diff options
author | YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> | 2007-02-12 14:15:49 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2007-02-12 14:15:49 -0500 |
commit | 601e68e100b6bf8ba13a32db8faf92d43acaa997 (patch) | |
tree | eee0f94c2fe0e5f7d74cf2b4e473b99428cf2bbd /net/netfilter/nf_conntrack_proto_tcp.c | |
parent | a3c941b08d73e26af9030d34a73a1992cfff1703 (diff) |
[NETFILTER]: Fix whitespace errors
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter/nf_conntrack_proto_tcp.c')
-rw-r--r-- | net/netfilter/nf_conntrack_proto_tcp.c | 204 |
1 files changed, 102 insertions, 102 deletions
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index 6fccdcf43e0..c2884f9db07 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c | |||
@@ -55,8 +55,8 @@ | |||
55 | /* Protects conntrack->proto.tcp */ | 55 | /* Protects conntrack->proto.tcp */ |
56 | static DEFINE_RWLOCK(tcp_lock); | 56 | static DEFINE_RWLOCK(tcp_lock); |
57 | 57 | ||
58 | /* "Be conservative in what you do, | 58 | /* "Be conservative in what you do, |
59 | be liberal in what you accept from others." | 59 | be liberal in what you accept from others." |
60 | If it's non-zero, we mark only out of window RST segments as INVALID. */ | 60 | If it's non-zero, we mark only out of window RST segments as INVALID. */ |
61 | int nf_ct_tcp_be_liberal __read_mostly = 0; | 61 | int nf_ct_tcp_be_liberal __read_mostly = 0; |
62 | 62 | ||
@@ -64,8 +64,8 @@ int nf_ct_tcp_be_liberal __read_mostly = 0; | |||
64 | connections. */ | 64 | connections. */ |
65 | int nf_ct_tcp_loose __read_mostly = 1; | 65 | int nf_ct_tcp_loose __read_mostly = 1; |
66 | 66 | ||
67 | /* Max number of the retransmitted packets without receiving an (acceptable) | 67 | /* Max number of the retransmitted packets without receiving an (acceptable) |
68 | ACK from the destination. If this number is reached, a shorter timer | 68 | ACK from the destination. If this number is reached, a shorter timer |
69 | will be started. */ | 69 | will be started. */ |
70 | int nf_ct_tcp_max_retrans __read_mostly = 3; | 70 | int nf_ct_tcp_max_retrans __read_mostly = 3; |
71 | 71 | ||
@@ -84,7 +84,7 @@ static const char *tcp_conntrack_names[] = { | |||
84 | "CLOSE", | 84 | "CLOSE", |
85 | "LISTEN" | 85 | "LISTEN" |
86 | }; | 86 | }; |
87 | 87 | ||
88 | #define SECS * HZ | 88 | #define SECS * HZ |
89 | #define MINS * 60 SECS | 89 | #define MINS * 60 SECS |
90 | #define HOURS * 60 MINS | 90 | #define HOURS * 60 MINS |
@@ -100,10 +100,10 @@ static unsigned int nf_ct_tcp_timeout_time_wait __read_mostly = 2 MINS; | |||
100 | static unsigned int nf_ct_tcp_timeout_close __read_mostly = 10 SECS; | 100 | static unsigned int nf_ct_tcp_timeout_close __read_mostly = 10 SECS; |
101 | 101 | ||
102 | /* RFC1122 says the R2 limit should be at least 100 seconds. | 102 | /* RFC1122 says the R2 limit should be at least 100 seconds. |
103 | Linux uses 15 packets as limit, which corresponds | 103 | Linux uses 15 packets as limit, which corresponds |
104 | to ~13-30min depending on RTO. */ | 104 | to ~13-30min depending on RTO. */ |
105 | static unsigned int nf_ct_tcp_timeout_max_retrans __read_mostly = 5 MINS; | 105 | static unsigned int nf_ct_tcp_timeout_max_retrans __read_mostly = 5 MINS; |
106 | 106 | ||
107 | static unsigned int * tcp_timeouts[] = { | 107 | static unsigned int * tcp_timeouts[] = { |
108 | NULL, /* TCP_CONNTRACK_NONE */ | 108 | NULL, /* TCP_CONNTRACK_NONE */ |
109 | &nf_ct_tcp_timeout_syn_sent, /* TCP_CONNTRACK_SYN_SENT, */ | 109 | &nf_ct_tcp_timeout_syn_sent, /* TCP_CONNTRACK_SYN_SENT, */ |
@@ -116,7 +116,7 @@ static unsigned int * tcp_timeouts[] = { | |||
116 | &nf_ct_tcp_timeout_close, /* TCP_CONNTRACK_CLOSE, */ | 116 | &nf_ct_tcp_timeout_close, /* TCP_CONNTRACK_CLOSE, */ |
117 | NULL, /* TCP_CONNTRACK_LISTEN */ | 117 | NULL, /* TCP_CONNTRACK_LISTEN */ |
118 | }; | 118 | }; |
119 | 119 | ||
120 | #define sNO TCP_CONNTRACK_NONE | 120 | #define sNO TCP_CONNTRACK_NONE |
121 | #define sSS TCP_CONNTRACK_SYN_SENT | 121 | #define sSS TCP_CONNTRACK_SYN_SENT |
122 | #define sSR TCP_CONNTRACK_SYN_RECV | 122 | #define sSR TCP_CONNTRACK_SYN_RECV |
@@ -139,13 +139,13 @@ enum tcp_bit_set { | |||
139 | TCP_RST_SET, | 139 | TCP_RST_SET, |
140 | TCP_NONE_SET, | 140 | TCP_NONE_SET, |
141 | }; | 141 | }; |
142 | 142 | ||
143 | /* | 143 | /* |
144 | * The TCP state transition table needs a few words... | 144 | * The TCP state transition table needs a few words... |
145 | * | 145 | * |
146 | * We are the man in the middle. All the packets go through us | 146 | * We are the man in the middle. All the packets go through us |
147 | * but might get lost in transit to the destination. | 147 | * but might get lost in transit to the destination. |
148 | * It is assumed that the destinations can't receive segments | 148 | * It is assumed that the destinations can't receive segments |
