From: Patrick McHardy <kaber@xxxxxxxxx>
Date: Mon, 30 Jun 2008 17:56:10 +0200 (MEST)

> netfilter: nf_conntrack_tcp: fixing to check the lower bound of valid ACK
>
> Lost connections were reported by Thomas Bätzler (running 2.6.25 kernel) on
> the netfilter mailing list (see the thread "Weird nat/conntrack Problem
> with PASV FTP upload"). He provided tcpdump recordings which helped to
> find a long lingering bug in conntrack.
>
> In TCP connection tracking, checking the lower bound of valid ACK could
> lead to mark valid packets as INVALID because:
>
> - We have got a "higher or equal" inequality, but the test checked
>   the "higher" condition only; fixed.
> - If the packet contains a SACK option, it could occur that the ACK
>   value was before the left edge of our (S)ACK "window": if a previous
>   packet from the other party intersected the right edge of the window
>   of the receiver, we could move forward the window parameters beyond
>   accepting a valid ack. Therefore in this patch we check the rightmost
>   SACK edge instead of the ACK value in the lower bound of valid (S)ACK
>   test.
>
> Signed-off-by: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>
> Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>

Applied.
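The two conditions named in the commit message, shown as an added example that is not the kernel patch itself: a simplified model that compares a strict "higher" test on the ACK with a "higher or equal" test on the rightmost SACK edge. The function names, the `lower` parameter and all sequence numbers are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Wraparound-safe 32-bit sequence comparisons (signed-difference idiom). */
static int seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }
static int seq_after(uint32_t a, uint32_t b)  { return seq_before(b, a); }

/* Model of the old behaviour: strict "higher" test on the plain ACK value. */
static int ack_ok_strict(uint32_t ack, uint32_t lower)
{
    return seq_after(ack, lower);
}

/* Rightmost edge acknowledged by the segment: the ACK itself, or the
 * largest right edge among its SACK blocks if one lies further right. */
static uint32_t rightmost_edge(uint32_t ack, const uint32_t *sack_right, int n)
{
    uint32_t edge = ack;
    for (int i = 0; i < n; i++)
        if (seq_after(sack_right[i], edge))
            edge = sack_right[i];
    return edge;
}

/* Model of the fixed behaviour: "higher or equal" test on the rightmost
 * SACK edge instead of the ACK value. */
static int ack_ok_fixed(uint32_t ack, const uint32_t *sack_right, int n,
                        uint32_t lower)
{
    return !seq_before(rightmost_edge(ack, sack_right, n), lower);
}

int main(void)
{
    const uint32_t lower = 1000;          /* constructed lower bound */
    const uint32_t sack[] = { 1500 };     /* constructed SACK right edge */

    /* Case 1: ACK exactly on the bound. */
    printf("ack==lower   strict=%d fixed=%d\n",
           ack_ok_strict(1000, lower), ack_ok_fixed(1000, NULL, 0, lower));
    /* Case 2: ACK left of the bound, SACK block right of it. */
    printf("ack<lower+SACK strict=%d fixed=%d\n",
           ack_ok_strict(900, lower), ack_ok_fixed(900, sack, 1, lower));
    /* Case 3: nothing in the segment reaches the bound; still rejected. */
    printf("all below    strict=%d fixed=%d\n",
           ack_ok_strict(900, lower), ack_ok_fixed(900, NULL, 0, lower));
    return 0;
}
```

For a firewall operator, the first two cases are the ones that matter: a rule dropping INVALID-state packets would discard these valid segments under the strict test.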