This patch disables a by-default TCP connection pickup facility that allows entering TCP Established if a TCP ACK packet is seen as first packet in the original direction. With this patch, this state pickup facility is only enabled if nf_ct_tcp_loose > 0. If pickup is disabled, it means that the user wants strict TCP tracking. The current behaviour assumes the opposite.
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 net/netfilter/nf_conntrack_proto_tcp.c | 17 ++++++++++++-----
 1 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 3fb2b73..407b87c 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -193,9 +193,9 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
  * sCL -> sCL
  */
 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
-/*ack*/ { sES, sIV, sES, sES, sCW, sCW, sTW, sTW, sCL, sIV },
+/*ack*/ { sIV, sIV, sES, sES, sCW, sCW, sTW, sTW, sCL, sIV },
 /*
- * sNO -> sES Assumed.
+ * sNO -> sIV if pickup is enabled, enter sES. See tcp_new()
  * sSS -> sIV ACK is invalid: we haven't seen a SYN/ACK yet.
  * sS2 -> sIV
  * sSR -> sES Established state is reached.
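Review bot: The rewritten table comment `sNO -> sIV if pickup is enabled, enter sES. See tcp_new()` reads as if the table entry itself depended on the sysctl, while the entry is now unconditionally sIV and only tcp_new() overrides it. Suggest ` * sNO -> sIV ACK with no SYN seen is invalid here; tcp_new() turns it into sES only when nf_ct_tcp_loose > 0 (connection pickup).` so a reader of the table alone knows the strict default and where the exception lives. The comment block and the state table continue outside the hunk.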
@@ -1061,14 +1061,21 @@ static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
 	struct tcphdr _tcph;
 	const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[0];
 	const struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[1];
+	unsigned int index;
 
 	th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
 	BUG_ON(th == NULL);
+	index = get_conntrack_index(th);
 
 	/* Don't need lock here: this conntrack not in circulation yet */
-	new_state
-		= tcp_conntracks[0][get_conntrack_index(th)]
-		    [TCP_CONNTRACK_NONE];
+	new_state = tcp_conntracks[0][index][TCP_CONNTRACK_NONE];
+
+	/* We assume TCP established if the first packet that we see is
+	 * an ACK, the picking up facility has to be enabled, of course. */
+	if (nf_ct_tcp_loose > 0 && index == TCP_ACK_SET &&
+	    new_state == TCP_CONNTRACK_MAX) {
+		new_state = TCP_CONNTRACK_ESTABLISHED;
+	}
 
 	/* Invalid: delete conntrack */
 	if (new_state >= TCP_CONNTRACK_MAX) {
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
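Review bot: The pickup condition compares the table result against `TCP_CONNTRACK_MAX`, a raw enum bound, where the table itself spells that value `sIV`; writing `new_state == sIV` makes the intent (the first hunk's sNO/ACK entry is now invalid and is being overridden) visible at the call site. The new `if` also carries braces around a single statement, which kernel style omits, and the comment's "the picking up facility has to be enabled, of course" would read better as `/* An ACK as first packet is only accepted as an established connection when loose pickup (nf_ct_tcp_loose > 0) is enabled. */`. tcp_new() continues past the hunk; if it still contains the existing `else if (nf_ct_tcp_loose == 0) return false;` branch for non-SYN first packets, that branch appears to become unreachable for ACK-first packets now that they are already rejected as invalid above it, so it is worth re-checking whether it is still needed.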