149 | * we haven't seen. | 149 | * we haven't seen. |
150 | * | 150 | * |
151 | * The checked segment is in window, but our windows are *not* | 151 | * The checked segment is in window, but our windows are *not* |
@@ -155,11 +155,11 @@ enum tcp_bit_set { | |||
155 | * The meaning of the states are: | 155 | * The meaning of the states are: |
156 | * | 156 | * |
157 | * NONE: initial state | 157 | * NONE: initial state |
158 | * SYN_SENT: SYN-only packet seen | 158 | * SYN_SENT: SYN-only packet seen |
159 | * SYN_RECV: SYN-ACK packet seen | 159 | * SYN_RECV: SYN-ACK packet seen |
160 | * ESTABLISHED: ACK packet seen | 160 | * ESTABLISHED: ACK packet seen |
161 | * FIN_WAIT: FIN packet seen | 161 | * FIN_WAIT: FIN packet seen |
162 | * CLOSE_WAIT: ACK seen (after FIN) | 162 | * CLOSE_WAIT: ACK seen (after FIN) |
163 | * LAST_ACK: FIN seen (after FIN) | 163 | * LAST_ACK: FIN seen (after FIN) |
164 | * TIME_WAIT: last ACK seen | 164 | * TIME_WAIT: last ACK seen |
165 | * CLOSE: closed connection | 165 | * CLOSE: closed connection |
@@ -167,8 +167,8 @@ enum tcp_bit_set { | |||
167 | * LISTEN state is not used. | 167 | * LISTEN state is not used. |
168 | * | 168 | * |
169 | * Packets marked as IGNORED (sIG): | 169 | * Packets marked as IGNORED (sIG): |
170 | * if they may be either invalid or valid | 170 | * if they may be either invalid or valid |
171 | * and the receiver may send back a connection | 171 | * and the receiver may send back a connection |
172 | * closing RST or a SYN/ACK. | 172 | * closing RST or a SYN/ACK. |
173 | * | 173 | * |
174 | * Packets marked as INVALID (sIV): | 174 | * Packets marked as INVALID (sIV): |
@@ -185,7 +185,7 @@ static enum tcp_conntrack tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = { | |||
185 | * sSS -> sSS Retransmitted SYN | 185 | * sSS -> sSS Retransmitted SYN |
186 | * sSR -> sIG Late retransmitted SYN? | 186 | * sSR -> sIG Late retransmitted SYN? |
187 | * sES -> sIG Error: SYNs in window outside the SYN_SENT state | 187 | * sES -> sIG Error: SYNs in window outside the SYN_SENT state |
188 | * are errors. Receiver will reply with RST | 188 | * are errors. Receiver will reply with RST |
189 | * and close the connection. | 189 | * and close the connection. |
190 | * Or we are not in sync and hold a dead connection. | 190 | * Or we are not in sync and hold a dead connection. |
191 | * sFW -> sIG | 191 | * sFW -> sIG |
@@ -198,10 +198,10 @@ static enum tcp_conntrack tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = { | |||
198 | /*synack*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }, | 198 | /*synack*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }, |
199 | /* | 199 | /* |
200 | * A SYN/ACK from the client is always invalid: | 200 | * A SYN/ACK from the client is always invalid: |
201 | * - either it tries to set up a simultaneous open, which is | 201 | * - either it tries to set up a simultaneous open, which is |
202 | * not supported; | 202 | * not supported; |
203 | * - or the firewall has just been inserted between the two hosts | 203 | * - or the firewall has just been inserted between the two hosts |
204 | * during the session set-up. The SYN will be retransmitted | 204 | * during the session set-up. The SYN will be retransmitted |
205 | * by the true client (or it'll time out). | 205 | * by the true client (or it'll time out). |
206 | */ | 206 | */ |
207 | /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */ | 207 | /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */ |
@@ -213,7 +213,7 @@ static enum tcp_conntrack tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = { | |||
213 | * sSR -> sFW Close started. | 213 | * sSR -> sFW Close started. |
214 | * sES -> sFW | 214 | * sES -> sFW |
215 | * sFW -> sLA FIN seen in both directions, waiting for | 215 | * sFW -> sLA FIN seen in both directions, waiting for |
216 | * the last ACK. | 216 | * the last ACK. |
217 | * Migth be a retransmitted FIN as well... | 217 | * Migth be a retransmitted FIN as well... |
218 | * sCW -> sLA | 218 | * sCW -> sLA |
219 | * sLA -> sLA Retransmitted FIN. Remain in the same state. | 219 | * sLA -> sLA Retransmitted FIN. Remain in the same state. |
@@ -291,7 +291,7 @@ static enum tcp_conntrack tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = { | |||
291 | /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */ | 291 | /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sLI */ |
292 | /*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV }, | 292 | /*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV }, |
293 | /*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV } | 293 | /*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV } |
294 | } | 294 | } |
295 | }; | 295 | }; |
296 | 296 | ||
