On Sat, Feb 26, 2011 at 11:33 AM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> net/netfilter/nf_conntrack_proto_tcp.c | 4 ++--
> 1 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
> index 3fb2b73..be0b84d 100644
> --- a/net/netfilter/nf_conntrack_proto_tcp.c
> +++ b/net/netfilter/nf_conntrack_proto_tcp.c
> @@ -142,12 +142,12 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
> {
> /* ORIGINAL */
> /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
> -/*syn*/ { sSS, sSS, sIG, sIG, sIG, sIG, sIG, sSS, sSS, sS2 },
> +/*syn*/ { sSS, sSS, sSR, sIG, sIG, sIG, sIG, sSS, sSS, sS2 },
> /*
> * sNO -> sSS Initialize a new connection
> * sSS -> sSS Retransmitted SYN
> * sS2 -> sS2 Late retransmitted SYN
> - * sSR -> sIG
> + * sSR -> sSR Retransmitted SYN, SYN/ACK got lost?
> * sES -> sIG Error: SYNs in window outside the SYN_SENT state
> * are errors. Receiver will reply with RST
> * and close the connection.
>
I think you should change [reply][eSR][syn_ack] to ignore. Then the following code will be executed, and in fact, the following code is for you scenario according to the comments. 878 case TCP_CONNTRACK_IGNORE: 879 /* Ignored packets: 880 * 881 * Our connection entry may be out of sync, so ignore 882 * packets which may signal the real connection between 883 * the client and the server. 884 * 885 * a) SYN in ORIGINAL 886 * b) SYN/ACK in REPLY 887 * c) ACK in reply direction after initial SYN in original. 888 * 889 * If the ignored packet is invalid, the receiver will send 890 * a RST we'll catch below. 891 */ 892 if (index == TCP_SYNACK_SET 893 && ct->proto.tcp.last_index == TCP_SYN_SET 894 && ct->proto.tcp.last_dir != dir 895 && ntohl(th->ack_seq) == ct->proto.tcp.last_end) { 896 /* b) This SYN/ACK acknowledges a SYN that we earlier 897 * ignored as invalid. This means that the client and 898 * the server are both in sync, while the firewall is 899 * not. We get in sync from the previously annotated 900 * values.
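Review bot: The new `+ * sSR -> sSR Retransmitted SYN, SYN/ACK got lost?` comment explains the newly accepted transition with a question mark, which tells the next reader the case is tolerated rather than understood; state the rationale as a fact, e.g. `* sSR -> sSR Retransmitted SYN: our SYN/ACK was lost, stay in SYN_RECV`. As far as this hunk shows, the table change alone makes every SYN that arrives in SYN_RECV from the original direction take the ordinary accepted-packet path instead of the TCP_CONNTRACK_IGNORE branch, with nothing that checks its sequence number against the SYN already recorded for the entry; if only genuine retransmissions are meant, a seq comparison analogous to the `ntohl(th->ack_seq) == ct->proto.tcp.last_end` test in the quoted IGNORE branch would be needed, and that lives outside this hunk. Whether an unrelated SYN on the same 4-tuple can thereby refresh a half-open entry's timeout should be confirmed against the timeout handling, which is not visible here. The `tcp_conntracks` initializer begins before and ends after the hunk.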
901 */ 902 old_state = TCP_CONNTRACK_SYN_SENT; 903 new_state = TCP_CONNTRACK_SYN_RECV; 904 ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_end = 905 ct->proto.tcp.last_end; 906 ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxend = 907 ct->proto.tcp.last_end; 908 ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxwin = 909 ct->proto.tcp.last_win == 0 ? 910 1 : ct->proto.tcp.last_win; 911 ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_scale = 912 ct->proto.tcp.last_wscale; 913 ct->proto.tcp.seen[ct->proto.tcp.last_dir].flags = 914 ct->proto.tcp.last_flags; 915 memset(&ct->proto.tcp.seen[dir], 0, 916 sizeof(struct ip_ct_tcp_state)); 917 break; 918 } -- Regards, Changli Gao(xiaosuo@xxxxxxxxx) -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html