On Sun, 3 Mar 2019, Florian Westphal wrote:

> Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> > > The ESTABLISHED timeout is 5 minutes because of missing ACKs
> > > (outstanding data) in this case though (the RST has "wrong" sequence
> > > number, so the conntrack is flagged accordingly until something acks the
> > > data).
> >
> > Sorry, but I don't see where the outstanding data is. Up to the RST and
> > the challenge ACK there's no missing ACK. The RST hasn't got a wrong seq
> > because it's in the window. The RST flag is not counted. What do I miss?
>
> There is no outstanding data, but conntrack thinks there is.
>
> If we have this:
>
> seq 100 ack x len 100
> seq 200 rst x len 0
>
> Then the rst is accepted immediately and we move to CLOSE.
>
> When we get this:
>
> seq 100 ack x len 100
> seq 210 rst x len 0
>
> Then from conntrack's point of view, we're 10 bytes "short" because td_end
> is 200, and the new sequence is 210. So we hit this:
>
> if (after(end, sender->td_end)) {
>         sender->td_end = end;
>         sender->flags |= IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED;
> }
>
> in tcp_in_window().

I see, thanks indeed! That explains perfectly. I did not think about the
packet before the RST one. :-)

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
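The two packet traces Florian quotes above, run through a small model of the td_end bookkeeping, as an added example (not code from this thread or from the kernel's nf_conntrack_proto_tcp.c). The model reproduces only the quoted `after(end, sender->td_end)` update step plus the kernel's wraparound-safe `after()` comparison; the struct, the `rst_gap` field and the "RST in train" classification (an RST whose seq equals the current td_end is accepted, one that advances td_end leaves conntrack believing data is outstanding) are the example's own simplification of what the thread describes, not the kernel's full RST handling.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified stand-in for the sender-side fields that the
 * quoted tcp_in_window() snippet touches. Not the kernel's struct. */
struct sender_model {
    uint32_t td_end;           /* seq + len of the furthest segment seen */
    bool data_unacknowledged;  /* models IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED */
};

enum rst_outcome {
    RST_NONE,                /* no RST in the trace */
    RST_ACCEPTED_CLOSE,      /* RST seq == td_end: "in train", conntrack moves to CLOSE */
    RST_SHORT_DATA_UNACKED,  /* RST seq past td_end: conntrack believes data is outstanding */
};

struct segment {
    uint32_t seq;
    uint32_t len;  /* payload bytes; 0 for a bare RST */
    bool rst;
};

struct trace_result {
    enum rst_outcome outcome;
    uint32_t td_end;   /* td_end after the whole trace */
    uint32_t rst_gap;  /* bytes conntrack thinks are outstanding at the RST (0 if in train) */
};

/* Wraparound-safe "a is after b", the same arithmetic as the kernel's after(). */
static bool seq_after(uint32_t a, uint32_t b)
{
    return (int32_t)(a - b) > 0;
}

/* Model of the quoted update step:
 *   if (after(end, sender->td_end)) { td_end = end; flags |= DATA_UNACKNOWLEDGED; }
 * Returns true when the segment advanced td_end. */
static bool window_update(struct sender_model *s, const struct segment *p)
{
    uint32_t end = p->seq + p->len;  /* a bare RST has len 0, so end == seq */
    if (seq_after(end, s->td_end)) {
        s->td_end = end;
        s->data_unacknowledged = true;
        return true;
    }
    return false;
}

/* Feed one direction's segments through the model. The initial td_end is the
 * first segment's seq, i.e. everything before the trace was fully tracked. */
static struct trace_result run_trace(const struct segment *segs, size_t n)
{
    struct trace_result r = { RST_NONE, n ? segs[0].seq : 0, 0 };
    struct sender_model s = { .td_end = r.td_end, .data_unacknowledged = false };

    for (size_t i = 0; i < n; i++) {
        uint32_t before_end = s.td_end;
        bool advanced = window_update(&s, &segs[i]);
        if (segs[i].rst) {
            /* An RST that had to advance td_end is the "10 bytes short" case. */
            r.rst_gap = advanced ? segs[i].seq - before_end : 0;
            r.outcome = advanced ? RST_SHORT_DATA_UNACKED : RST_ACCEPTED_CLOSE;
        }
    }
    r.td_end = s.td_end;
    return r;
}

/* The two traces from the thread (constructed segments, "ack x" omitted). */
static const struct segment trace_in_train[] = {
    { .seq = 100, .len = 100, .rst = false },
    { .seq = 200, .len = 0,   .rst = true  },
};
static const struct segment trace_short[] = {
    { .seq = 100, .len = 100, .rst = false },
    { .seq = 210, .len = 0,   .rst = true  },
};

struct trace_result email_trace_in_train(void) { return run_trace(trace_in_train, 2); }
struct trace_result email_trace_short(void)    { return run_trace(trace_short, 2); }

static void report(const char *name, struct trace_result r)
{
    printf("%s: td_end=%u gap=%u outcome=%s\n", name, (unsigned)r.td_end, (unsigned)r.rst_gap,
           r.outcome == RST_ACCEPTED_CLOSE ? "RST in train, CLOSE" :
           r.outcome == RST_SHORT_DATA_UNACKED ? "data flagged unacknowledged" : "no RST");
}

int main(void)
{
    report("seq 200 rst", email_trace_in_train());
    report("seq 210 rst", email_trace_short());
    return 0;
}
```

The second trace ends with td_end advanced to 210 and a 10-byte gap, which is exactly the state that keeps the entry in ESTABLISHED until something from the other side acknowledges past it; the first trace's RST lands on td_end and advances nothing.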