297 | static int tcp_pkt_to_tuple(const struct sk_buff *skb, | 297 | static int tcp_pkt_to_tuple(const struct sk_buff *skb, |
@@ -352,21 +352,21 @@ static unsigned int get_conntrack_index(const struct tcphdr *tcph) | |||
352 | 352 | ||
353 | /* TCP connection tracking based on 'Real Stateful TCP Packet Filtering | 353 | /* TCP connection tracking based on 'Real Stateful TCP Packet Filtering |
354 | in IP Filter' by Guido van Rooij. | 354 | in IP Filter' by Guido van Rooij. |
355 | 355 | ||
356 | http://www.nluug.nl/events/sane2000/papers.html | 356 | http://www.nluug.nl/events/sane2000/papers.html |
357 | http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz | 357 | http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz |
358 | 358 | ||
359 | The boundaries and the conditions are changed according to RFC793: | 359 | The boundaries and the conditions are changed according to RFC793: |
360 | the packet must intersect the window (i.e. segments may be | 360 | the packet must intersect the window (i.e. segments may be |
361 | after the right or before the left edge) and thus receivers may ACK | 361 | after the right or before the left edge) and thus receivers may ACK |
362 | segments after the right edge of the window. | 362 | segments after the right edge of the window. |
363 | 363 | ||
364 | td_maxend = max(sack + max(win,1)) seen in reply packets | 364 | td_maxend = max(sack + max(win,1)) seen in reply packets |
365 | td_maxwin = max(max(win, 1)) + (sack - ack) seen in sent packets | 365 | td_maxwin = max(max(win, 1)) + (sack - ack) seen in sent packets |
366 | td_maxwin += seq + len - sender.td_maxend | 366 | td_maxwin += seq + len - sender.td_maxend |
367 | if seq + len > sender.td_maxend | 367 | if seq + len > sender.td_maxend |
368 | td_end = max(seq + len) seen in sent packets | 368 | td_end = max(seq + len) seen in sent packets |
369 | 369 | ||
370 | I. Upper bound for valid data: seq <= sender.td_maxend | 370 | I. Upper bound for valid data: seq <= sender.td_maxend |
371 | II. Lower bound for valid data: seq + len >= sender.td_end - receiver.td_maxwin | 371 | II. Lower bound for valid data: seq + len >= sender.td_end - receiver.td_maxwin |
372 | III. Upper bound for valid ack: sack <= receiver.td_end | 372 | III. Upper bound for valid ack: sack <= receiver.td_end |
@@ -374,8 +374,8 @@ static unsigned int get_conntrack_index(const struct tcphdr *tcph) | |||
374 | 374 | ||
375 | where sack is the highest right edge of sack block found in the packet. | 375 | where sack is the highest right edge of sack block found in the packet. |
376 | 376 | ||
377 | The upper bound limit for a valid ack is not ignored - | 377 | The upper bound limit for a valid ack is not ignored - |
378 | we doesn't have to deal with fragments. | 378 | we doesn't have to deal with fragments. |
379 | */ | 379 | */ |
380 | 380 | ||
381 | static inline __u32 segment_seq_plus_len(__u32 seq, | 381 | static inline __u32 segment_seq_plus_len(__u32 seq, |
@@ -388,19 +388,19 @@ static inline __u32 segment_seq_plus_len(__u32 seq, | |||
388 | return (seq + len - dataoff - tcph->doff*4 | 388 | return (seq + len - dataoff - tcph->doff*4 |
389 | + (tcph->syn ? 1 : 0) + (tcph->fin ? 1 : 0)); | 389 | + (tcph->syn ? 1 : 0) + (tcph->fin ? 1 : 0)); |
390 | } | 390 | } |
391 | 391 | ||
392 | /* Fixme: what about big packets? */ | 392 | /* Fixme: what about big packets? */ |
393 | #define MAXACKWINCONST 66000 | 393 | #define MAXACKWINCONST 66000 |
394 | #define MAXACKWINDOW(sender) \ | 394 | #define MAXACKWINDOW(sender) \ |
395 | ((sender)->td_maxwin > MAXACKWINCONST ? (sender)->td_maxwin \ | 395 | ((sender)->td_maxwin > MAXACKWINCONST ? (sender)->td_maxwin \ |
396 | : MAXACKWINCONST) | 396 | : MAXACKWINCONST) |
397 | 397 | ||
398 | /* | 398 | /* |
399 | * Simplified tcp_parse_options routine from tcp_input.c | 399 | * Simplified tcp_parse_options routine from tcp_input.c |
400 | */ | 400 | */ |
401 | static void tcp_options(const struct sk_buff *skb, | 401 | static void tcp_options(const struct sk_buff *skb, |
402 | unsigned int dataoff, | 402 | unsigned int dataoff, |
403 | struct tcphdr *tcph, | 403 | struct tcphdr *tcph, |
404 | struct ip_ct_tcp_state *state) | 404 | struct ip_ct_tcp_state *state) |
405 | { | 405 | { |
406 | unsigned char buff[(15 * 4) - sizeof(struct tcphdr)]; | 406 | unsigned char buff[(15 * 4) - sizeof(struct tcphdr)]; |
@@ -414,7 +414,7 @@ static void tcp_options(const struct sk_buff *skb, | |||
414 | length, buff); | 414 | length, buff); |
415 | BUG_ON(ptr == NULL); | 415 | BUG_ON(ptr == NULL); |
416 | 416 | ||
417 | state->td_scale = | 417 | state->td_scale = |
418 | state->flags = 0; | 418 | state->flags = 0; |
419 | 419 | ||
420 | while (length > 0) { | 420 | while (length > 0) { |
@@ -434,7 +434,7 @@ static void tcp_options(const struct sk_buff *skb, | |||
