On Mon, May 11, 2015 at 12:02:17PM +0200, Jozsef Kadlecsik wrote:
> Hi,
>
> On Thu, 7 May 2015, Jesper Dangaard Brouer wrote:
>
> > In compliance with RFC5961, the network stack sends a challenge ACK in
> > response to spurious SYN packets, since commit 0c228e833c88 ("tcp:
> > Restore RFC5961-compliant behavior for SYN packets").
> >
> > This poses a problem for netfilter conntrack in state LAST_ACK, because
> > this challenge ACK is (falsely) seen as ACKing the last FIN, causing a
> > false state transition (into TIME_WAIT).
> >
> > The challenge ACK is hard to distinguish from a real last ACK. Thus, the
> > solution introduces a flag that tracks the potential for seeing a
> > challenge ACK, in case a SYN packet is let through and the current state
> > is LAST_ACK.
> >
> > When the conntrack transition LAST_ACK to TIME_WAIT happens, this flag is
> > used for determining if we are expecting a challenge ACK.
> >
> > Scapy based reproducer script available here:
> > https://github.com/netoptimizer/network-testing/blob/master/scapy/tcp_hacks_3WHS_LAST_ACK.py
> >
> > Fixes: 0c228e833c88 ("tcp: Restore RFC5961-compliant behavior for SYN packets")
> > Signed-off-by: Jesper Dangaard Brouer <brouer@xxxxxxxxxx>
>
> The patch looks OK to me, thanks Jesper.
>
> Acked-by: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>

Applied, thanks.
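The LAST_ACK problem from the commit message above, as a small Python model added here (it is not the netfilter code and uses its own names): one state per connection, with a flag set when a SYN is seen in LAST_ACK so that the following challenge ACK is not mistaken for the final ACK. The assumption that one SYN yields exactly one challenge ACK is the model's, not the page's.

```python
"""Toy model of the conntrack LAST_ACK problem described in the thread.

Added illustration, not netfilter code. It keeps one state per connection
(as conntrack does), so an ACK from either side while in LAST_ACK counts as
the "last ACK"; that is why an RFC 5961 challenge ACK is indistinguishable.
"""


class ConntrackModel:
    def __init__(self):
        self.state = "LAST_ACK"            # both FINs seen, final ACK pending
        self.expect_challenge_ack = False  # a SYN slipped through, so a
        #                                   challenge ACK is now expected

    def track(self, flags, with_fix):
        """Feed one packet's TCP flag string ("S", "A", ...) to the tracker.

        with_fix=False reproduces the false LAST_ACK -> TIME_WAIT move;
        with_fix=True models the flag described in the commit message.
        Direction is ignored on purpose: the state is per connection.
        """
        if self.state != "LAST_ACK":
            return self.state
        if with_fix and "S" in flags:
            # A spurious SYN was let through; the receiving stack will
            # answer with a challenge ACK instead of tearing down.
            self.expect_challenge_ack = True
        elif flags == "A":
            if with_fix and self.expect_challenge_ack:
                # Treat this single ACK as the challenge ACK (assumption:
                # one SYN yields one challenge ACK) and stay in LAST_ACK.
                self.expect_challenge_ack = False
            else:
                self.state = "TIME_WAIT"
        return self.state


# Constructed packet trace: spurious SYN while in LAST_ACK, the stack's
# challenge ACK, then the genuine final ACK of the FIN.
TRACE = ["S", "A", "A"]


def run(with_fix):
    """Return the state after each packet of TRACE."""
    ct = ConntrackModel()
    return [ct.track(f, with_fix) for f in TRACE]


if __name__ == "__main__":
    print("without fix:", run(False))  # TIME_WAIT reached on the challenge ACK
    print("with fix:   ", run(True))   # TIME_WAIT only on the real last ACK
```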