Re: [PATCH] conntrack_tcp: Reset the max ACK flag on SYN in ignore state

Hi,

Please find the updated patch with the fixed comment.

PS: I'm just wondering if it isn't better to just reset MAXACK_SET in
both directions once an RST is observed on the tracked connection; what
do you think?

Thanks,
Ali

---

From e9d4d3a70a19d8a3868d16c93281119797fb54df Mon Sep 17 00:00:00 2001
From: Ali Abdallah <aabdallah@xxxxxxx>
Date: Thu, 13 Apr 2021 14:18:02 +0200
Subject: [PATCH] Reset the max ACK flag on SYN in ignore state

In ignore state, we let the SYN go in original; the server might respond
with RST/ACK, and that RST packet is erroneously dropped because of the
flag IP_CT_TCP_FLAG_MAXACK_SET being already set.
---
 net/netfilter/nf_conntrack_proto_tcp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index ec23330687a5..891a66e35afd 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -963,6 +963,9 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct,
 
             ct->proto.tcp.last_flags =
             ct->proto.tcp.last_wscale = 0;
+            /* Reset the max ack flag so in case the server replies
+             * with RST/ACK it will not be marked as an invalid rst */
+            ct->proto.tcp.seen[dir].flags &= ~IP_CT_TCP_FLAG_MAXACK_SET;
             tcp_options(skb, dataoff, th, &seen);
             if (seen.flags & IP_CT_TCP_FLAG_WINDOW_SCALE) {
                 ct->proto.tcp.last_flags |=
-- 
2.26.2

On 08.04.2021 11:04, Florian Westphal wrote:
> Ali Abdallah <ali.abdallah@xxxxxxxx> wrote:
> > In ignore state, we let the SYN go in original; the server might respond
> > with RST/ACK, and that RST packet is erroneously dropped because of the
> > flag IP_CT_TCP_FLAG_MAXACK_SET being already set.
> > ---
> >  net/netfilter/nf_conntrack_proto_tcp.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
> > index ec23330687a5..891a66e35afd 100644
> > --- a/net/netfilter/nf_conntrack_proto_tcp.c
> > +++ b/net/netfilter/nf_conntrack_proto_tcp.c
> > @@ -963,6 +963,9 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct,
> >  
> >  			ct->proto.tcp.last_flags =
> >  			ct->proto.tcp.last_wscale = 0;
> > +			/* Reset the max ack flag so in case the server replies
> > +			 * with RST/ACK it will be marked as an invalid rst */
> 
> "not be marked"?
> 
> > +			ct->proto.tcp.seen[dir].flags &= ~IP_CT_TCP_FLAG_MAXACK_SET;
> >  			tcp_options(skb, dataoff, th, &seen);
> >  			if (seen.flags & IP_CT_TCP_FLAG_WINDOW_SCALE) {
> 

-- 
Ali Abdallah | SUSE Linux L3 Engineer
GPG fingerprint: 51A0 F4A0 C8CF C98F 842E  A9A8 B945 56F8 1C85 D0D5
