Diffstat (limited to 'net')
-rw-r--r--net/netfilter/nf_conntrack_proto_tcp.c98
1 files changed, 61 insertions, 37 deletions
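--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -59,7 +59,7 @@ static const char *const tcp_conntrack_names[] = {
 	"LAST_ACK",
 	"TIME_WAIT",
 	"CLOSE",
-	"LISTEN"
+	"SYN_SENT2",
 };
 
 #define SECS * HZ
@@ -82,6 +82,7 @@ static unsigned int tcp_timeouts[TCP_CONNTRACK_MAX] __read_mostly = {
 	[TCP_CONNTRACK_LAST_ACK] = 30 SECS,
 	[TCP_CONNTRACK_TIME_WAIT] = 2 MINS,
 	[TCP_CONNTRACK_CLOSE] = 10 SECS,
+	[TCP_CONNTRACK_SYN_SENT2] = 2 MINS,
 };
 
 #define sNO TCP_CONNTRACK_NONE
@@ -93,7 +94,7 @@ static unsigned int tcp_timeouts[TCP_CONNTRACK_MAX] __read_mostly = {
 #define sLA TCP_CONNTRACK_LAST_ACK
 #define sTW TCP_CONNTRACK_TIME_WAIT
 #define sCL TCP_CONNTRACK_CLOSE
-#define sLI TCP_CONNTRACK_LISTEN
+#define sS2 TCP_CONNTRACK_SYN_SENT2
 #define sIV TCP_CONNTRACK_MAX
 #define sIG TCP_CONNTRACK_IGNORE
 
@@ -123,6 +124,7 @@ enum tcp_bit_set {
  *
  * NONE: initial state
  * SYN_SENT: SYN-only packet seen
+ * SYN_SENT2: SYN-only packet seen from reply dir, simultaneous open
  * SYN_RECV: SYN-ACK packet seen
  * ESTABLISHED: ACK packet seen
  * FIN_WAIT: FIN packet seen
@@ -131,26 +133,24 @@ enum tcp_bit_set {
  * TIME_WAIT: last ACK seen
  * CLOSE: closed connection (RST)
  *
- * LISTEN state is not used.
- *
  * Packets marked as IGNORED (sIG):
  * if they may be either invalid or valid
  * and the receiver may send back a connection
  * closing RST or a SYN/ACK.
  *
  * Packets marked as INVALID (sIV):
- * if they are invalid
- * or we do not support the request (simultaneous open)
+ * if we regard them as truly invalid packets
  */
 static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
 	{
 /* ORIGINAL */
-/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
-/*syn*/ { sSS, sSS, sIG, sIG, sIG, sIG, sIG, sSS, sSS, sIV },
+/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
+/*syn*/ { sSS, sSS, sIG, sIG, sIG, sIG, sIG, sSS, sSS, sS2 },
 /*
  * sNO -> sSS Initialize a new connection
  * sSS -> sSS Retransmitted SYN
- * sSR -> sIG Late retransmitted SYN?
+ * sS2 -> sS2 Late retransmitted SYN
+ * sSR -> sIG
  * sES -> sIG Error: SYNs in window outside the SYN_SENT state
  * are errors. Receiver will reply with RST
  * and close the connection.
@@ -161,22 +161,30 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
  * sTW -> sSS Reopened connection (RFC 1122).
  * sCL -> sSS
  */
-/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
-/*synack*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV },
+/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
+/*synack*/ { sIV, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR },
 /*
- * A SYN/ACK from the client is always invalid:
- * - either it tries to set up a simultaneous open, which is
- * not supported;
- * - or the firewall has just been inserted between the two hosts
- * during the session set-up. The SYN will be retransmitted
- * by the true client (or it'll time out).
+ * sNO -> sIV Too late and no reason to do anything
+ * sSS -> sIV Client can't send SYN and then SYN/ACK
+ * sS2 -> sSR SYN/ACK sent to SYN2 in simultaneous open
+ * sSR -> sIG
+ * sES -> sIG Error: SYNs in window outside the SYN_SENT state
+ * are errors. Receiver will reply with RST
+ * and close the connection.
+ * Or we are not in sync and hold a dead connection.
+ * sFW -> sIG
+ * sCW -> sIG
+ * sLA -> sIG
+ * sTW -> sIG
+ * sCL -> sIG
  */
-/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
+/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
 /*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
 /*
  * sNO -> sIV Too late and no reason to do anything...
  * sSS -> sIV Client migth not send FIN in this state:
  * we enforce waiting for a SYN/ACK reply first.
+ * sS2 -> sIV
  * sSR -> sFW Close started.
  * sES -> sFW
  * sFW -> sLA FIN seen in both directions, waiting for
@@ -187,11 +195,12 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
  * sTW -> sTW
  * sCL -> sCL
  */
-/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
+/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
 /*ack*/ { sES, sIV, sES, sES, sCW, sCW, sTW, sTW, sCL, sIV },
 /*
  * sNO -> sES Assumed.
  * sSS -> sIV ACK is invalid: we haven't seen a SYN/ACK yet.
+ * sS2 -> sIV
  * sSR -> sES Established state is reached.
  * sES -> sES :-)
  * sFW -> sCW Normal close request answered by ACK.
@@ -200,29 +209,31 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
  * sTW -> sTW Retransmitted last ACK. Remain in the same state.
  * sCL -> sCL
  */
-/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
-/*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV },
+/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
+/*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL },
 /*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
 	},
 	{
 /* REPLY */
-/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
-/*syn*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV },
+/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
+/*syn*/ { sIV, sS2, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sS2 },
 /*
  * sNO -> sIV Never reached.
- * sSS -> sIV Simultaneous open, not supported
- * sSR -> sIV Simultaneous open, not supported.
- * sES -> sIV Server may not initiate a connection.
+ * sSS -> sS2 Simultaneous open
+ * sS2 -> sS2 Retransmitted simultaneous SYN
+ * sSR -> sIV Invalid SYN packets sent by the server
+ * sES -> sIV
  * sFW -> sIV
  * sCW -> sIV
  * sLA -> sIV
  * sTW -> sIV Reopened connection, but server may not do it.
  * sCL -> sIV
  */
-/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
-/*synack*/ { sIV, sSR, sSR, sIG, sIG, sIG, sIG, sIG, sIG, sIV },
+/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
+/*synack*/ { sIV, sSR, sSR, sIG, sIG, sIG, sIG, sIG, sIG, sSR },
 /*
  * sSS -> sSR Standard open.
+ * sS2 -> sSR Simultaneous open
  * sSR -> sSR Retransmitted SYN/ACK.
  * sES -> sIG Late retransmitted SYN/ACK?
  * sFW -> sIG Might be SYN/ACK answering ignored SYN
@@ -231,10 +242,11 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
  * sTW -> sIG
  * sCL -> sIG
  */
-/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
+/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
 /*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
 /*
  * sSS -> sIV Server might not send FIN in this state.
+ * sS2 -> sIV
  * sSR -> sFW Close started.
  * sES -> sFW
  * sFW -> sLA FIN seen in both directions.
@@ -243,10 +255,11 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
  * sTW -> sTW
  * sCL -> sCL
  */
-/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
-/*ack*/ { sIV, sIG, sSR, sES, sCW, sCW, sTW, sTW, sCL, sIV },
+/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
+/*ack*/ { sIV, sIG, sSR, sES, sCW, sCW, sTW, sTW, sCL, sIG },
 /*
  * sSS -> sIG Might be a half-open connection.
+ * sS2 -> sIG
  * sSR -> sSR Might answer late resent SYN.
  * sES -> sES :-)
  * sFW -> sCW Normal close request answered by ACK.
@@ -255,8 +268,8 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
  * sTW -> sTW Retransmitted last ACK.
  * sCL -> sCL
  */
-/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */
-/*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV },
+/* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
+/*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL },
 /*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
 	}
 };
@@ -521,13 +534,14 @@ static bool tcp_in_window(const struct nf_conn *ct,
 	receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
 	receiver->td_scale);
 
-	if (sender->td_end == 0) {
+	if (sender->td_maxwin == 0) {
 	/*
 	 * Initialize sender data.
 	 */
-	if (tcph->syn && tcph->ack) {
+	if (tcph->syn) {
 	/*
-	 * Outgoing SYN-ACK in reply to a SYN.
+	 * SYN-ACK in reply to a SYN
+	 * or SYN from reply direction in simultaneous open.
 	 */
 	sender->td_end =
 	sender->td_maxend = end;
@@ -543,6 +557,9 @@ static bool tcp_in_window(const struct nf_conn *ct,
 	&& receiver->flags & IP_CT_TCP_FLAG_WINDOW_SCALE))
 	sender->td_scale =
 	receiver->td_scale = 0;
+	if (!tcph->ack)
+	/* Simultaneous open */
+	return true;
 	} else {
 	/*
 	 * We are in the middle of a connection,
@@ -1068,7 +1085,7 @@ static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
 
 	ct->proto.tcp.seen[1].td_end = 0;
 	ct->proto.tcp.seen[1].td_maxend = 0;
-	ct->proto.tcp.seen[1].td_maxwin = 1;
+	ct->proto.tcp.seen[1].td_maxwin = 0;
 	ct->proto.tcp.seen[1].td_scale = 0;
 
 	/* tcp_packet will set them */
@@ -1310,6 +1327,13 @@ static struct ctl_table tcp_compat_sysctl_table[] = {
 	.proc_handler = proc_dointvec_jiffies,
 	},
 	{
+	.procname = "ip_conntrack_tcp_timeout_syn_sent2",
+	.data = &tcp_timeouts[TCP_CONNTRACK_SYN_SENT2],
+	.maxlen = sizeof(unsigned int),
+	.mode = 0644,
+	.proc_handler = proc_dointvec_jiffies,
+	},
+	{
 	.procname = "ip_conntrack_tcp_timeout_syn_recv",
 	.data = &tcp_timeouts[TCP_CONNTRACK_SYN_RECV],
 	.maxlen = sizeof(unsigned int),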
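Review bot: The `if (!tcph->ack) return true;` added in tcp_in_window after the sender initialisation accepts the reply-direction SYN of a simultaneous open without running any of the sequence/window checks that follow, and the test a few lines above now uses `sender->td_maxwin == 0` (instead of `td_end == 0`) as the "direction not yet initialised" sentinel; neither the early return nor the new meaning of a zero td_maxwin is explained in the code. The sentinel is only safe if every initialisation path stores a nonzero td_maxwin (tcp_new now resets seen[1].td_maxwin to 0 to match, but the assignments that fill td_maxwin from the packet window are outside these hunks, so confirm that a zero-window SYN is mapped to a nonzero value there). I would replace `/* Simultaneous open */` with `/* Simultaneous open: the reply-direction SYN carries no ACK, so there is no peer sequence to validate yet; tracking state was just initialised from it. */` and put `/* td_maxwin == 0: this direction has not been initialised yet */` on the outer condition; tcp_in_window's body starts and ends outside the hunk. Separately, the new `ip_conntrack_tcp_timeout_syn_sent2` entry is added only to tcp_compat_sysctl_table, and since the diffstat (61 insertions, 37 deletions) is fully covered by the visible hunks, the non-compat `nf_conntrack_tcp_timeout_*` table gets no matching entry, leaving the SYN_SENT2 timeout tunable only through the legacy path; that asymmetry is worth either fixing or documenting next to the new entry.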