434 | if (opsize > length) | 434 | if (opsize > length) |
435 | break; /* don't parse partial options */ | 435 | break; /* don't parse partial options */ |
436 | 436 | ||
437 | if (opcode == TCPOPT_SACK_PERM | 437 | if (opcode == TCPOPT_SACK_PERM |
438 | && opsize == TCPOLEN_SACK_PERM) | 438 | && opsize == TCPOLEN_SACK_PERM) |
439 | state->flags |= IP_CT_TCP_FLAG_SACK_PERM; | 439 | state->flags |= IP_CT_TCP_FLAG_SACK_PERM; |
440 | else if (opcode == TCPOPT_WINDOW | 440 | else if (opcode == TCPOPT_WINDOW |
@@ -457,7 +457,7 @@ static void tcp_options(const struct sk_buff *skb, | |||
457 | static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff, | 457 | static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff, |
458 | struct tcphdr *tcph, __u32 *sack) | 458 | struct tcphdr *tcph, __u32 *sack) |
459 | { | 459 | { |
460 | unsigned char buff[(15 * 4) - sizeof(struct tcphdr)]; | 460 | unsigned char buff[(15 * 4) - sizeof(struct tcphdr)]; |
461 | unsigned char *ptr; | 461 | unsigned char *ptr; |
462 | int length = (tcph->doff*4) - sizeof(struct tcphdr); | 462 | int length = (tcph->doff*4) - sizeof(struct tcphdr); |
463 | __u32 tmp; | 463 | __u32 tmp; |
@@ -472,10 +472,10 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff, | |||
472 | /* Fast path for timestamp-only option */ | 472 | /* Fast path for timestamp-only option */ |
473 | if (length == TCPOLEN_TSTAMP_ALIGNED*4 | 473 | if (length == TCPOLEN_TSTAMP_ALIGNED*4 |
474 | && *(__be32 *)ptr == | 474 | && *(__be32 *)ptr == |
475 | __constant_htonl((TCPOPT_NOP << 24) | 475 | __constant_htonl((TCPOPT_NOP << 24) |
476 | | (TCPOPT_NOP << 16) | 476 | | (TCPOPT_NOP << 16) |
477 | | (TCPOPT_TIMESTAMP << 8) | 477 | | (TCPOPT_TIMESTAMP << 8) |
478 | | TCPOLEN_TIMESTAMP)) | 478 | | TCPOLEN_TIMESTAMP)) |
479 | return; | 479 | return; |
480 | 480 | ||
481 | while (length > 0) { | 481 | while (length > 0) { |
@@ -495,15 +495,15 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff, | |||
495 | if (opsize > length) | 495 | if (opsize > length) |
496 | break; /* don't parse partial options */ | 496 | break; /* don't parse partial options */ |
497 | 497 | ||
498 | if (opcode == TCPOPT_SACK | 498 | if (opcode == TCPOPT_SACK |
499 | && opsize >= (TCPOLEN_SACK_BASE | 499 | && opsize >= (TCPOLEN_SACK_BASE |
500 | + TCPOLEN_SACK_PERBLOCK) | 500 | + TCPOLEN_SACK_PERBLOCK) |
501 | && !((opsize - TCPOLEN_SACK_BASE) | 501 | && !((opsize - TCPOLEN_SACK_BASE) |
502 | % TCPOLEN_SACK_PERBLOCK)) { | 502 | % TCPOLEN_SACK_PERBLOCK)) { |
503 | for (i = 0; | 503 | for (i = 0; |
504 | i < (opsize - TCPOLEN_SACK_BASE); | 504 | i < (opsize - TCPOLEN_SACK_BASE); |
505 | i += TCPOLEN_SACK_PERBLOCK) { | 505 | i += TCPOLEN_SACK_PERBLOCK) { |
506 | tmp = ntohl(*((__be32 *)(ptr+i)+1)); | 506 | tmp = ntohl(*((__be32 *)(ptr+i)+1)); |
507 | 507 | ||
508 | if (after(tmp, *sack)) | 508 | if (after(tmp, *sack)) |
509 | *sack = tmp; | 509 | *sack = tmp; |
@@ -516,12 +516,12 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff, | |||
516 | } | 516 | } |
517 | } | 517 | } |
518 | 518 | ||
519 | static int tcp_in_window(struct ip_ct_tcp *state, | 519 | static int tcp_in_window(struct ip_ct_tcp *state, |
520 | enum ip_conntrack_dir dir, | 520 | enum ip_conntrack_dir dir, |
521 | unsigned int index, | 521 | unsigned int index, |
522 | const struct sk_buff *skb, | 522 | const struct sk_buff *skb, |
523 | unsigned int dataoff, | 523 | unsigned int dataoff, |
524 | struct tcphdr *tcph, | 524 | struct tcphdr *tcph, |
525 | int pf) | 525 | int pf) |
526 | { | 526 | { |
527 | struct ip_ct_tcp_state *sender = &state->seen[dir]; | 527 | struct ip_ct_tcp_state *sender = &state->seen[dir]; |
@@ -543,14 +543,14 @@ static int tcp_in_window(struct ip_ct_tcp *state, | |||
543 | DEBUGP("tcp_in_window: START\n"); | 543 | DEBUGP("tcp_in_window: START\n"); |
544 | DEBUGP("tcp_in_window: src=%u.%u.%u.%u:%hu dst=%u.%u.%u.%u:%hu " | 544 | DEBUGP("tcp_in_window: src=%u.%u.%u.%u:%hu dst=%u.%u.%u.%u:%hu " |
545 | "seq=%u ack=%u sack=%u win=%u end=%u\n", | 545 | "seq=%u ack=%u sack=%u win=%u end=%u\n", |
546 | NIPQUAD(iph->saddr), ntohs(tcph->source), | 546 | NIPQUAD(iph->saddr), ntohs(tcph->source), |
547 | NIPQUAD(iph->daddr), ntohs(tcph->dest), | 547 | NIPQUAD(iph->daddr), ntohs(tcph->dest), |
548 | seq, ack, sack, win, end); | 548 | seq, ack, sack, win, end); |
549 | DEBUGP("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i " | 549 | DEBUGP("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i " |
550 | "receiver end=%u maxend=%u maxwin=%u scale=%i\n", | 550 | "receiver end=%u maxend=%u maxwin=%u scale=%i\n", |
551 | sender->td_end, sender->td_maxend, sender->td_maxwin, | 551 | sender->td_end, sender->td_maxend, sender->td_maxwin, |
552 | sender->td_scale, | 552 | sender->td_scale, |
553 | receiver->td_end, receiver->td_maxend, receiver->td_maxwin, | 553 | receiver->td_end, receiver->td_maxend, receiver->td_maxwin, |
