On Mon, 20 Oct 2014, vDev wrote:
> It looks like TCP conntrack is incorrectly treating "LAST ACK" (ACK
> from peer for last FIN) as the sequence number comparison does not
> take into account that the last ACK sequence number will be one
> greater than the previous sequence number.
>
> Here's the code that seems to be the cause of it in tcp_in_window()
> [nf_conntrack_proto_tcp.c]:
>
> pr_debug("tcp_in_window: I=%i II=%i III=%i IV=%i\n",
> before(seq, sender->td_maxend + 1),
> after(end, sender->td_end - receiver->td_maxwin - 1),
> before(sack, receiver->td_end + 1),
> after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1));
>
> if (before(seq, sender->td_maxend + 1) &&
> after(end, sender->td_end - receiver->td_maxwin - 1) &&
> before(sack, receiver->td_end + 1) &&
> after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)) {
>
> III in pr_debug will be 0 as "before(sack, receiver->td_end + 1)" will
> evaluate to false as sack will be equal to (receiver->td_end + 1) for
> the last ACK. The sequence number will be one greater in the last ACK.
>
> Any feedback will be helpful. Thanks for looking into this.
Maybe you are not taking into account that the last ACK acks FIN+ACK and
FIN is counted in the sequence numbers and it's stored in td_end. Please
see segment_seq_plus_len() in nf_conntrack_proto_tcp.c.
Best regards,
Jozsef
-
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
