[NETFILTER]: tcp conntrack: do liberal tracking for picked up connections

Do liberal tracking (only RSTs need to be in-window) for connections picked up without seeing a SYN to deal with window scaling. Also change logging of invalid packets not to log packets accepted by liberal tracking to avoid spamming the logs. Based on suggestion from James Ralston <ralston@pobox.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Patrick McHardy <kaber@trash.net> 2007-02-07 18:05:33 -0500
committer: David S. Miller <davem@sunset.davemloft.net> 2007-02-08 15:39:10 -0500
commit: a09113c2c8ec59a5cc228efa5869aade2b8f13f7 (patch)
tree: df582dfa453cb8e1c6eb397062f60d69508c38fe /net/ipv4
parent: 6fecd1985116fb08bdee3b9db6719e159fe5e43d (diff)
1 files changed, 15 insertions, 25 deletions
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
index 06e4e8a6dd9..c34f48fe547 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
@@ -50,12 +50,9 @@ static DEFINE_RWLOCK(tcp_lock);
    If it's non-zero, we mark only out of window RST segments as INVALID. */
 int ip_ct_tcp_be_liberal __read_mostly = 0;
-/* When connection is picked up from the middle, how many packets are required
+/* If it is set to zero, we disable picking up already established
-   to pass in each direction when we assume we are in sync - if any side uses
-   window scaling, we lost the game. 
-   If it is set to zero, we disable picking up already established 
   connections. */
-int ip_ct_tcp_loose __read_mostly = 3;
+int ip_ct_tcp_loose __read_mostly = 1;
 /* Max number of the retransmitted packets without receiving an (acceptable) 
   ACK from the destination. If this number is reached, a shorter timer 
@@ -694,11 +691,10 @@ static int tcp_in_window(struct ip_ct_tcp *state,
                before(sack, receiver->td_end + 1),
                after(ack, receiver->td_end - MAXACKWINDOW(sender)));
        
-        if (sender->loose || receiver->loose ||
+        if (before(seq, sender->td_maxend + 1) &&
-            (before(seq, sender->td_maxend + 1) &&
+            after(end, sender->td_end - receiver->td_maxwin - 1) &&
-             after(end, sender->td_end - receiver->td_maxwin - 1) &&
+            before(sack, receiver->td_end + 1) &&
-             before(sack, receiver->td_end + 1) &&
+            after(ack, receiver->td_end - MAXACKWINDOW(sender))) {
-             after(ack, receiver->td_end - MAXACKWINDOW(sender)))) {
                /*
                 * Take into account window scaling (RFC 1323).
                 */
@@ -743,15 +739,13 @@ static int tcp_in_window(struct ip_ct_tcp *state,
                                state->retrans = 0;
                        }
                }
-                /*
-                 * Close the window of disabled window tracking :-)
-                 */
-                if (sender->loose)
-                        sender->loose--;
-                
                res = 1;
        } else {
-                if (LOG_INVALID(IPPROTO_TCP))
+                res = 0;
+                if (sender->flags & IP_CT_TCP_FLAG_BE_LIBERAL ||
+                    ip_ct_tcp_be_liberal)
+                        res = 1;
+                if (!res && LOG_INVALID(IPPROTO_TCP))
                        nf_log_packet(PF_INET, 0, skb, NULL, NULL, NULL,
                        "ip_ct_tcp: %s ",
                        before(seq, sender->td_maxend + 1) ?
@@ -762,8 +756,6 @@ static int tcp_in_window(struct ip_ct_tcp *state,
                        : "ACK is over the upper bound (ACKed data not seen yet)"
                        : "SEQ is under the lower bound (already ACKed data retransmitted)"
                        : "SEQ is over the upper bound (over the window of the receiver)");
-                res = ip_ct_tcp_be_liberal;
        }
  
        DEBUGP("tcp_in_window: res=%i sender end=%u maxend=%u maxwin=%u "
@@ -1105,8 +1097,6 @@ static int tcp_new(struct ip_conntrack *conntrack,
                tcp_options(skb, iph, th, &conntrack->proto.tcp.seen[0]);
                conntrack->proto.tcp.seen[1].flags = 0;
-                conntrack->proto.tcp.seen[0].loose = 
-                conntrack->proto.tcp.seen[1].loose = 0;
        } else if (ip_ct_tcp_loose == 0) {
                /* Don't try to pick up connections. */
                return 0;
@@ -1127,11 +1117,11 @@ static int tcp_new(struct ip_conntrack *conntrack,
                        conntrack->proto.tcp.seen[0].td_maxwin;
                conntrack->proto.tcp.seen[0].td_scale = 0;
-                /* We assume SACK. Should we assume window scaling too? */
+                /* We assume SACK and liberal window checking to handle
+                 * window scaling */
                conntrack->proto.tcp.seen[0].flags =
-                conntrack->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM;
+                conntrack->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM |
-                conntrack->proto.tcp.seen[0].loose = 
+                                                     IP_CT_TCP_FLAG_BE_LIBERAL;
-                conntrack->proto.tcp.seen[1].loose = ip_ct_tcp_loose;
        }
    
        conntrack->proto.tcp.seen[1].td_end = 0;
author	Patrick McHardy <kaber@trash.net>	2007-02-07 18:05:33 -0500
committer	David S. Miller <davem@sunset.davemloft.net>	2007-02-08 15:39:10 -0500
commit	a09113c2c8ec59a5cc228efa5869aade2b8f13f7 (patch)
tree	df582dfa453cb8e1c6eb397062f60d69508c38fe /net/ipv4
parent	6fecd1985116fb08bdee3b9db6719e159fe5e43d (diff)