554 | receiver->td_scale); | 554 | receiver->td_scale); |
555 | 555 | ||
556 | if (sender->td_end == 0) { | 556 | if (sender->td_end == 0) { |
@@ -561,26 +561,26 @@ static int tcp_in_window(struct ip_ct_tcp *state, | |||
561 | /* | 561 | /* |
562 | * Outgoing SYN-ACK in reply to a SYN. | 562 | * Outgoing SYN-ACK in reply to a SYN. |
563 | */ | 563 | */ |
564 | sender->td_end = | 564 | sender->td_end = |
565 | sender->td_maxend = end; | 565 | sender->td_maxend = end; |
566 | sender->td_maxwin = (win == 0 ? 1 : win); | 566 | sender->td_maxwin = (win == 0 ? 1 : win); |
567 | 567 | ||
568 | tcp_options(skb, dataoff, tcph, sender); | 568 | tcp_options(skb, dataoff, tcph, sender); |
569 | /* | 569 | /* |
570 | * RFC 1323: | 570 | * RFC 1323: |
571 | * Both sides must send the Window Scale option | 571 | * Both sides must send the Window Scale option |
572 | * to enable window scaling in either direction. | 572 | * to enable window scaling in either direction. |
573 | */ | 573 | */ |
574 | if (!(sender->flags & IP_CT_TCP_FLAG_WINDOW_SCALE | 574 | if (!(sender->flags & IP_CT_TCP_FLAG_WINDOW_SCALE |
575 | && receiver->flags & IP_CT_TCP_FLAG_WINDOW_SCALE)) | 575 | && receiver->flags & IP_CT_TCP_FLAG_WINDOW_SCALE)) |
576 | sender->td_scale = | 576 | sender->td_scale = |
577 | receiver->td_scale = 0; | 577 | receiver->td_scale = 0; |
578 | } else { | 578 | } else { |
579 | /* | 579 | /* |
580 | * We are in the middle of a connection, | 580 | * We are in the middle of a connection, |
581 | * its history is lost for us. | 581 | * its history is lost for us. |
582 | * Let's try to use the data from the packet. | 582 | * Let's try to use the data from the packet. |
583 | */ | 583 | */ |
584 | sender->td_end = end; | 584 | sender->td_end = end; |
585 | sender->td_maxwin = (win == 0 ? 1 : win); | 585 | sender->td_maxwin = (win == 0 ? 1 : win); |
586 | sender->td_maxend = end + sender->td_maxwin; | 586 | sender->td_maxend = end + sender->td_maxwin; |
@@ -592,7 +592,7 @@ static int tcp_in_window(struct ip_ct_tcp *state, | |||
592 | && after(end, sender->td_end)) { | 592 | && after(end, sender->td_end)) { |
593 | /* | 593 | /* |
594 | * RFC 793: "if a TCP is reinitialized ... then it need | 594 | * RFC 793: "if a TCP is reinitialized ... then it need |
595 | * not wait at all; it must only be sure to use sequence | 595 | * not wait at all; it must only be sure to use sequence |
596 | * numbers larger than those recently used." | 596 | * numbers larger than those recently used." |
597 | */ | 597 | */ |
598 | sender->td_end = | 598 | sender->td_end = |
@@ -607,8 +607,8 @@ static int tcp_in_window(struct ip_ct_tcp *state, | |||
607 | * If there is no ACK, just pretend it was set and OK. | 607 | * If there is no ACK, just pretend it was set and OK. |
608 | */ | 608 | */ |
609 | ack = sack = receiver->td_end; | 609 | ack = sack = receiver->td_end; |
610 | } else if (((tcp_flag_word(tcph) & (TCP_FLAG_ACK|TCP_FLAG_RST)) == | 610 | } else if (((tcp_flag_word(tcph) & (TCP_FLAG_ACK|TCP_FLAG_RST)) == |
611 | (TCP_FLAG_ACK|TCP_FLAG_RST)) | 611 | (TCP_FLAG_ACK|TCP_FLAG_RST)) |
612 | && (ack == 0)) { | 612 | && (ack == 0)) { |
613 | /* | 613 | /* |
614 | * Broken TCP stacks, that set ACK in RST packets as well | 614 | * Broken TCP stacks, that set ACK in RST packets as well |
@@ -637,21 +637,21 @@ static int tcp_in_window(struct ip_ct_tcp *state, | |||
637 | DEBUGP("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i " | 637 | DEBUGP("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i " |
638 | "receiver end=%u maxend=%u maxwin=%u scale=%i\n", | 638 | "receiver end=%u maxend=%u maxwin=%u scale=%i\n", |
639 | sender->td_end, sender->td_maxend, sender->td_maxwin, | 639 | sender->td_end, sender->td_maxend, sender->td_maxwin, |
640 | sender->td_scale, | 640 | sender->td_scale, |
641 | receiver->td_end, receiver->td_maxend, receiver->td_maxwin, | 641 | receiver->td_end, receiver->td_maxend, receiver->td_maxwin, |
642 | receiver->td_scale); | 642 | receiver->td_scale); |
643 | 643 | ||
644 | DEBUGP("tcp_in_window: I=%i II=%i III=%i IV=%i\n", | 644 | DEBUGP("tcp_in_window: I=%i II=%i III=%i IV=%i\n", |
645 | before(seq, sender->td_maxend + 1), | 645 | before(seq, sender->td_maxend + 1), |
646 | after(end, sender->td_end - receiver->td_maxwin - 1), | 646 | after(end, sender->td_end - receiver->td_maxwin - 1), |
647 | before(sack, receiver->td_end + 1), | 647 | before(sack, receiver->td_end + 1), |
648 | after(ack, receiver->td_end - MAXACKWINDOW(sender))); | 648 | after(ack, receiver->td_end - MAXACKWINDOW(sender))); |
649 | 649 | ||
650 | if (before(seq, sender->td_maxend + 1) && | 650 | if (before(seq, sender->td_maxend + 1) && |
651 | after(end, sender->td_end - receiver->td_maxwin - 1) && | 651 | after(end, sender->td_end - receiver->td_maxwin - 1) && |
