On Thu, 2008-05-22 at 10:13 +0100, Fabian Hugelshofer wrote: > If a connection fails with a TCP reset, the conntrack is destroyed > immediately. This patch sets the SEEN_REPLY bit before destroying the > conntrack. This updated version also increments the accounting counters. Do I see this right, that the commits should be observable in the patch-o-matic git, if they are done? --- linux-2.6.25.4.orig/net/netfilter/nf_conntrack_proto_tcp.c 2008-05-26 17:43:01.000000000 +0100 +++ linux-2.6.25.4/net/netfilter/nf_conntrack_proto_tcp.c 2008-05-26 17:32:17.000000000 +0100 @@ -22,6 +22,7 @@ #include <linux/netfilter_ipv4.h> #include <linux/netfilter_ipv6.h> #include <net/netfilter/nf_conntrack.h> +#include <net/netfilter/nf_conntrack_core.h> #include <net/netfilter/nf_conntrack_l4proto.h> #include <net/netfilter/nf_conntrack_ecache.h> #include <net/netfilter/nf_log.h> @@ -960,8 +961,19 @@ /* If only reply is a RST, we can consider ourselves not to have an established connection: this is a fairly common problem case, so we can delete the conntrack - immediately. --RR */ + immediately. --RR + The SEEN_REPLY bit and the accounting counters are updated + here to have the correct information in the ct event. */ if (th->rst) { + if (ctinfo >= IP_CT_IS_REPLY) + set_bit(IPS_SEEN_REPLY_BIT, &ct->status); +#ifdef CONFIG_NF_CT_ACCT + spin_lock_bh(&nf_conntrack_lock); + ct->counters[CTINFO2DIR(ctinfo)].packets++; + ct->counters[CTINFO2DIR(ctinfo)].bytes += + skb->len - skb_network_offset(skb); + spin_unlock_bh(&nf_conntrack_lock); +#endif if (del_timer(&ct->timeout)) ct->timeout.function((unsigned long)ct); return NF_ACCEPT; -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
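Review bot: the new `#include <net/netfilter/nf_conntrack_core.h>` in the first hunk exists only to get the declaration of `nf_conntrack_lock`, which the `th->rst` hunk takes inside `#ifdef CONFIG_NF_CT_ACCT`; nothing else in nf_conntrack_proto_tcp.c uses that header, so say so in the changelog, otherwise a later cleanup pass will see an include with no visible user and drop it, and the accounting build will break.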
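Review bot: in the `th->rst` hunk, the `CONFIG_NF_CT_ACCT` block duplicates the per-direction counter update (`packets++`, `bytes += skb->len - skb_network_offset(skb)`) that the normal refresh/accounting path performs, and it is only correct because the branch does `return NF_ACCEPT` before that path is reached; the in-code comment and the changelog should state that the early return is what bypasses the usual accounting, so a reader does not have to convince themselves that the RST is not counted twice. Two style points: the explanatory sentence is appended after the `--RR` signature of the existing comment, so it reads as part of Rusty's text; make it a separate comment above `if (th->rst)`. And the `ctinfo >= IP_CT_IS_REPLY` guard around `set_bit(IPS_SEEN_REPLY_BIT, &ct->status)` mirrors the reply-direction test used elsewhere in conntrack; a one-line comment saying it intentionally matches that test would make the intent obvious.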