diff options
Diffstat (limited to 'net/netfilter/nf_conntrack_proto_tcp.c')
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_tcp.c | 64 |
1 files changed, 26 insertions, 38 deletions
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index 97a82ba7537..ba2b7693728 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c | |||
| @@ -492,6 +492,21 @@ static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff, | |||
| 492 | } | 492 | } |
| 493 | } | 493 | } |
| 494 | 494 | ||
| 495 | #ifdef CONFIG_NF_NAT_NEEDED | ||
| 496 | static inline s16 nat_offset(const struct nf_conn *ct, | ||
| 497 | enum ip_conntrack_dir dir, | ||
| 498 | u32 seq) | ||
| 499 | { | ||
| 500 | typeof(nf_ct_nat_offset) get_offset = rcu_dereference(nf_ct_nat_offset); | ||
| 501 | |||
| 502 | return get_offset != NULL ? get_offset(ct, dir, seq) : 0; | ||
| 503 | } | ||
| 504 | #define NAT_OFFSET(pf, ct, dir, seq) \ | ||
| 505 | (pf == NFPROTO_IPV4 ? nat_offset(ct, dir, seq) : 0) | ||
| 506 | #else | ||
| 507 | #define NAT_OFFSET(pf, ct, dir, seq) 0 | ||
| 508 | #endif | ||
| 509 | |||
| 495 | static bool tcp_in_window(const struct nf_conn *ct, | 510 | static bool tcp_in_window(const struct nf_conn *ct, |
| 496 | struct ip_ct_tcp *state, | 511 | struct ip_ct_tcp *state, |
| 497 | enum ip_conntrack_dir dir, | 512 | enum ip_conntrack_dir dir, |
| @@ -506,6 +521,7 @@ static bool tcp_in_window(const struct nf_conn *ct, | |||
| 506 | struct ip_ct_tcp_state *receiver = &state->seen[!dir]; | 521 | struct ip_ct_tcp_state *receiver = &state->seen[!dir]; |
| 507 | const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple; | 522 | const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple; |
| 508 | __u32 seq, ack, sack, end, win, swin; | 523 | __u32 seq, ack, sack, end, win, swin; |
| 524 | s16 receiver_offset; | ||
| 509 | bool res; | 525 | bool res; |
| 510 | 526 | ||
| 511 | /* | 527 | /* |
| @@ -519,11 +535,16 @@ static bool tcp_in_window(const struct nf_conn *ct, | |||
| 519 | if (receiver->flags & IP_CT_TCP_FLAG_SACK_PERM) | 535 | if (receiver->flags & IP_CT_TCP_FLAG_SACK_PERM) |
| 520 | tcp_sack(skb, dataoff, tcph, &sack); | 536 | tcp_sack(skb, dataoff, tcph, &sack); |
| 521 | 537 | ||
| 538 | /* Take into account NAT sequence number mangling */ | ||
| 539 | receiver_offset = NAT_OFFSET(pf, ct, !dir, ack - 1); | ||
| 540 | ack -= receiver_offset; | ||
| 541 | sack -= receiver_offset; | ||
| 542 | |||
| 522 | pr_debug("tcp_in_window: START\n"); | 543 | pr_debug("tcp_in_window: START\n"); |
| 523 | pr_debug("tcp_in_window: "); | 544 | pr_debug("tcp_in_window: "); |
| 524 | nf_ct_dump_tuple(tuple); | 545 | nf_ct_dump_tuple(tuple); |
| 525 | pr_debug("seq=%u ack=%u sack=%u win=%u end=%u\n", | 546 | pr_debug("seq=%u ack=%u+(%d) sack=%u+(%d) win=%u end=%u\n", |
| 526 | seq, ack, sack, win, end); | 547 | seq, ack, receiver_offset, sack, receiver_offset, win, end); |
| 527 | pr_debug("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i " | 548 | pr_debug("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i " |
| 528 | "receiver end=%u maxend=%u maxwin=%u scale=%i\n", | 549 | "receiver end=%u maxend=%u maxwin=%u scale=%i\n", |
| 529 | sender->td_end, sender->td_maxend, sender->td_maxwin, | 550 | sender->td_end, sender->td_maxend, sender->td_maxwin, |
| @@ -613,8 +634,8 @@ static bool tcp_in_window(const struct nf_conn *ct, | |||
| 613 | 634 | ||
| 614 | pr_debug("tcp_in_window: "); | 635 | pr_debug("tcp_in_window: "); |
| 615 | nf_ct_dump_tuple(tuple); | 636 | nf_ct_dump_tuple(tuple); |
