[PATCH 1/1] netfilter: Ignore bogus SACK option values in TCP conntrack

The netfilter TCP conntrack used to mark packets with bogus SACK option
values as INVALID. However, it seems broken SEQ anonymizers, which are
responsible for such traffic, are not going to die out soon and conntrack
effectively blocks traffic coming through such devices.

Better be liberal at conntrack level: when SACK is bogus, ignore it.

Signed-off-by: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>
Reported-by: Corey Hickey <bugfood-ml@xxxxxxxxxx>
Tested-by: Corey Hickey <bugfood-ml@xxxxxxxxxx>
---
 net/netfilter/nf_conntrack_proto_tcp.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 44d1ea3..cd67de8 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -640,6 +640,11 @@ static bool tcp_in_window(const struct nf_conn *ct,
 	in_recv_win = !receiver->td_maxwin ||
 		      after(end, sender->td_end - receiver->td_maxwin - 1);
 
+	/* Fall back to ACK when SACK is bogus */
+	if (!(before(sack, receiver->td_end + 1) &&
+	      after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)))
+		sack = ack;
+
 	pr_debug("tcp_in_window: I=%i II=%i III=%i IV=%i\n",
 		 before(seq, sender->td_maxend + 1),
 		 (in_recv_win ? 1 : 0),
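Review bot: the fallback in `if (!(before(sack, receiver->td_end + 1) && after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1))) sack = ack;` rewrites the value silently, so packets that used to surface as INVALID now pass with nothing in the debug output; since the function already emits `pr_debug("tcp_in_window: I=%i II=%i III=%i IV=%i\n", ...)` right below, consider a `pr_debug()` in the fallback branch (something like `pr_debug("tcp_in_window: bogus SACK, falling back to ACK\n")` before the assignment) so a misbehaving SEQ anonymizer can still be spotted when debugging. The comment `/* Fall back to ACK when SACK is bogus */` would also read better if it said what happens to the substituted value afterwards (whether it still has to satisfy the window test), because "ignore it" on its own suggests unconditional acceptance.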
-- 
1.7.0.4

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
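The SACK window test and the fallback the patch adds, as an added example in C that is not part of the patch or of the netfilter tree: it reimplements before()/after() as seq_before()/seq_after(), models MAXACKWINDOW() as max(td_maxwin, 66000) (an assumption about the kernel macro, not something the hunk shows), walks the TCP options for the largest SACK right edge, and then runs three constructed packets against a receiver whose sequence space straddles the 32-bit wraparound, comparing the pre-patch verdict (bogus SACK means INVALID) with the patched one (bogus SACK is replaced by the ACK and judged by the same window test). The peer_state struct, the EX_* constants and the option bytes are constructed for this example.

```c
/*
 * Added example; not code from the patch or the netfilter tree.  Models the
 * SACK clause of tcp_in_window() and the "fall back to ACK when SACK is bogus"
 * behaviour the hunk introduces.  seq_before()/seq_after(), max_ack_window() and
 * sack_from_options() are stand-ins written here; their match with the kernel
 * helpers they are named after is an assumption.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wraparound-safe sequence comparison: a is before b when the signed 32-bit
 * distance a - b is negative (the idea behind the kernel's before()/after()). */
static inline bool seq_before(uint32_t a, uint32_t b) { return (int32_t)(a - b) < 0; }
static inline bool seq_after(uint32_t a, uint32_t b)  { return seq_before(b, a); }

/* Per-direction state: highest seq the peer sent (td_end), largest window it
 * advertised (td_maxwin). */
struct peer_state { uint32_t td_end, td_maxwin; };

/* Assumption: MAXACKWINDOW(sender) modelled as max(td_maxwin, 66000). */
#define MAXACKWINCONST 66000u
static uint32_t max_ack_window(const struct peer_state *sender)
{
    return sender->td_maxwin > MAXACKWINCONST ? sender->td_maxwin : MAXACKWINCONST;
}

/* The window the hunk tests sack against, all arithmetic mod 2^32:
 *   receiver->td_end - MAXACKWINDOW(sender) <= x <= receiver->td_end */
static bool in_ack_window(uint32_t x, const struct peer_state *sender,
                          const struct peer_state *receiver)
{
    return seq_before(x, receiver->td_end + 1) &&
           seq_after(x, receiver->td_end - max_ack_window(sender) - 1);
}

/* Walk the TCP options and return the SACK value to test: start at ack and raise
 * it to the largest right edge of any SACK block (kind 5).  Stop at EOL or at a
 * malformed option and return what was collected so far. */
static uint32_t sack_from_options(uint32_t ack, const uint8_t *opt, size_t len)
{
    uint32_t sack = ack;
    size_t i = 0;

    while (i < len) {
        uint8_t kind = opt[i];
        if (kind == 0) break;                    /* EOL */
        if (kind == 1) { i++; continue; }        /* NOP */
        if (i + 1 >= len) break;                 /* no length byte */
        uint8_t olen = opt[i + 1];
        if (olen < 2 || i + olen > len) break;   /* truncated or bad length */
        if (kind == 5 && (olen - 2) % 8 == 0) {
            /* each block is left(4) right(4) big-endian; right edge sits at +4 */
            for (size_t off = i + 6; off + 4 <= i + olen; off += 8) {
                uint32_t right = ((uint32_t)opt[off] << 24) | ((uint32_t)opt[off + 1] << 16) |
                                 ((uint32_t)opt[off + 2] << 8) | (uint32_t)opt[off + 3];
                if (seq_after(right, sack))
                    sack = right;
            }
        }
        i += olen;
    }
    return sack;
}

/* SACK clause of the window check.  fallback == false: pre-patch behaviour, a
 * bogus SACK makes the packet INVALID.  fallback == true: the hunk's behaviour,
 * ack replaces a bogus sack and faces the same window test, so a bogus ACK is
 * still rejected. */
static bool sack_clause_ok(uint32_t ack, const uint8_t *opt, size_t len, bool fallback,
                           const struct peer_state *sender, const struct peer_state *receiver)
{
    uint32_t sack = sack_from_options(ack, opt, len);

    if (fallback && !in_ack_window(sack, sender, receiver))
        sack = ack;                              /* "Fall back to ACK when SACK is bogus" */
    return in_ack_window(sack, sender, receiver);
}

/* Constructed state: the receiver's td_end sits just past a 32-bit wraparound,
 * so the ack window straddles 0xFFFFFFFF/0 and a plain "<=" would get it wrong. */
static const struct peer_state EX_SENDER   = { .td_end = 5000,  .td_maxwin = 32768 };
static const struct peer_state EX_RECEIVER = { .td_end = 0x100, .td_maxwin = 65535 };
#define EX_ACK_OK    0xFFFFFE00u                 /* 768 behind td_end: in window */
#define EX_ACK_BOGUS 0x20000u                    /* past td_end: out of window */
/* Constructed options: NOP NOP SACK(len 10) left(4) right(4). */
static const uint8_t EX_GOOD_OPTS[]  = { 1, 1, 5, 10, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x80 }; /* right 0x80: 128 behind td_end */
static const uint8_t EX_BOGUS_OPTS[] = { 1, 1, 5, 10, 0x00, 0x00, 0xF0, 0x00, 0x00, 0x01, 0x00, 0x00 }; /* right 0x10000: past td_end */
static const uint8_t EX_TRUNC_OPTS[] = { 1, 5, 10, 0xFF };                                           /* SACK claims 10 bytes, 3 present */

int main(void)
{
    const struct { const char *name; uint32_t ack; const uint8_t *opt; size_t len; } cases[] = {
        { "valid SACK, valid ACK", EX_ACK_OK,    EX_GOOD_OPTS,  sizeof EX_GOOD_OPTS },
        { "bogus SACK, valid ACK", EX_ACK_OK,    EX_BOGUS_OPTS, sizeof EX_BOGUS_OPTS },
        { "bogus SACK, bogus ACK", EX_ACK_BOGUS, EX_BOGUS_OPTS, sizeof EX_BOGUS_OPTS },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-22s pre-patch: %-8s patched: %s\n", cases[i].name,
               sack_clause_ok(cases[i].ack, cases[i].opt, cases[i].len, false, &EX_SENDER, &EX_RECEIVER) ? "ok" : "INVALID",
               sack_clause_ok(cases[i].ack, cases[i].opt, cases[i].len, true,  &EX_SENDER, &EX_RECEIVER) ? "ok" : "INVALID");
    return 0;
}
```

The middle case, a well-formed ACK carrying a SACK right edge that a rewriting middlebox left pointing past the receiver's td_end, is the traffic the commit message describes: before the patch the clause fails and the packet is INVALID, with the fallback it passes on the strength of the ACK alone. The third case shows the limit of the liberalism: when the ACK itself is outside the window, substituting it for the SACK changes nothing and the packet is still rejected. The wraparound state is chosen so that a signed-distance comparison is visibly required; the good SACK edge 0x80 counts as "after" the ack 0xFFFFFE00 only under that comparison.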