Re: PATCH: "invalid SYNIN=" - a patch and a question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On Wed, 10 Oct 2007, Jozsef Kadlecsik wrote:

Hi,

On Wed, 3 Oct 2007, Krzysztof Oledzki wrote:

I also wondering if the code from nf_conntrack_proto_tcp.c is correct:

--- cut here ---
new_state = tcp_conntracks[dir][index][old_state];

switch (new_state)
(...)
case TCP_CONNTRACK_SYN_SENT:
if (old_state < TCP_CONNTRACK_TIME_WAIT)
        break;
if ((conntrack->proto.tcp.seen[dir].flags &
        IP_CT_TCP_FLAG_CLOSE_INIT)
    || after(ntohl(th->seq),
             conntrack->proto.tcp.seen[dir].td_end)) {
        /* Attempt to reopen a closed connection.
        * Delete this connection and look up again. */
        write_unlock_bh(&tcp_lock);
        if (del_timer(&conntrack->timeout))
                conntrack->timeout.function((unsigned long)
                                            conntrack);
        return -NF_REPEAT;

With your description I could reproduce the bug and actually you were
completely right: the code above is incorrect. Somehow I was able to
misread RFC1122 and mixed the roles :-(:

  When a connection is >>closed actively<<, it MUST linger in
  TIME-WAIT state for a time 2xMSL (Maximum Segment Lifetime).
  However, it MAY >>accept<< a new SYN from the remote TCP to
  reopen the connection directly from TIME-WAIT state, if it:
  [...]

The fix is as follows: if the receiver initiated an active close, then the
sender may reopen the connection - otherwise try to figure out if we hold
a dead connection.

Signed-off-by: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>

Thank you, it seems that this patch solved my problem.

Tested-by: Krzysztof Piotr Oledzki <ole@xxxxxx>

Best regards,

					Krzysztof Olędzki

[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux