netfilter: nf_conntrack_tcp: fixing to check the lower bound of valid ACK

Lost connections was reported by Thomas Bätzler (running 2.6.25 kernel) on the netfilter mailing list (see the thread "Weird nat/conntrack Problem with PASV FTP upload"). He provided tcpdump recordings which helped to find a long lingering bug in conntrack. In TCP connection tracking, checking the lower bound of valid ACK could lead to mark valid packets as INVALID because: - We have got a "higher or equal" inequality, but the test checked the "higher" condition only; fixed. - If the packet contains a SACK option, it could occur that the ACK value was before the left edge of our (S)ACK "window": if a previous packet from the other party intersected the right edge of the window of the receiver, we could move forward the window parameters beyond accepting a valid ack. Therefore in this patch we check the rightmost SACK edge instead of the ACK value in the lower bound of valid (S)ACK test. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2008-06-30 15:41:30 -0400
committer: David S. Miller <davem@davemloft.net> 2008-06-30 15:41:30 -0400
commit: 84ebe1cdae56707b9aa1b40ae5aa7d817ba745f5 (patch)
tree: d325c80abe018baac9cd492a76d38b998ae87d4c /net
parent: d420895efb259a78dda50f95289571faa6e10e41 (diff)
1 files changed, 7 insertions, 6 deletions
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index ba94004fe323..271cd01d57ae 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -331,12 +331,13 @@ static unsigned int get_conntrack_index(const struct tcphdr *tcph)
   I.   Upper bound for valid data:     seq <= sender.td_maxend
   II.  Lower bound for valid data:     seq + len >= sender.td_end - receiver.td_maxwin
-   III. Upper bound for valid ack:      sack <= receiver.td_end
+   III. Upper bound for valid (s)ack:   sack <= receiver.td_end
-   IV.  Lower bound for valid ack:      ack >= receiver.td_end - MAXACKWINDOW
+   IV.  Lower bound for valid (s)ack:   sack >= receiver.td_end - MAXACKWINDOW
-   where sack is the highest right edge of sack block found in the packet.
+   where sack is the highest right edge of sack block found in the packet
+   or ack in the case of packet without SACK option.
-   The upper bound limit for a valid ack is not ignored -
+   The upper bound limit for a valid (s)ack is not ignored -
   we doesn't have to deal with fragments.
 */
@@ -606,12 +607,12 @@ static bool tcp_in_window(const struct nf_conn *ct,
                 before(seq, sender->td_maxend + 1),
                 after(end, sender->td_end - receiver->td_maxwin - 1),
                 before(sack, receiver->td_end + 1),
-                 after(ack, receiver->td_end - MAXACKWINDOW(sender)));
+                 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1));
        if (before(seq, sender->td_maxend + 1) &&
            after(end, sender->td_end - receiver->td_maxwin - 1) &&
            before(sack, receiver->td_end + 1) &&
-            after(ack, receiver->td_end - MAXACKWINDOW(sender))) {
+            after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)) {
                /*
                 * Take into account window scaling (RFC 1323).
                 */
author	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>	2008-06-30 15:41:30 -0400
committer	David S. Miller <davem@davemloft.net>	2008-06-30 15:41:30 -0400
commit	84ebe1cdae56707b9aa1b40ae5aa7d817ba745f5 (patch)
tree	d325c80abe018baac9cd492a76d38b998ae87d4c /net
parent	d420895efb259a78dda50f95289571faa6e10e41 (diff)