aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2008-06-30 15:41:30 -0400
committerDavid S. Miller <davem@davemloft.net>2008-06-30 15:41:30 -0400
commit84ebe1cdae56707b9aa1b40ae5aa7d817ba745f5 (patch)
treed325c80abe018baac9cd492a76d38b998ae87d4c
parentd420895efb259a78dda50f95289571faa6e10e41 (diff)
netfilter: nf_conntrack_tcp: fixing to check the lower bound of valid ACK
Lost connections was reported by Thomas Bätzler (running 2.6.25 kernel) on the netfilter mailing list (see the thread "Weird nat/conntrack Problem with PASV FTP upload"). He provided tcpdump recordings which helped to find a long lingering bug in conntrack. In TCP connection tracking, checking the lower bound of valid ACK could lead to mark valid packets as INVALID because: - We have got a "higher or equal" inequality, but the test checked the "higher" condition only; fixed. - If the packet contains a SACK option, it could occur that the ACK value was before the left edge of our (S)ACK "window": if a previous packet from the other party intersected the right edge of the window of the receiver, we could move forward the window parameters beyond accepting a valid ack. Therefore in this patch we check the rightmost SACK edge instead of the ACK value in the lower bound of valid (S)ACK test. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/netfilter/nf_conntrack_proto_tcp.c13
1 files changed, 7 insertions, 6 deletions
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index ba94004fe323..271cd01d57ae 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -331,12 +331,13 @@ static unsigned int get_conntrack_index(const struct tcphdr *tcph)
331 331
332 I. Upper bound for valid data: seq <= sender.td_maxend 332 I. Upper bound for valid data: seq <= sender.td_maxend
333 II. Lower bound for valid data: seq + len >= sender.td_end - receiver.td_maxwin 333 II. Lower bound for valid data: seq + len >= sender.td_end - receiver.td_maxwin
334 III. Upper bound for valid ack: sack <= receiver.td_end 334 III. Upper bound for valid (s)ack: sack <= receiver.td_end
335 IV. Lower bound for valid ack: ack >= receiver.td_end - MAXACKWINDOW 335 IV. Lower bound for valid (s)ack: sack >= receiver.td_end - MAXACKWINDOW
336 336
337 where sack is the highest right edge of sack block found in the packet. 337 where sack is the highest right edge of sack block found in the packet
338 or ack in the case of packet without SACK option.
338 339
339 The upper bound limit for a valid ack is not ignored - 340 The upper bound limit for a valid (s)ack is not ignored -
340 we doesn't have to deal with fragments. 341 we doesn't have to deal with fragments.
341*/ 342*/
342 343
@@ -606,12 +607,12 @@ static bool tcp_in_window(const struct nf_conn *ct,
606 before(seq, sender->td_maxend + 1), 607 before(seq, sender->td_maxend + 1),
607 after(end, sender->td_end - receiver->td_maxwin - 1), 608 after(end, sender->td_end - receiver->td_maxwin - 1),
608 before(sack, receiver->td_end + 1), 609 before(sack, receiver->td_end + 1),
609 after(ack, receiver->td_end - MAXACKWINDOW(sender))); 610 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1));
610 611
611 if (before(seq, sender->td_maxend + 1) && 612 if (before(seq, sender->td_maxend + 1) &&
612 after(end, sender->td_end - receiver->td_maxwin - 1) && 613 after(end, sender->td_end - receiver->td_maxwin - 1) &&
613 before(sack, receiver->td_end + 1) && 614 before(sack, receiver->td_end + 1) &&
614 after(ack, receiver->td_end - MAXACKWINDOW(sender))) { 615 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)) {
615 /* 616 /*
616 * Take into account window scaling (RFC 1323). 617 * Take into account window scaling (RFC 1323).
617 */ 618 */