Hi,

On Wed, 30 Jul 2008, Herbert Xu wrote:

> All I'm trying to say is that the state transition as it stands is bogus.
> Here is why:
>
> If you receive a FIN in one direction but no ack in the other,
> you go from sES to sFW. If that isn't acked and a FIN retransmit
> occurs you go from sFW to sLA. Now if the other direction is still
> transmitting and you get an ACK in the direction being shut down,
> it goes from sLA to sTW. However, in reality the side that's still
> transmitting may still be in ESTABLISHED because it never received
> those FINs.

Yes, absolutely right. From the comments of the state transition table:

 *	sFW -> sLA	FIN seen in both directions, waiting for
 *			the last ACK.
 *			Migth be a retransmitted FIN as well...

As we already handle a lot of exceptions, what do you think about the next (untested) patch?

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 6f61261..a9b3b8f 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -911,6 +911,15 @@ static int tcp_packet(struct nf_conn *ct, nf_log_packet(pf, 0, skb, NULL, NULL, NULL, "nf_ct_tcp: invalid state "); return -NF_ACCEPT; + case TCP_CONNTRACK_LAST_ACK: + case TCP_CONNTRACK_CLOSE_WAIT: + /* Check and compensate retransmitted FIN or + * reordered ACK packets */ + if (old_state == TCP_CONNTRACK_FIN_WAIT + && (ct->proto.tcp.seen[dir].flags + & IP_CT_TCP_FLAG_CLOSE_INIT)) + new_state = TCP_CONNTRACK_FIN_WAIT; + break; case TCP_CONNTRACK_CLOSE: if (index == TCP_RST_SET && ((test_bit(IPS_SEEN_REPLY_BIT, &ct->status)

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
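Review bot: the guard in the two new cases only does anything if IP_CT_TCP_FLAG_CLOSE_INIT is already set on seen[dir] when the retransmitted FIN or the reordered ACK arrives, and nothing in this hunk sets it; please confirm the flag is raised for the first FIN (the sES -> sFW transition) before this path can run, otherwise the test is false and the packet still moves the entry to sLA or sCW exactly as before. Two smaller points: the state-table comment quoted above ("sFW -> sLA ... Migth be a retransmitted FIN as well...") now describes a transition that this code overrides for the closing direction, so update that comment (and fix "Migth") so the table and the exception agree; and the in-hunk comment "Check and compensate retransmitted FIN or reordered ACK packets" should say that the override applies only to packets from the side that initiated the close, since a FIN or ACK from the other side is still left to the table. One behavioural consequence also deserves a sentence in that comment: if the "reordered ACK" really was the closer acknowledging the peer's FIN, staying in sFW means the FIN, when it does arrive, moves the entry to sLA and the last ACK it then waits for has already passed, so the entry ages out on the LAST_ACK timeout instead of reaching sTW.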
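The transitions Herbert describes, and the effect of the proposed CLOSE_INIT guard on them, as an added example that is not part of the thread or of the kernel source: a constructed C model of the conntrack state machine. The transition table, the point at which the close-initiator flag is set, and the run() helper are assumptions made for the illustration; they are not the kernel's tcp_conntracks[] table or its tcp_packet() function, and the table encodes only the transitions named in the mail.

```c
#include <stdio.h>

/* Added example (not kernel code): a minimal model of the conntrack TCP
 * state machine discussed in the thread, with and without the proposed
 * CLOSE_INIT guard. The transition table below is a constructed
 * simplification that encodes only the transitions named in the mail
 * (sES->sFW on FIN, sFW->sLA on FIN, sLA->sTW on ACK, sFW->sCW on ACK)
 * and is NOT the kernel's tcp_conntracks[] table. */

enum state { sES, sFW, sCW, sLA, sTW, sIV };
enum dir   { ORIG = 0, REPLY = 1 };
enum pkt   { FIN, ACK };

#define FLAG_CLOSE_INIT 0x1   /* stands in for IP_CT_TCP_FLAG_CLOSE_INIT */

struct ct {
    enum state   state;
    unsigned int flags[2];    /* per-direction flags, like seen[dir].flags */
};

static const char *name(enum state s)
{
    static const char *n[] = { "sES", "sFW", "sCW", "sLA", "sTW", "sIV" };
    return n[s];
}

/* Constructed, direction-independent transition table (assumption). */
static enum state table(enum state old, enum pkt p)
{
    if (p == FIN) {
        switch (old) {
        case sES: return sFW;
        case sFW: case sCW: case sLA: return sLA;
        case sTW: return sTW;
        default:  return sIV;
        }
    }
    switch (old) {                           /* p == ACK */
    case sES: return sES;
    case sFW: case sCW: return sCW;
    case sLA: case sTW: return sTW;
    default:  return sIV;
    }
}

/* Track one packet. With patched != 0 the proposed guard is applied: a
 * packet from the side that initiated the close must not move a FIN_WAIT
 * entry to LAST_ACK or CLOSE_WAIT. */
static enum state track(struct ct *ct, enum dir dir, enum pkt p, int patched)
{
    enum state old  = ct->state;
    enum state next = table(old, p);

    if (patched && (next == sLA || next == sCW) && old == sFW
        && (ct->flags[dir] & FLAG_CLOSE_INIT))
        next = sFW;               /* retransmitted FIN or reordered ACK */

    /* Assumption for this model: the direction that first moves the entry
     * to FIN_WAIT is marked as the close initiator. */
    if (old != next && next == sFW)
        ct->flags[dir] |= FLAG_CLOSE_INIT;

    ct->state = next;
    return next;
}

/* Feed a packet sequence through a fresh ESTABLISHED entry; return the
 * final tracked state. */
static enum state run(const enum dir *dirs, const enum pkt *pkts, int n, int patched)
{
    struct ct ct = { sES, { 0, 0 } };
    for (int i = 0; i < n; i++)
        track(&ct, dirs[i], pkts[i], patched);
    return ct.state;
}

/* Herbert's scenario (constructed packet sequence): FIN from ORIG, no ACK
 * from REPLY, FIN retransmitted, then ORIG ACKs data that the still
 * ESTABLISHED REPLY side keeps sending. */
static const enum dir herbert_dirs[] = { ORIG, ORIG, ORIG };
static const enum pkt herbert_pkts[] = { FIN,  FIN,  ACK  };

/* The same, followed by the real close: REPLY's FIN and ORIG's last ACK. */
static const enum dir close_dirs[] = { ORIG, ORIG, ORIG, REPLY, ORIG };
static const enum pkt close_pkts[] = { FIN,  FIN,  ACK,  FIN,   ACK  };

/* Peer's FIN answering the first FIN: the guard must not interfere. */
static const enum dir peer_dirs[] = { ORIG, REPLY };
static const enum pkt peer_pkts[] = { FIN,  FIN   };

enum state herbert_unpatched(void)  { return run(herbert_dirs, herbert_pkts, 3, 0); }
enum state herbert_patched(void)    { return run(herbert_dirs, herbert_pkts, 3, 1); }
enum state full_close_patched(void) { return run(close_dirs, close_pkts, 5, 1); }
enum state peer_fin_patched(void)   { return run(peer_dirs, peer_pkts, 2, 1); }

int main(void)
{
    printf("unpatched, retransmitted FIN + ACK from closer: %s\n", name(herbert_unpatched()));
    printf("patched,   retransmitted FIN + ACK from closer: %s\n", name(herbert_patched()));
    printf("patched,   then peer FIN + last ACK:            %s\n", name(full_close_patched()));
    printf("patched,   peer FIN answering the first FIN:    %s\n", name(peer_fin_patched()));
    return 0;
}
```

Without the guard the closer's retransmitted FIN and subsequent ACK walk the entry sFW -> sLA -> sTW while the peer is still ESTABLISHED; with the guard the entry stays in sFW until the peer's own FIN arrives, and a FIN from the peer (the direction without CLOSE_INIT) still moves it to sLA as the table says.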