652 | before(sack, receiver->td_end + 1) && | 652 | before(sack, receiver->td_end + 1) && |
653 | after(ack, receiver->td_end - MAXACKWINDOW(sender))) { | 653 | after(ack, receiver->td_end - MAXACKWINDOW(sender))) { |
654 | /* | 654 | /* |
655 | * Take into account window scaling (RFC 1323). | 655 | * Take into account window scaling (RFC 1323). |
656 | */ | 656 | */ |
657 | if (!tcph->syn) | 657 | if (!tcph->syn) |
@@ -676,7 +676,7 @@ static int tcp_in_window(struct ip_ct_tcp *state, | |||
676 | receiver->td_maxend++; | 676 | receiver->td_maxend++; |
677 | } | 677 | } |
678 | 678 | ||
679 | /* | 679 | /* |
680 | * Check retransmissions. | 680 | * Check retransmissions. |
681 | */ | 681 | */ |
682 | if (index == TCP_ACK_SET) { | 682 | if (index == TCP_ACK_SET) { |
@@ -712,11 +712,11 @@ static int tcp_in_window(struct ip_ct_tcp *state, | |||
712 | : "ACK is over the upper bound (ACKed data not seen yet)" | 712 | : "ACK is over the upper bound (ACKed data not seen yet)" |
713 | : "SEQ is under the lower bound (already ACKed data retransmitted)" | 713 | : "SEQ is under the lower bound (already ACKed data retransmitted)" |
714 | : "SEQ is over the upper bound (over the window of the receiver)"); | 714 | : "SEQ is over the upper bound (over the window of the receiver)"); |
715 | } | 715 | } |
716 | 716 | ||
717 | DEBUGP("tcp_in_window: res=%i sender end=%u maxend=%u maxwin=%u " | 717 | DEBUGP("tcp_in_window: res=%i sender end=%u maxend=%u maxwin=%u " |
718 | "receiver end=%u maxend=%u maxwin=%u\n", | 718 | "receiver end=%u maxend=%u maxwin=%u\n", |
719 | res, sender->td_end, sender->td_maxend, sender->td_maxwin, | 719 | res, sender->td_end, sender->td_maxend, sender->td_maxwin, |
720 | receiver->td_end, receiver->td_maxend, receiver->td_maxwin); | 720 | receiver->td_end, receiver->td_maxend, receiver->td_maxwin); |
721 | 721 | ||
722 | return res; | 722 | return res; |
@@ -727,7 +727,7 @@ static int tcp_in_window(struct ip_ct_tcp *state, | |||
727 | /* Caller must linearize skb at tcp header. */ | 727 | /* Caller must linearize skb at tcp header. */ |
728 | void nf_conntrack_tcp_update(struct sk_buff *skb, | 728 | void nf_conntrack_tcp_update(struct sk_buff *skb, |
729 | unsigned int dataoff, | 729 | unsigned int dataoff, |
730 | struct nf_conn *conntrack, | 730 | struct nf_conn *conntrack, |
731 | int dir) | 731 | int dir) |
732 | { | 732 | { |
733 | struct tcphdr *tcph = (void *)skb->data + dataoff; | 733 | struct tcphdr *tcph = (void *)skb->data + dataoff; |
@@ -750,7 +750,7 @@ void nf_conntrack_tcp_update(struct sk_buff *skb, | |||
750 | DEBUGP("tcp_update: sender end=%u maxend=%u maxwin=%u scale=%i " | 750 | DEBUGP("tcp_update: sender end=%u maxend=%u maxwin=%u scale=%i " |
751 | "receiver end=%u maxend=%u maxwin=%u scale=%i\n", | 751 | "receiver end=%u maxend=%u maxwin=%u scale=%i\n", |
752 | sender->td_end, sender->td_maxend, sender->td_maxwin, | 752 | sender->td_end, sender->td_maxend, sender->td_maxwin, |
753 | sender->td_scale, | 753 | sender->td_scale, |
754 | receiver->td_end, receiver->td_maxend, receiver->td_maxwin, | 754 | receiver->td_end, receiver->td_maxend, receiver->td_maxwin, |
755 | receiver->td_scale); | 755 | receiver->td_scale); |
756 | } | 756 | } |
@@ -804,8 +804,8 @@ static int tcp_error(struct sk_buff *skb, | |||
804 | nf_log_packet(pf, 0, skb, NULL, NULL, NULL, | 804 | nf_log_packet(pf, 0, skb, NULL, NULL, NULL, |
805 | "nf_ct_tcp: short packet "); | 805 | "nf_ct_tcp: short packet "); |
806 | return -NF_ACCEPT; | 806 | return -NF_ACCEPT; |
807 | } | 807 | } |
808 | 808 | ||
809 | /* Not whole TCP header or malformed packet */ | 809 | /* Not whole TCP header or malformed packet */ |
810 | if (th->doff*4 < sizeof(struct tcphdr) || tcplen < th->doff*4) { | 810 | if (th->doff*4 < sizeof(struct tcphdr) || tcplen < th->doff*4) { |
811 | if (LOG_INVALID(IPPROTO_TCP)) | 811 | if (LOG_INVALID(IPPROTO_TCP)) |
@@ -813,7 +813,7 @@ static int tcp_error(struct sk_buff *skb, | |||
813 | "nf_ct_tcp: truncated/malformed packet "); | 813 | "nf_ct_tcp: truncated/malformed packet "); |
814 | return -NF_ACCEPT; | 814 | return -NF_ACCEPT; |
815 | } | 815 | } |
816 | 816 | ||
817 | /* Checksum invalid? Ignore. | 817 | /* Checksum invalid? Ignore. |
818 | * We skip checking packets on the outgoing path | 818 | * We skip checking packets on the outgoing path |
819 | * because the checksum is assumed to be correct. | 819 | * because the checksum is assumed to be correct. |
@@ -870,28 +870,28 @@ static int tcp_packet(struct nf_conn *conntrack, | |||
870 | * | 870 | * |
871 | * a) SYN in ORIGINAL | 871 | * a) SYN in ORIGINAL |
872 | * b) SYN/ACK in REPLY | 872 | * b) SYN/ACK in REPLY |
873 | * c) ACK in reply direction after initial SYN in original. | 873 | * c) ACK in reply direction after initial SYN in original. |
