When tcp_be_liberal is set, don't be conservative on out of segments RSTs. Signed-off-by: Ali Abdallah <aabdallah@xxxxxxx> --- Documentation/networking/nf_conntrack-sysctl.rst | 2 +- net/netfilter/nf_conntrack_proto_tcp.c | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Documentation/networking/nf_conntrack-sysctl.rst b/Documentation/networking/nf_conntrack-sysctl.rst index 11a9b76786cb..4278fad31a43 100644 --- a/Documentation/networking/nf_conntrack-sysctl.rst +++ b/Documentation/networking/nf_conntrack-sysctl.rst @@ -108,7 +108,7 @@ nf_conntrack_tcp_be_liberal - BOOLEAN - not 0 - enabled Be conservative in what you do, be liberal in what you accept from others. - If it's non-zero, we mark only out of window RST segments as INVALID. + If it's non-zero, we don't mark out of window segments as INVALID. nf_conntrack_tcp_loose - BOOLEAN - 0 - disabled diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index 02fab7a8ec92..83890a700ef8 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -1048,7 +1048,8 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct, if (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET) { u32 seq = ntohl(th->seq); - if (before(seq, ct->proto.tcp.seen[!dir].td_maxack)) { + if (before(seq, ct->proto.tcp.seen[!dir].td_maxack) && + !tn->tcp_be_liberal) { /* Invalid RST */ spin_unlock_bh(&ct->lock); nf_ct_l4proto_log_invalid(skb, ct, "invalid rst"); -- 2.26.2
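Review bot: The replacement sentence in the nf_conntrack-sysctl.rst hunk drops the only detail a reader of this knob needs after this patch, namely that liberal mode now also disables the "invalid rst" check, so a RST whose sequence number is before the peer's td_maxack is no longer logged as INVALID but handled as a normal RST. Suggest keeping the RST mention explicit, for example: "If it's non-zero, we don't mark out of window segments as INVALID, and RST segments are accepted even when their sequence number is below the highest ACK seen from the peer." The subject line's "out of segments RSTs" should also be reworded to match the documentation ("out of window RSTs"), since as written it does not parse.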
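Review bot: In the nf_conntrack_proto_tcp.c hunk the new `!tn->tcp_be_liberal` condition is tested after `before(seq, ct->proto.tcp.seen[!dir].td_maxack)`, although the flag alone decides whether the check applies; test the cheap flag first (`if (!tn->tcp_be_liberal && before(seq, ...))`) or skip the whole `IP_CT_TCP_FLAG_MAXACK_SET` block when liberal mode is set so `seq` is not computed for nothing, and confirm that `tn` is already declared earlier in nf_conntrack_tcp_packet(), since the hunk adds no declaration for it. The commit message should also spell out the motivating case and the consequence: with this change a stale or spoofed RST carrying a sequence number below the peer's highest ACK is no longer rejected under tcp_be_liberal, which widens what the setting relaxes beyond the out-of-window data segments the existing documentation describes.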