb 26, 2011 at 11:33 AM, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> net/netfilter/nf_conntrack_proto_tcp.c | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
> index 3fb2b73..be0b84d 100644
> --- a/net/netfilter/nf_conntrack_proto_tcp.c
> +++ b/net/netfilter/nf_conntrack_proto_tcp.c
> @@ -142,12 +142,12 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
> {
> /* ORIGINAL */
> /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
> -/*syn*/ { sSS, sSS, sIG, sIG, sIG, sIG, sIG, sSS, sSS, sS2 },
> +/*syn*/ { sSS, sSS, sSR, sIG, sIG, sIG, sIG, sSS, sSS, sS2 },
> /*
> * sNO -> sSS Initialize a new connection
> * sSS -> sSS Retransmitted SYN
> * sS2 -> sS2 Late retransmitted SYN
> - * sSR -> sIG
> + * sSR -> sSR Retransmitted SYN, SYN/ACK got lost?
> * sES -> sIG Error: SYNs in window outside the SYN_SENT state
> * are errors. Receiver will reply with RST
> * and close the connection.
>
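Review bot: the new annotation on the sSR row, "Retransmitted SYN, SYN/ACK got lost?", leaves the rationale as a question; state the scenario plainly (the client retransmits its SYN because the server's SYN/ACK did not reach it) and explain in the commit message why keeping the entry in sSR is preferable to the previous sIG transition, given that the TCP_CONNTRACK_IGNORE path is the code already intended to resynchronise the tracker when a SYN/ACK later acknowledges an ignored SYN. It would also help to say whether the sequence and window bookkeeping for the ORIGINAL direction needs refreshing on the retransmitted SYN, since this hunk changes only the table cell and its comment and touches no tracking fields.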
I think you should change [reply][eSR][syn_ack] to ignore. Then the
following code will be executed, and in fact, the following code is
for your scenario according to the comments.
        /* net/netfilter/nf_conntrack_proto_tcp.c, tcp_packet() */
        case TCP_CONNTRACK_IGNORE:
                /* Ignored packets:
                 *
                 * Our connection entry may be out of sync, so ignore
                 * packets which may signal the real connection between
                 * the client and the server.
                 *
                 * a) SYN in ORIGINAL
                 * b) SYN/ACK in REPLY
                 * c) ACK in reply direction after initial SYN in original.
                 *
                 * If the ignored packet is invalid, the receiver will send
                 * a RST we'll catch below.
                 */
                if (index == TCP_SYNACK_SET
                    && ct->proto.tcp.last_index == TCP_SYN_SET
                    && ct->proto.tcp.last_dir != dir
                    && ntohl(th->ack_seq) == ct->proto.tcp.last_end) {
                        /* b) This SYN/ACK acknowledges a SYN that we earlier
                         * ignored as invalid. This means that the client and
                         * the server are both in sync, while the firewall is
                         * not. We get in sync from the previously annotated
                         * values.
                         */
                        old_state = TCP_CONNTRACK_SYN_SENT;
                        new_state = TCP_CONNTRACK_SYN_RECV;
                        ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_end =
                                ct->proto.tcp.last_end;
                        ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxend =
                                ct->proto.tcp.last_end;
                        ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxwin =
                                ct->proto.tcp.last_win == 0 ?
                                        1 : ct->proto.tcp.last_win;
                        ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_scale =
                                ct->proto.tcp.last_wscale;
                        ct->proto.tcp.seen[ct->proto.tcp.last_dir].flags =
                                ct->proto.tcp.last_flags;
                        memset(&ct->proto.tcp.seen[dir], 0,
                               sizeof(struct ip_ct_tcp_state));
                        break;
                }
--
Regards,
Changli Gao(xiaosuo@gmail.com)
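To make the disagreement above concrete, here is an added toy model of the nf_ct_tcp transitions under discussion. It is written for this page and is neither kernel code nor code from Pablo or Changli: the reduced state set, the three packet classes, the transition table cells, the ct_tcp field subset and the packet sequence are all constructed assumptions. It replays a handshake whose SYN/ACK is lost after the firewall has seen it, once with the pre-patch sIG cell for a SYN in sSR and once with the patched sSR cell, and reports which packet lands in the ignore path and whether the resynchronisation branch Changli quotes fires.

```c
/* Toy model of the nf_ct_tcp transitions discussed in the thread.
 * Constructed for illustration: NOT the kernel's tcp_conntracks[] table,
 * only the states and packet classes a handshake needs (assumed subset). */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

enum { sIV, sNO, sSS, sSR, sES, sIG, S_MAX };   /* sIV first so memset() = invalid */
enum { DIR_ORIG, DIR_REPLY };
enum { IDX_SYN, IDX_SYNACK, IDX_ACK, IDX_MAX }; /* packet classes, like TCP_*_SET */

struct ct_tcp {                 /* reduced stand-in for ct->proto.tcp (assumed) */
    int state;
    int last_index, last_dir;   /* class and direction of the last ignored packet */
    uint32_t last_end;          /* its end sequence number */
    uint32_t td_end[2];         /* per-direction tracked end */
    int ignored, resynced, invalid;
};
struct pkt { int dir, index; uint32_t seq, ack; };
struct result { int final_state, ignored, resynced, invalid, ignored_index; };

static int tbl[2][IDX_MAX][S_MAX]; /* [dir][index][state] -> next state */

static void build_table(int syn_in_sr_cell)
{
    memset(tbl, 0, sizeof tbl);                 /* anything unlisted is sIV */
    /* ORIGINAL */
    tbl[DIR_ORIG][IDX_SYN][sNO] = sSS;          /* new connection */
    tbl[DIR_ORIG][IDX_SYN][sSS] = sSS;          /* retransmitted SYN */
    tbl[DIR_ORIG][IDX_SYN][sSR] = syn_in_sr_cell; /* the cell the patch changes */
    tbl[DIR_ORIG][IDX_SYN][sES] = sIG;
    tbl[DIR_ORIG][IDX_ACK][sSR] = sES;          /* third handshake packet */
    tbl[DIR_ORIG][IDX_ACK][sES] = sES;
    /* REPLY */
    tbl[DIR_REPLY][IDX_SYNACK][sSS] = sSR;
    tbl[DIR_REPLY][IDX_SYNACK][sSR] = sIG;      /* repeated SYN/ACK */
    tbl[DIR_REPLY][IDX_ACK][sES] = sES;
}

/* Apply one packet, mirroring the TCP_CONNTRACK_IGNORE branch quoted in the
 * reply: a SYN/ACK whose ack matches an ignored SYN resynchronises the tracker. */
static int track(struct ct_tcp *ct, const struct pkt *p)
{
    int next = tbl[p->dir][p->index][ct->state];
    if (next == sIG) {
        if (p->index == IDX_SYNACK && ct->last_index == IDX_SYN
            && ct->last_dir != p->dir && p->ack == ct->last_end) {
            /* case b): client and server are in sync, the tracker was not */
            ct->state = sSR;
            ct->td_end[ct->last_dir] = ct->last_end;
            ct->resynced++;
            return ct->state;
        }
        /* remember the ignored packet so a later SYN/ACK can match it */
        ct->last_index = p->index;
        ct->last_dir = p->dir;
        ct->last_end = p->seq + 1;              /* SYN and SYN/ACK occupy one seq */
        ct->ignored++;
        return ct->state;                       /* state left as it was */
    }
    if (next == sIV) { ct->invalid++; return ct->state; }
    ct->state = next;
    if (p->index != IDX_ACK)
        ct->td_end[p->dir] = p->seq + 1;
    return ct->state;
}

/* Handshake whose SYN/ACK is lost after the firewall has seen it, so the
 * client retransmits its SYN and the server repeats its SYN/ACK. */
struct result run_handshake(int syn_in_sr_cell)
{
    static const struct pkt flow[] = {          /* constructed sample flow */
        { DIR_ORIG,  IDX_SYN,    1000, 0    },
        { DIR_REPLY, IDX_SYNACK, 5000, 1001 },  /* seen here, lost downstream */
        { DIR_ORIG,  IDX_SYN,    1000, 0    },  /* client retransmits its SYN */
        { DIR_REPLY, IDX_SYNACK, 5000, 1001 },  /* server repeats its SYN/ACK */
        { DIR_ORIG,  IDX_ACK,    1001, 5001 },
    };
    struct ct_tcp ct;
    memset(&ct, 0, sizeof ct);
    ct.state = sNO;
    ct.last_index = -1;                         /* nothing ignored yet */
    build_table(syn_in_sr_cell);
    for (size_t i = 0; i < sizeof flow / sizeof flow[0]; i++)
        track(&ct, &flow[i]);
    struct result r = { ct.state, ct.ignored, ct.resynced, ct.invalid, ct.last_index };
    return r;
}

int main(void)
{
    struct result before = run_handshake(sIG);  /* table before the patch */
    struct result after  = run_handshake(sSR);  /* table after the patch */
    printf("before: final=%d resynced=%d last_ignored=%d\n",
           before.final_state, before.resynced, before.ignored_index);
    printf("after:  final=%d resynced=%d last_ignored=%d\n",
           after.final_state, after.resynced, after.ignored_index);
    return 0;
}
```

In this model both variants end in sES. With the old sIG cell the retransmitted SYN is the packet that gets ignored and the repeated SYN/ACK then matches it and takes the resynchronisation branch; with the patched sSR cell the SYN is tracked as an ordinary transition and the repeated SYN/ACK is what falls into the ignore path, with nothing recorded for it to match. Whether the kernel's real window and sequence checks accept the retransmitted SYN in sSR is exactly the point the review raises and is not modelled here.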
Thread overview: 12+ messages
2011-02-26 3:32 [PATCH] improvement for TCP connection tracking Pablo Neira Ayuso
2011-02-26 3:33 ` [PATCH] netfilter: nf_ct_tcp: better handling for SYN retransmissions after SYN+ACK Pablo Neira Ayuso
2011-02-26 6:15 ` Changli Gao [this message]
2011-02-26 18:30 ` Jozsef Kadlecsik
2011-02-26 20:11 ` Pablo Neira Ayuso
2011-02-26 21:45 ` Jozsef Kadlecsik
2011-02-26 23:42 ` Pablo Neira Ayuso
2011-02-27 0:00 ` Pablo Neira Ayuso
2011-02-27 2:08 ` Igor 'Lo' (И.L.)
2011-02-27 15:22 ` Patrick McHardy
2011-02-27 17:28 ` Jozsef Kadlecsik
2011-02-28 17:04 ` Patrick McHardy