List:       netfilter-devel
Subject:    [PATCH] Fix RST handling in ip_conntrack_proto_tcp.c
From:       Martin Josefsson <gandalf () wlug ! westbo ! se>
Date:       2004-12-31 16:38:56
Message-ID: 1104511137.3821.20.camel () tux ! rsn ! bth ! se

Hi Jozsef

Your latest patch contained a change to the RST handling.
The change was that an RST is ignored if the previous packet was an ACK.
This happens all the time. I know it was intended as a fix for the
SYN - ACK probe - RST sequence but it breaks normal usage. The problem
is that connections that end with RST never get their state changed and
are left in ESTABLISHED state with a large timeout.

The patch below adds a check for
!test_bit(IPS_ASSURED_BIT, &conntrack->status) so your change will only
be active for unassured connections. Maybe you have a better idea for
how to fix both cases.

This patch has been tested by a user that reported the problem on IRC
and it fixes the problem for him. I'm also running it on a machine with
lots of traffic and it fixes the problem for me as well.

Please make sure something that fixes the problem is submitted fairly
quickly.

<hint> A tcp-state/windowtracking testcase for nfsim would be great
</hint> :)

--- linux-2.6.10-rc3-bk14/net/ipv4/netfilter/ip_conntrack_proto_tcp.c.orig	2004-12-30 \
                19:48:33.000000000 +0100
+++ linux-2.6.10-rc3-bk14/net/ipv4/netfilter/ip_conntrack_proto_tcp.c	2004-12-30 \
19:49:46.000000000 +0100 @@ -906,7 +906,8 @@ static int tcp_packet(struct ip_conntrac
 		if (index == TCP_RST_SET
 		    && ((test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)
 		         && conntrack->proto.tcp.last_index <= TCP_SYNACK_SET)
-		        || conntrack->proto.tcp.last_index == TCP_ACK_SET)
+		        || (!test_bit(IPS_ASSURED_BIT, &conntrack->status)
+			 && conntrack->proto.tcp.last_index == TCP_ACK_SET))
 		    && after(ntohl(th->ack_seq),
 		    	     conntrack->proto.tcp.last_seq)) {
 			/* Ignore RST closing down invalid SYN or ACK
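
Review bot: the comment under the condition ("Ignore RST closing down invalid SYN or ACK") no longer matches the test, because the last_index == TCP_ACK_SET branch now applies only while IPS_ASSURED_BIT is clear. Update the comment to say that an RST following an ACK is ignored only for unassured connections, so the reason for the extra check is recorded next to it. The second added line is also indented with a third tab where the neighbouring condition lines use two tabs plus spaces; align it with them.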

-- 
/Martin

