On Wed, Jul 30, 2008 at 11:18:42PM +0200, Jozsef Kadlecsik wrote:
> > diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c > index 6f61261..a9b3b8f 100644 > --- a/net/netfilter/nf_conntrack_proto_tcp.c > +++ b/net/netfilter/nf_conntrack_proto_tcp.c > @@ -911,6 +911,15 @@ static int tcp_packet(struct nf_conn *ct, > nf_log_packet(pf, 0, skb, NULL, NULL, NULL, > "nf_ct_tcp: invalid state "); > return -NF_ACCEPT; > + case TCP_CONNTRACK_LAST_ACK: > + case TCP_CONNTRACK_CLOSE_WAIT: > + /* Check and compensate retransmitted FIN or > + * reordered ACK packets */ > + if (old_state == TCP_CONNTRACK_FIN_WAIT > + && (ct->proto.tcp.seen[dir].flags > + & IP_CT_TCP_FLAG_CLOSE_INIT)) > + new_state = TCP_CONNTRACK_FIN_WAIT;

This is slightly better but it is still fundamentally broken.

Do we really need to establish a committee just to add a new state? :)
We can squeeze out the requisite number of bits (4) from the existing
state variable.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
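
Review bot: in the quoted hunk for tcp_packet(), the new `TCP_CONNTRACK_LAST_ACK` / `TCP_CONNTRACK_CLOSE_WAIT` cases roll `new_state` back to `TCP_CONNTRACK_FIN_WAIT` on the strength of `ct->proto.tcp.seen[dir].flags & IP_CT_TCP_FLAG_CLOSE_INIT`, but nothing in the hunk shows where that flag is set, and the comment does not say which of the two cases is the retransmitted FIN and which is the reordered ACK. Please extend the comment to state which direction sets the flag and why its presence in `seen[dir]` together with `old_state == TCP_CONNTRACK_FIN_WAIT` identifies a packet that must not advance the state. The quoted lines also stop at the `new_state = TCP_CONNTRACK_FIN_WAIT;` assignment, so confirm that the case is terminated with a `break;` before the next label rather than falling through.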