Hi Pablo,
On Tue, 20 Mar 2018, Pablo Neira Ayuso wrote:
> Before this patch, if TCP state is < TIME_WAIT, we skip this logic.
> Along time, we got new states over the TIME_WAIT value, such as
> SYN_SENT2, RETRANS and UNACK, that can trigger this conntrack entry
> reset, however this check was never updated.
>
> My understanding is that we should only exercise the conntrack reset
> codepath if the existing packet is triggering a transition to SYN_SENT
> state while we were in TIME_WAIT or CLOSE states.
RETRANS and UNACK are not TCP states, just mnemonics to help assign
special timeout values.
SYN_SENT2 is a TCP state which is the second one in the case of
simultaneous open but from there there's no way back to reach SYN_SENT
again.
So I think the original condition is all right. However, if you believe
the patch makes it more clean and less error-prone, then just apply it.
Best regards,
Jozsef
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> While reviewing TCP tracking code, I noticed this. This is just narrowing
> down this codepath so it only works with TIME_WAIT and CLOSE states.
>
> net/netfilter/nf_conntrack_proto_tcp.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
> index e97cdc1cf98c..c765d83db574 100644
> --- a/net/netfilter/nf_conntrack_proto_tcp.c
> +++ b/net/netfilter/nf_conntrack_proto_tcp.c
> @@ -827,7 +827,8 @@ static int tcp_packet(struct nf_conn *ct,
>
> switch (new_state) {
> case TCP_CONNTRACK_SYN_SENT:
> - if (old_state < TCP_CONNTRACK_TIME_WAIT)
> + if (old_state != TCP_CONNTRACK_TIME_WAIT &&
> + old_state != TCP_CONNTRACK_CLOSE)
> break;
> /* RFC 1122: "When a connection is closed actively,
> * it MUST linger in TIME-WAIT state for a time 2xMSL
> --
> 2.11.0
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
-
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
