[RFC nf-next PATCH] netfilter: nf_conntrack_proto_tcp: propagate IP_CT_TCP_FLAG_BE_LIBERAL

According to Mathew Heard, the IP_CT_TCP_FLAG_BE_LIBERAL
is not being propagated properly while using userspace conntrackd to
replicate connection states in a firewall cluster.

This change modifies the behaviour of the engine to always be liberal in
the reply direction if we were liberal in the original direction as well.

More info in the Netfilter bugzilla:
 https://bugzilla.netfilter.org/show_bug.cgi?id=1087

Suggested-by: Mathew Heard <mat999@xxxxxxxxx>
Signed-off-by: Arturo Borrero Gonzalez <arturo@xxxxxxxxxx>
---
RFC: I don't fully understand this patch. Specifically, I don't understand
why this can't be done from userspace, in conntrackd, when creating/updating
synced conntracks. We could just set the new/updated conntrack with the flags
we want, couldn't we?

Also, I don't fully understand the consequences of doing this flags change
in the middle of tcp_packet().

So, please, review the patch and give us comments.

 net/netfilter/nf_conntrack_proto_tcp.c |    7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 69f6877..ed16acf 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -835,6 +835,13 @@ static int tcp_packet(struct nf_conn *ct,
 	new_state = tcp_conntracks[dir][index][old_state];
 	tuple = &ct->tuplehash[dir].tuple;
 
+	/* if we are liberal in one direction, so be it in the other */
+	if (ct->proto.tcp.seen[IP_CT_DIR_ORIGINAL].flags &
+	    IP_CT_TCP_FLAG_BE_LIBERAL) {
+		ct->proto.tcp.seen[IP_CT_DIR_REPLY].flags |=
+			IP_CT_TCP_FLAG_BE_LIBERAL;
+	}
+
 	switch (new_state) {
 	case TCP_CONNTRACK_SYN_SENT:
 		if (old_state < TCP_CONNTRACK_TIME_WAIT)
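Review bot: the comment on the added block ("if we are liberal in one direction, so be it in the other") promises symmetry, but the code only copies IP_CT_TCP_FLAG_BE_LIBERAL from seen[IP_CT_DIR_ORIGINAL] into seen[IP_CT_DIR_REPLY], never the reverse; either make the check symmetric (test the flag in both directions and set both) or reword the comment to say the original direction is the one that wins. Since the block sits in tcp_packet() and therefore runs for every packet of every TCP conntrack, the `|=` also makes the reply-side flag sticky: once set it is never cleared, even if the original side's flag is cleared later, which is the lifetime question the RFC text itself raises about doing this mid-tcp_packet(); doing the copy once, at the point where the synced conntrack's flags are created or updated, would avoid both the per-packet cost and the stickiness.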