| 616 | pr_debug("seq=%u ack=%u sack =%u win=%u end=%u\n", | 637 | pr_debug("seq=%u ack=%u+(%d) sack=%u+(%d) win=%u end=%u\n", |
| 617 | seq, ack, sack, win, end); | 638 | seq, ack, receiver_offset, sack, receiver_offset, win, end); |
| 618 | pr_debug("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i " | 639 | pr_debug("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i " |
| 619 | "receiver end=%u maxend=%u maxwin=%u scale=%i\n", | 640 | "receiver end=%u maxend=%u maxwin=%u scale=%i\n", |
| 620 | sender->td_end, sender->td_maxend, sender->td_maxwin, | 641 | sender->td_end, sender->td_maxend, sender->td_maxwin, |
| @@ -700,7 +721,7 @@ static bool tcp_in_window(const struct nf_conn *ct, | |||
| 700 | before(seq, sender->td_maxend + 1) ? | 721 | before(seq, sender->td_maxend + 1) ? |
| 701 | after(end, sender->td_end - receiver->td_maxwin - 1) ? | 722 | after(end, sender->td_end - receiver->td_maxwin - 1) ? |
| 702 | before(sack, receiver->td_end + 1) ? | 723 | before(sack, receiver->td_end + 1) ? |
| 703 | after(ack, receiver->td_end - MAXACKWINDOW(sender)) ? "BUG" | 724 | after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1) ? "BUG" |
| 704 | : "ACK is under the lower bound (possible overly delayed ACK)" | 725 | : "ACK is under the lower bound (possible overly delayed ACK)" |
| 705 | : "ACK is over the upper bound (ACKed data not seen yet)" | 726 | : "ACK is over the upper bound (ACKed data not seen yet)" |
| 706 | : "SEQ is under the lower bound (already ACKed data retransmitted)" | 727 | : "SEQ is under the lower bound (already ACKed data retransmitted)" |
| @@ -715,39 +736,6 @@ static bool tcp_in_window(const struct nf_conn *ct, | |||
| 715 | return res; | 736 | return res; |
| 716 | } | 737 | } |
| 717 | 738 | ||
| 718 | #ifdef CONFIG_NF_NAT_NEEDED | ||
| 719 | /* Update sender->td_end after NAT successfully mangled the packet */ | ||
| 720 | /* Caller must linearize skb at tcp header. */ | ||
| 721 | void nf_conntrack_tcp_update(const struct sk_buff *skb, | ||
| 722 | unsigned int dataoff, | ||
| 723 | struct nf_conn *ct, int dir, | ||
| 724 | s16 offset) | ||
| 725 | { | ||
| 726 | const struct tcphdr *tcph = (const void *)skb->data + dataoff; | ||
| 727 | const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[dir]; | ||
| 728 | const struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[!dir]; | ||
| 729 | __u32 end; | ||
| 730 | |||
| 731 | end = segment_seq_plus_len(ntohl(tcph->seq), skb->len, dataoff, tcph); | ||
| 732 | |||
| 733 | spin_lock_bh(&ct->lock); | ||
| 734 | /* | ||
| 735 | * We have to worry for the ack in the reply packet only... | ||
| 736 | */ | ||
| 737 | if (ct->proto.tcp.seen[dir].td_end + offset == end) | ||
| 738 | ct->proto.tcp.seen[dir].td_end = end; | ||
| 739 | ct->proto.tcp.last_end = end; | ||
| 740 | spin_unlock_bh(&ct->lock); | ||
| 741 | pr_debug("tcp_update: sender end=%u maxend=%u maxwin=%u scale=%i " | ||
| 742 | "receiver end=%u maxend=%u maxwin=%u scale=%i\n", | ||
| 743 | sender->td_end, sender->td_maxend, sender->td_maxwin, | ||
| 744 | sender->td_scale, | ||
| 745 | receiver->td_end, receiver->td_maxend, receiver->td_maxwin, | ||
| 746 | receiver->td_scale); | ||
| 747 | } | ||
| 748 | EXPORT_SYMBOL_GPL(nf_conntrack_tcp_update); | ||
| 749 | #endif | ||
| 750 | |||
| 751 | #define TH_FIN 0x01 | 739 | #define TH_FIN 0x01 |
| 752 | #define TH_SYN 0x02 | 740 | #define TH_SYN 0x02 |
| 753 | #define TH_RST 0x04 | 741 | #define TH_RST 0x04 |