Re: PATCH: "invalid SYNIN=" - a patch and a question

On Thu, 11 Oct 2007, Krzysztof Oledzki wrote:

> Something is still wrong in this area. With the recent fix there are no 
> more "invalid SYNIN=" messages, but with unsuccessful request simulated 
> with "echo|nc" next connections are not possible. 
[...]
> --- cut here ---
> sysctl net.ipv4.ip_local_port_range="50000 50003"
> sysctl net.netfilter.nf_conntrack_log_invalid=255
> 
> while true ; do echo|nc -w 1 wp.pl 80 2>/dev/null >/dev/null; echo -ne "HEAD / HTTP/1.0\r\nHost: www.wp.pl\r\n\r\n"|nc -w 2 wp.pl 80 ; sleep 1 ; done
> --- cut here ---

Odd, but I could not reproduce it using my local test webserver. However 
looking through the tcpdump and the kernel log, I think the problem is as 
follows: the aborted connection still lingers in conntrack for 10s (in 
order to catch late packets) and reopening after RST is not handled 
properly yet. You are digging into the grey areas of TCP conntrack ;-).

Could you check the patch below?

If one side aborts an established connection, the entry still lingers for 
10s in conntrack for the late packets. Allow the party which sent the RST 
packet to open up the connection again.

Signed-off-by: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>
---
 net/netfilter/nf_conntrack_proto_tcp.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 1b836d0..10a04ff 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -834,9 +834,11 @@ static int tcp_packet(struct nf_conn *conntrack,
 	case TCP_CONNTRACK_SYN_SENT:
 		if (old_state < TCP_CONNTRACK_TIME_WAIT)
 			break;
-		if (conntrack->proto.tcp.seen[!dir].flags &
-			IP_CT_TCP_FLAG_CLOSE_INIT) {
-			/* Attempt to reopen a closed connection.
+		if ((conntrack->proto.tcp.seen[!dir].flags & 
+			IP_CT_TCP_FLAG_CLOSE_INIT)
+		    || (conntrack->proto.tcp.last_dir == dir
+		        && conntrack->proto.tcp.last_index == TCP_RST_SET)) {
+			/* Attempt to reopen a closed/aborted connection.
 			* Delete this connection and look up again. */
 			write_unlock_bh(&tcp_lock);
 			if (del_timer(&conntrack->timeout))
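Review bot: the new alternative in the SYN_SENT reopen check, `conntrack->proto.tcp.last_dir == dir && conntrack->proto.tcp.last_index == TCP_RST_SET`, only matches while the RST is the very last packet this entry has seen; any later packet in either direction during the 10s linger described in the cover text (a retransmission, a late ACK from the peer) overwrites last_dir/last_index, and a fresh SYN from the RST sender is then no longer treated as a reopen. If that narrowness is intended, say so in the comment ("Attempt to reopen a closed/aborted connection, the latter only if the RST was the last packet seen"); if not, recording the abort in seen[dir].flags the way IP_CT_TCP_FLAG_CLOSE_INIT records the FIN would survive intervening packets. Style: the line `if ((conntrack->proto.tcp.seen[!dir].flags & ` now ends in trailing whitespace, and the two `||`/`&&` continuation lines are indented with spaces rather than the tabs the rest of the function uses; checkpatch will flag both.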
-- 
1.5.3.4

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
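As an added example, not part of the patch or of this message, the following hypothetical C model replays the reported sequence (abort with RST, then a new SYN on the reused port while the old entry lingers) against both the original and the patched reopen condition from the SYN_SENT case. Only the field and flag names follow the hunk; the tracker, the packet sequences, the `closed` stand-in for `old_state >= TCP_CONNTRACK_TIME_WAIT` and the numeric flag value are constructed here and are not the kernel's code. It also covers the edge case where a late packet from the peer arrives between the RST and the new SYN.

```c
#include <stdbool.h>
#include <stdio.h>

/* Direction indices as conntrack uses them. */
enum { IP_CT_DIR_ORIGINAL = 0, IP_CT_DIR_REPLY = 1 };

/* Packet classification indices; only the names used below matter here. */
enum { TCP_SYN_SET, TCP_SYNACK_SET, TCP_FIN_SET, TCP_ACK_SET, TCP_RST_SET };

/* Per-direction flag bit; the numeric value is an assumption of this model. */
#define IP_CT_TCP_FLAG_CLOSE_INIT 0x04

/* Hypothetical stand-in for the parts of the per-connection TCP state
 * that the hunk reads: seen[dir].flags, last_dir and last_index. */
struct ct_tcp {
	struct { unsigned flags; } seen[2];
	int last_dir;     /* direction of the last packet seen */
	int last_index;   /* classification of the last packet seen */
	bool closed;      /* stands in for old_state >= TCP_CONNTRACK_TIME_WAIT */
};

/* Original condition: reopen only if the peer initiated a FIN close. */
bool reopen_allowed_old(const struct ct_tcp *ct, int dir)
{
	if (!ct->closed)
		return false;
	return (ct->seen[!dir].flags & IP_CT_TCP_FLAG_CLOSE_INIT) != 0;
}

/* Patched condition: additionally allow the side whose RST was the
 * last packet seen on the entry. */
bool reopen_allowed_new(const struct ct_tcp *ct, int dir)
{
	if (!ct->closed)
		return false;
	return (ct->seen[!dir].flags & IP_CT_TCP_FLAG_CLOSE_INIT) != 0
	    || (ct->last_dir == dir && ct->last_index == TCP_RST_SET);
}

/* Minimal constructed tracker: remembers the last packet and marks the
 * close initiator.  The kernel sets CLOSE_INIT on the transition into
 * FIN_WAIT; this model sets it on the first FIN that closes the entry,
 * which is equivalent for the sequences replayed below.  An RST closes
 * the entry but sets no flag, which is why the original condition can
 * never match after an abort. */
void track(struct ct_tcp *ct, int dir, int index)
{
	ct->last_dir = dir;
	ct->last_index = index;
	if (index == TCP_FIN_SET && !ct->closed)
		ct->seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
	if (index == TCP_FIN_SET || index == TCP_RST_SET)
		ct->closed = true;
}

static bool decide(const struct ct_tcp *ct, int dir, bool patched)
{
	return patched ? reopen_allowed_new(ct, dir) : reopen_allowed_old(ct, dir);
}

/* The reported case: the original side aborts with RST ("echo|nc"), then
 * reuses the port and sends a fresh SYN while the entry still lingers. */
bool scenario_abort_then_syn(bool patched)
{
	struct ct_tcp ct = {0};
	track(&ct, IP_CT_DIR_ORIGINAL, TCP_SYN_SET);
	track(&ct, IP_CT_DIR_REPLY, TCP_SYNACK_SET);
	track(&ct, IP_CT_DIR_ORIGINAL, TCP_ACK_SET);
	track(&ct, IP_CT_DIR_ORIGINAL, TCP_RST_SET);
	return decide(&ct, IP_CT_DIR_ORIGINAL, patched);  /* new SYN arrives */
}

/* Graceful close initiated by the peer: both conditions allow the reopen. */
bool scenario_peer_fin_then_syn(bool patched)
{
	struct ct_tcp ct = {0};
	track(&ct, IP_CT_DIR_ORIGINAL, TCP_SYN_SET);
	track(&ct, IP_CT_DIR_REPLY, TCP_SYNACK_SET);
	track(&ct, IP_CT_DIR_ORIGINAL, TCP_ACK_SET);
	track(&ct, IP_CT_DIR_REPLY, TCP_FIN_SET);
	track(&ct, IP_CT_DIR_ORIGINAL, TCP_ACK_SET);
	track(&ct, IP_CT_DIR_ORIGINAL, TCP_FIN_SET);
	track(&ct, IP_CT_DIR_REPLY, TCP_ACK_SET);
	return decide(&ct, IP_CT_DIR_ORIGINAL, patched);
}

/* Edge case: a late packet from the peer lands after the RST, so last_dir
 * and last_index no longer describe the RST and neither condition matches. */
bool scenario_abort_late_ack_then_syn(bool patched)
{
	struct ct_tcp ct = {0};
	track(&ct, IP_CT_DIR_ORIGINAL, TCP_SYN_SET);
	track(&ct, IP_CT_DIR_REPLY, TCP_SYNACK_SET);
	track(&ct, IP_CT_DIR_ORIGINAL, TCP_ACK_SET);
	track(&ct, IP_CT_DIR_ORIGINAL, TCP_RST_SET);
	track(&ct, IP_CT_DIR_REPLY, TCP_ACK_SET);
	return decide(&ct, IP_CT_DIR_ORIGINAL, patched);
}

int main(void)
{
	printf("abort, then SYN:           old=%d new=%d\n",
	       scenario_abort_then_syn(false), scenario_abort_then_syn(true));
	printf("peer FIN, then SYN:        old=%d new=%d\n",
	       scenario_peer_fin_then_syn(false), scenario_peer_fin_then_syn(true));
	printf("abort, late ACK, then SYN: old=%d new=%d\n",
	       scenario_abort_late_ack_then_syn(false),
	       scenario_abort_late_ack_then_syn(true));
	return 0;
}
```

The third scenario is the one to keep in mind when reading the patch: because the new test keys on the last packet seen rather than on a sticky per-direction flag, any traffic that reaches the lingering entry between the RST and the new SYN makes the reopen fall back to the pre-patch behaviour.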