Thank you all. Got entangled in other stuff again, just wanted to say I appreciate the effort that went into this.

Kind Regards,
Jaco

On 2022/04/27 15:49, Pablo Neira Ayuso wrote:
> On Mon, Apr 25, 2022 at 11:47:11AM +0200, Florian Westphal wrote:
>> Jaco Kroon reported tcp problems that Eric Dumazet and Neal Cardwell
>> pinpointed to nf_conntrack tcp_in_window() bug.
>>
>> tcp trace shows following sequence:
>>
>> I > R Flags [S], seq 3451342529, win 62580, options [.. tfo [|tcp]>
>> R > I Flags [S.], seq 2699962254, ack 3451342530, win 65535, options [..]
>> R > I Flags [P.], seq 1:89, ack 1, [..]
>>
>> Note 3rd ACK is from responder to initiator so following branch is taken:
>>
>>     } else if (((state->state == TCP_CONNTRACK_SYN_SENT
>>                  && dir == IP_CT_DIR_ORIGINAL)
>>                 || (state->state == TCP_CONNTRACK_SYN_RECV
>>                     && dir == IP_CT_DIR_REPLY))
>>                && after(end, sender->td_end)) {
>>
>> ... because state == TCP_CONNTRACK_SYN_RECV and dir is REPLY.
>> This causes the scaling factor to be reset to 0: window scale option
>> is only present in syn(ack) packets. This in turn makes nf_conntrack
>> mark valid packets as out-of-window.
>>
>> This was always broken, it exists even in original commit where
>> window tracking was added to ip_conntrack (nf_conntrack predecessor)
>> in 2.6.9-rc1 kernel.
>>
>> Restrict to 'tcph->syn', just like the 3rd conditional added in
>> commit 82b72cb94666 ("netfilter: conntrack: re-init state for retransmitted syn-ack").
>>
>> Upon closer look, those conditionals/branches can be merged:
>>
>> Because earlier checks prevent syn-ack from showing up in
>> original direction, the 'dir' checks in the conditional quoted above are
>> redundant, remove them. Return early for pure syn retransmitted in reply
>> direction (simultaneous open).
>
> Applied, thanks
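The following is an added illustration of the bug described in the commit message, not code from the thread or from the kernel: a deliberately simplified model of the tcp_in_window() re-init branch, replayed over the three segments of the trace with the original condition and with the `tcph->syn` restriction. Only conntrack state, direction, `td_end` and `td_scale` are modelled, the first segment in each direction is treated as initialising that side, and the window-scale option values (7) are constructed since the trace elides the options.

```c
#include <stdbool.h>
#include <stdint.h>
/* Simplified model (added example, not kernel code) of the re-init branch
 * quoted in the commit message; window-scale values (7) are constructed. */
enum { TCP_CONNTRACK_SYN_SENT, TCP_CONNTRACK_SYN_RECV };
enum { IP_CT_DIR_ORIGINAL, IP_CT_DIR_REPLY };
struct ct_sender { uint32_t td_end; uint8_t td_scale; };
struct ct { int state; struct ct_sender seen[2]; };
/* wscale: window scale option value, 0 when the option is absent (non-syn) */
struct pkt { int dir; bool syn; uint32_t end; uint8_t wscale; };
/* wrap-safe "sequence a is later than b", as in the kernel */
static bool after(uint32_t a, uint32_t b) { return (int32_t)(a - b) > 0; }

/* Process one segment. 'fixed' uses the corrected condition (tcph->syn
 * required, redundant dir checks dropped) instead of the original one. */
static void track(struct ct *ct, const struct pkt *p, bool fixed)
{
	struct ct_sender *sender = &ct->seen[p->dir];
	if (p->syn) /* state machine: SYN -> SYN_SENT, SYN/ACK -> SYN_RECV */
		ct->state = p->dir == IP_CT_DIR_ORIGINAL ? TCP_CONNTRACK_SYN_SENT : TCP_CONNTRACK_SYN_RECV;
	if (sender->td_end == 0) { /* first segment seen in this direction */
		sender->td_scale = p->wscale;
		sender->td_end = p->end;
		return;
	}
	bool reinit = fixed ? (p->syn && (ct->state == TCP_CONNTRACK_SYN_SENT ||
					  ct->state == TCP_CONNTRACK_SYN_RECV))
		: ((ct->state == TCP_CONNTRACK_SYN_SENT && p->dir == IP_CT_DIR_ORIGINAL) ||
		   (ct->state == TCP_CONNTRACK_SYN_RECV && p->dir == IP_CT_DIR_REPLY));
	if (reinit && after(p->end, sender->td_end)) {
		sender->td_scale = p->wscale; /* 0 for a non-syn segment: the bug */
		sender->td_end = p->end;
		return;
	}
	if (after(p->end, sender->td_end)) sender->td_end = p->end;
}

/* Replay the three segments from the report; returns the responder's window
 * scale afterwards: 0 with the original condition, 7 with the fix. */
static uint8_t responder_scale_after_trace(bool fixed)
{
	struct ct ct = { .state = TCP_CONNTRACK_SYN_SENT };
	const struct pkt trace[] = {
		{ IP_CT_DIR_ORIGINAL, true,  3451342530u, 7 }, /* I > R [S]  seq 3451342529 */
		{ IP_CT_DIR_REPLY,    true,  2699962255u, 7 }, /* R > I [S.] seq 2699962254 */
		{ IP_CT_DIR_REPLY,    false, 2699962343u, 0 }, /* R > I [P.] seq 1:89 (88 bytes) */
	};
	for (int i = 0; i < 3; i++)
		track(&ct, &trace[i], fixed);
	return ct.seen[IP_CT_DIR_REPLY].td_scale;
}
```

With the original condition the responder's scale factor is wiped by its own first data segment, so every later window computed for that side is off by the missing shift; with the `syn` restriction it survives the handshake.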