On Thu, Apr 7, 2022 at 5:48 AM Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxx> wrote:
>
> On Thu, 7 Apr 2022, Florian Westphal wrote:
>
> > Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxx> wrote:
> > > I'd merge the two conditions so that it'd cover both original condition
> > > branches:
> > >
> > > diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
> > > index 8ec55cd72572..87375ce2f995 100644
> > > --- a/net/netfilter/nf_conntrack_proto_tcp.c
> > > +++ b/net/netfilter/nf_conntrack_proto_tcp.c
> > > @@ -556,33 +556,26 @@ static bool tcp_in_window(struct nf_conn *ct,
> > > }
> > >
> > > }
> > > - } else if (((state->state == TCP_CONNTRACK_SYN_SENT
> > > - && dir == IP_CT_DIR_ORIGINAL)
> > > - || (state->state == TCP_CONNTRACK_SYN_RECV
> > > - && dir == IP_CT_DIR_REPLY))
> > > - && after(end, sender->td_end)) {
> > > + } else if (tcph->syn &&
> > > + ((after(end, sender->td_end) &&
> > > + (state->state == TCP_CONNTRACK_SYN_SENT ||
> > > + state->state == TCP_CONNTRACK_SYN_RECV)) ||
> > > + (dir == IP_CT_DIR_REPLY &&
> > > + state->state == TCP_CONNTRACK_SYN_SENT))) {
> >
> > Thats what I did as well, I merged the two branches but I made the
> > 2nd clause stricter to also consider the after() test; it would no
> > longer re-init for syn-acks when sequence did not advance.
>
> That's perfectly fine.
>
> But what about simultaneous syn? The TCP state is zeroed in the REPLY
> direction, so the after() test can easily be false and the state wouldn't
> be picked up. Therefore I extended the condition.
>
Hi Jozsef and Florian
Any updates for this issue ?
Thanks !
