This is a note to let you know that we have just queued up the patch titled Subject: NETFILTER: nf_conntrack_tcp: fix connection reopening to the 2.6.23-stable tree. Its filename is netfilter-nf_conntrack_tcp-fix-connection-reopening.patch A git repo of this tree can be found at http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary >From stable-bounces@xxxxxxxxxxxxxxxx Mon Nov 5 03:38:25 2007 From: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> Date: Mon, 05 Nov 2007 12:37:55 +0100 Subject: NETFILTER: nf_conntrack_tcp: fix connection reopening To: stable@xxxxxxxxxx Cc: Netfilter Development Mailinglist <netfilter-devel@xxxxxxxxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, Krzysztof Piotr Oledzki <ole@xxxxxx>, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> Message-ID: <472F0093.6040508@xxxxxxxxx> From: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> Upstream commits: 17311393 + bc34b841 merged together. Merge done by Patrick McHardy <kaber@xxxxxxxxx> [NETFILTER]: nf_conntrack_tcp: fix connection reopening With your description I could reproduce the bug and actually you were completely right: the code above is incorrect. Somehow I was able to misread RFC1122 and mixed the roles :-(: When a connection is >>closed actively<<, it MUST linger in TIME-WAIT state for a time 2xMSL (Maximum Segment Lifetime). However, it MAY >>accept<< a new SYN from the remote TCP to reopen the connection directly from TIME-WAIT state, if it: [...] The fix is as follows: if the receiver initiated an active close, then the sender may reopen the connection - otherwise try to figure out if we hold a dead connection. Signed-off-by: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> Tested-by: Krzysztof Piotr Oledzki <ole@xxxxxx> Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx> --- net/netfilter/nf_conntrack_proto_tcp.c | 38 ++++++++++++++------------------- 1 file changed, 17 insertions(+), 21 deletions(-) --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -831,6 +831,22 @@ static int tcp_packet(struct nf_conn *co tuple = &conntrack->tuplehash[dir].tuple; switch (new_state) { + case TCP_CONNTRACK_SYN_SENT: + if (old_state < TCP_CONNTRACK_TIME_WAIT) + break; + if ((conntrack->proto.tcp.seen[!dir].flags & + IP_CT_TCP_FLAG_CLOSE_INIT) + || (conntrack->proto.tcp.last_dir == dir + && conntrack->proto.tcp.last_index == TCP_RST_SET)) { + /* Attempt to reopen a closed/aborted connection. + * Delete this connection and look up again. */ + write_unlock_bh(&tcp_lock); + if (del_timer(&conntrack->timeout)) + conntrack->timeout.function((unsigned long) + conntrack); + return -NF_REPEAT; + } + /* Fall through */ case TCP_CONNTRACK_IGNORE: /* Ignored packets: * @@ -879,27 +895,6 @@ static int tcp_packet(struct nf_conn *co nf_log_packet(pf, 0, skb, NULL, NULL, NULL, "nf_ct_tcp: invalid state "); return -NF_ACCEPT; - case TCP_CONNTRACK_SYN_SENT: - if (old_state < TCP_CONNTRACK_TIME_WAIT) - break; - if ((conntrack->proto.tcp.seen[dir].flags & - IP_CT_TCP_FLAG_CLOSE_INIT) - || after(ntohl(th->seq), - conntrack->proto.tcp.seen[dir].td_end)) { - /* Attempt to reopen a closed connection. - * Delete this connection and look up again. */ - write_unlock_bh(&tcp_lock); - if (del_timer(&conntrack->timeout)) - conntrack->timeout.function((unsigned long) - conntrack); - return -NF_REPEAT; - } else { - write_unlock_bh(&tcp_lock); - if (LOG_INVALID(IPPROTO_TCP)) - nf_log_packet(pf, 0, skb, NULL, NULL, - NULL, "nf_ct_tcp: invalid SYN"); - return -NF_ACCEPT; - } case TCP_CONNTRACK_CLOSE: if (index == TCP_RST_SET && ((test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status) @@ -932,6 +927,7 @@ static int tcp_packet(struct nf_conn *co in_window: /* From now on we have got in-window packets */ conntrack->proto.tcp.last_index = index; + conntrack->proto.tcp.last_dir = dir; pr_debug("tcp_conntracks: "); NF_CT_DUMP_TUPLE(tuple); Patches currently in stable-queue which might be from kadlec@xxxxxxxxxxxxxxxxx are queue-2.6.23/netfilter-nf_conntrack_tcp-fix-connection-reopening.patch - To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html