[PATCH] Avoid potentially erroneous RST check

In 'commit b303e7b80ff1 ("Reset the max ACK flag on SYN in ignore state")'
we reset the max ACK number to avoid dropping valid RST that is a
response to a SYN.

Unfortunately that might not be enough; an out-of-order ACK in origin
might reset it back, and we might end up again dropping valid RST.

This patch disables the RST check when we are not in established state
and we receive an RST with SEQ=0 that is most likely a response to a
SYN we had let go through.

Signed-off-by: Ali Abdallah <aabdallah@xxxxxxx>
---
 net/netfilter/nf_conntrack_proto_tcp.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 83890a700ef8..fb1c389a97fe 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -1048,6 +1048,12 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct,
 		if (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET) {
 			u32 seq = ntohl(th->seq);
 
+			/* If we are not in established state, and an RST is
+			 * observed with SEQ=0, this is most likely an answer
+			 * to a SYN we had let go through above.
+			 */
+			if (seq == 0 && !nf_conntrack_tcp_established(ct))
+				break;
+
 			if (before(seq, ct->proto.tcp.seen[!dir].td_maxack) &&
 			    !tn->tcp_be_liberal) {
 				/* Invalid RST  */
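Review bot: the new early `break` keys only on `seq == 0` and "not established", which is broader than the case the comment and the changelog describe (an RST answering a SYN). As written it also bypasses the max-ACK RST check in every post-handshake state that is not ESTABLISHED (FIN_WAIT, CLOSE_WAIT, LAST_ACK, TIME_WAIT, CLOSE), and it never looks at the ACK side of the segment, so any RST carrying sequence number 0 is accepted there rather than only the one that replies to the SYN; that widens the window in which a stray or spoofed RST can tear down a tracked half-open connection, which is exactly what the `td_maxack` check is meant to limit. Consider narrowing the condition to the pre-established states the changelog actually targets (the "ignore state" / SYN-in-flight case, i.e. SYN_SENT or SYN_RECV rather than `!nf_conntrack_tcp_established(ct)`), and, since an RST sent in response to a SYN carries the ACK flag with the acknowledgment number set to the SYN's sequence number plus one, also require `th->ack` and check that `ntohl(th->ack_seq)` matches the SYN that was let through before skipping the `before(seq, td_maxack)` test. The comment "we had let go through above" also refers to code that is not in this hunk; a short pointer to the relevant branch (or the commit it introduced) would help the next reader.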
-- 
2.26.2