874 | */ | 874 | */ |
875 | if (index == TCP_SYNACK_SET | 875 | if (index == TCP_SYNACK_SET |
876 | && conntrack->proto.tcp.last_index == TCP_SYN_SET | 876 | && conntrack->proto.tcp.last_index == TCP_SYN_SET |
877 | && conntrack->proto.tcp.last_dir != dir | 877 | && conntrack->proto.tcp.last_dir != dir |
878 | && ntohl(th->ack_seq) == | 878 | && ntohl(th->ack_seq) == |
879 | conntrack->proto.tcp.last_end) { | 879 | conntrack->proto.tcp.last_end) { |
880 | /* This SYN/ACK acknowledges a SYN that we earlier | 880 | /* This SYN/ACK acknowledges a SYN that we earlier |
881 | * ignored as invalid. This means that the client and | 881 | * ignored as invalid. This means that the client and |
882 | * the server are both in sync, while the firewall is | 882 | * the server are both in sync, while the firewall is |
883 | * not. We kill this session and block the SYN/ACK so | 883 | * not. We kill this session and block the SYN/ACK so |
884 | * that the client cannot but retransmit its SYN and | 884 | * that the client cannot but retransmit its SYN and |
885 | * thus initiate a clean new session. | 885 | * thus initiate a clean new session. |
886 | */ | 886 | */ |
887 | write_unlock_bh(&tcp_lock); | 887 | write_unlock_bh(&tcp_lock); |
888 | if (LOG_INVALID(IPPROTO_TCP)) | 888 | if (LOG_INVALID(IPPROTO_TCP)) |
889 | nf_log_packet(pf, 0, skb, NULL, NULL, NULL, | 889 | nf_log_packet(pf, 0, skb, NULL, NULL, NULL, |
890 | "nf_ct_tcp: killing out of sync session "); | 890 | "nf_ct_tcp: killing out of sync session "); |
891 | if (del_timer(&conntrack->timeout)) | 891 | if (del_timer(&conntrack->timeout)) |
892 | conntrack->timeout.function((unsigned long) | 892 | conntrack->timeout.function((unsigned long) |
893 | conntrack); | 893 | conntrack); |
894 | return -NF_DROP; | 894 | return -NF_DROP; |
895 | } | 895 | } |
896 | conntrack->proto.tcp.last_index = index; | 896 | conntrack->proto.tcp.last_index = index; |
897 | conntrack->proto.tcp.last_dir = dir; | 897 | conntrack->proto.tcp.last_dir = dir; |
@@ -921,13 +921,13 @@ static int tcp_packet(struct nf_conn *conntrack, | |||
921 | IP_CT_TCP_FLAG_CLOSE_INIT) | 921 | IP_CT_TCP_FLAG_CLOSE_INIT) |
922 | || after(ntohl(th->seq), | 922 | || after(ntohl(th->seq), |
923 | conntrack->proto.tcp.seen[dir].td_end)) { | 923 | conntrack->proto.tcp.seen[dir].td_end)) { |
924 | /* Attempt to reopen a closed connection. | 924 | /* Attempt to reopen a closed connection. |
925 | * Delete this connection and look up again. */ | 925 | * Delete this connection and look up again. */ |
926 | write_unlock_bh(&tcp_lock); | 926 | write_unlock_bh(&tcp_lock); |
927 | if (del_timer(&conntrack->timeout)) | 927 | if (del_timer(&conntrack->timeout)) |
928 | conntrack->timeout.function((unsigned long) | 928 | conntrack->timeout.function((unsigned long) |
929 | conntrack); | 929 | conntrack); |
930 | return -NF_REPEAT; | 930 | return -NF_REPEAT; |
931 | } else { | 931 | } else { |
932 | write_unlock_bh(&tcp_lock); | 932 | write_unlock_bh(&tcp_lock); |
933 | if (LOG_INVALID(IPPROTO_TCP)) | 933 | if (LOG_INVALID(IPPROTO_TCP)) |
@@ -938,9 +938,9 @@ static int tcp_packet(struct nf_conn *conntrack, | |||
938 | case TCP_CONNTRACK_CLOSE: | 938 | case TCP_CONNTRACK_CLOSE: |
939 | if (index == TCP_RST_SET | 939 | if (index == TCP_RST_SET |
940 | && ((test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status) | 940 | && ((test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status) |
941 | && conntrack->proto.tcp.last_index == TCP_SYN_SET) | 941 | && conntrack->proto.tcp.last_index == TCP_SYN_SET) |
942 | || (!test_bit(IPS_ASSURED_BIT, &conntrack->status) | 942 | || (!test_bit(IPS_ASSURED_BIT, &conntrack->status) |
943 | && conntrack->proto.tcp.last_index == TCP_ACK_SET)) | 943 | && conntrack->proto.tcp.last_index == TCP_ACK_SET)) |
944 | && ntohl(th->ack_seq) == conntrack->proto.tcp.last_end) { | 944 | && ntohl(th->ack_seq) == conntrack->proto.tcp.last_end) { |
945 | /* RST sent to invalid SYN or ACK we had let through | 945 | /* RST sent to invalid SYN or ACK we had let through |
946 | * at a) and c) above: | 946 | * at a) and c) above: |
@@ -1005,8 +1005,8 @@ static int tcp_packet(struct nf_conn *conntrack, | |||
1005 | && (old_state == TCP_CONNTRACK_SYN_RECV | 1005 | && (old_state == TCP_CONNTRACK_SYN_RECV |
1006 | || old_state == TCP_CONNTRACK_ESTABLISHED) | 1006 | || old_state == TCP_CONNTRACK_ESTABLISHED) |
1007 | && new_state == TCP_CONNTRACK_ESTABLISHED) { | 1007 | && new_state == TCP_CONNTRACK_ESTABLISHED) { |
1008 | /* Set ASSURED if we see see valid ack in ESTABLISHED | 1008 | /* Set ASSURED if we see see valid ack in ESTABLISHED |
1009 | after SYN_RECV or a valid answer for a picked up | 1009 | after SYN_RECV or a valid answer for a picked up |
1010 | connection. */ | 1010 | connection. */ |
1011 | set_bit(IPS_ASSURED_BIT, &conntrack->status); | 1011 | set_bit(IPS_ASSURED_BIT, &conntrack->status); |
1012 | nf_conntrack_event_cache(IPCT_STATUS, skb); | 1012 | nf_conntrack_event_cache(IPCT_STATUS, skb); |
@@ -1015,7 +1015,7 @@ static int tcp_packet(struct nf_conn *conntrack, | |||
1015 | 1015 | ||
1016 | return NF_ACCEPT; | 1016 | return NF_ACCEPT; |
1017 | } | 1017 | } |
1018 | 1018 | ||
1019 | /* Called when a new connection for this protocol found. */ | 1019 | /* Called when a new connection for this protocol found. */ |
1020 | static int tcp_new(struct nf_conn *conntrack, | 1020 | static int tcp_new(struct nf_conn *conntrack, |
1021 | const struct sk_buff *skb, | 1021 | const struct sk_buff *skb, |
@@ -1071,7 +1071,7 @@ static int tcp_new(struct nf_conn *conntrack, | |||
1071 | if (conntrack->proto.tcp.seen[0].td_maxwin == 0) | 1071 | if (conntrack->proto.tcp.seen[0].td_maxwin == 0) |
1072 | conntrack->proto.tcp.seen[0].td_maxwin = 1; | 1072 | conntrack->proto.tcp.seen[0].td_maxwin = 1; |
1073 | conntrack->proto.tcp.seen[0].td_maxend = | 1073 | conntrack->proto.tcp.seen[0].td_maxend = |
1074 | conntrack->proto.tcp.seen[0].td_end + | 1074 | conntrack->proto.tcp.seen[0].td_end + |
1075 | conntrack->proto.tcp.seen[0].td_maxwin; | 1075 | conntrack->proto.tcp.seen[0].td_maxwin; |
1076 | conntrack->proto.tcp.seen[0].td_scale = 0; | 1076 | conntrack->proto.tcp.seen[0].td_scale = 0; |
1077 | 1077 | ||
@@ -1081,20 +1081,20 @@ static int tcp_new(struct nf_conn *conntrack, | |||
1081 | conntrack->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM | | 1081 | conntrack->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM | |
1082 | IP_CT_TCP_FLAG_BE_LIBERAL; | 1082 | IP_CT_TCP_FLAG_BE_LIBERAL; |
1083 | } | 1083 | } |
1084 | 1084 | ||
1085 | conntrack->proto.tcp.seen[1].td_end = 0; | 1085 | conntrack->proto.tcp.seen[1].td_end = 0; |
1086 | conntrack->proto.tcp.seen[1].td_maxend = 0; | 1086 | conntrack->proto.tcp.seen[1].td_maxend = 0; |
1087 | conntrack->proto.tcp.seen[1].td_maxwin = 1; | 1087 | conntrack->proto.tcp.seen[1].td_maxwin = 1; |
1088 | conntrack->proto.tcp.seen[1].td_scale = 0; | 1088 | conntrack->proto.tcp.seen[1].td_scale = 0; |
1089 | 1089 | ||
1090 | /* tcp_packet will set them */ | 1090 | /* tcp_packet will set them */ |
1091 | conntrack->proto.tcp.state = TCP_CONNTRACK_NONE; | 1091 | conntrack->proto.tcp.state = TCP_CONNTRACK_NONE; |
1092 | conntrack->proto.tcp.last_index = TCP_NONE_SET; | 1092 | conntrack->proto.tcp.last_index = TCP_NONE_SET; |
1093 | 1093 | ||
1094 | DEBUGP("tcp_new: sender end=%u maxend=%u maxwin=%u scale=%i " | 1094 | DEBUGP("tcp_new: sender end=%u maxend=%u maxwin=%u scale=%i " |
1095 | "receiver end=%u maxend=%u maxwin=%u scale=%i\n", | 1095 | "receiver end=%u maxend=%u maxwin=%u scale=%i\n", |
1096 | sender->td_end, sender->td_maxend, sender->td_maxwin, | 1096 | sender->td_end, sender->td_maxend, sender->td_maxwin, |
1097 | sender->td_scale, | 1097 | sender->td_scale, |
1098 | receiver->td_end, receiver->td_maxend, receiver->td_maxwin, | 1098 | receiver->td_end, receiver->td_maxend, receiver->td_maxwin, |
1099 | receiver->td_scale); | 1099 | receiver->td_scale); |
1100 | return 1; | 1100 | return 1; |
@@ -1110,7 +1110,7 @@ static int tcp_to_nfattr(struct sk_buff *skb, struct nfattr *nfa, | |||
1110 | const struct nf_conn *ct) | 1110 | const struct nf_conn *ct) |
1111 | { | 1111 | { |
1112 | struct nfattr *nest_parms; | 1112 | struct nfattr *nest_parms; |
1113 | 1113 | ||
1114 | read_lock_bh(&tcp_lock); | 1114 | read_lock_bh(&tcp_lock); |
1115 | nest_parms = NFA_NEST(skb, CTA_PROTOINFO_TCP); | 1115 | nest_parms = NFA_NEST(skb, CTA_PROTOINFO_TCP); |
1116 | NFA_PUT(skb, CTA_PROTOINFO_TCP_STATE, sizeof(u_int8_t), | 1116 | NFA_PUT(skb, CTA_PROTOINFO_TCP_STATE, sizeof(u_int8_t), |
@@ -1140,7 +1140,7 @@ static int nfattr_to_tcp(struct nfattr *cda[], struct nf_conn *ct) | |||
1140 | if (!attr) | 1140 | if (!attr) |
1141 | return 0; | 1141 | return 0; |
1142 | 1142 | ||
1143 | nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr); | 1143 | nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr); |
1144 | 1144 | ||
1145 | if (nfattr_bad_size(tb, CTA_PROTOINFO_TCP_MAX, cta_min_tcp)) | 1145 | if (nfattr_bad_size(tb, CTA_PROTOINFO_TCP_MAX, cta_min_tcp)) |
1146 | return -EINVAL; | 1146 | return -EINVAL; |
@@ -1149,7 +1149,7 @@ static int nfattr_to_tcp(struct nfattr *cda[], struct nf_conn *ct) | |||
1149 | return -EINVAL; | 1149 | return -EINVAL; |
1150 | 1150 | ||
1151 | write_lock_bh(&tcp_lock); | 1151 | write_lock_bh(&tcp_lock); |
1152 | ct->proto.tcp.state = | 1152 | ct->proto.tcp.state = |
1153 | *(u_int8_t *)NFA_DATA(tb[CTA_PROTOINFO_TCP_STATE-1]); | 1153 | *(u_int8_t *)NFA_DATA(tb[CTA_PROTOINFO_TCP_STATE-1]); |
1154 | write_unlock_bh(&tcp_lock); | 1154 | write_unlock_bh(&tcp_lock); |
1155 | 1155 | ||