diff options
| -rw-r--r-- | include/linux/netfilter/nf_conntrack_tcp.h | 4 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_tcp.c | 18 |
2 files changed, 22 insertions, 0 deletions
diff --git a/include/linux/netfilter/nf_conntrack_tcp.h b/include/linux/netfilter/nf_conntrack_tcp.h index 3066789b972a..b2f384d42611 100644 --- a/include/linux/netfilter/nf_conntrack_tcp.h +++ b/include/linux/netfilter/nf_conntrack_tcp.h | |||
| @@ -35,6 +35,9 @@ enum tcp_conntrack { | |||
| 35 | /* Has unacknowledged data */ | 35 | /* Has unacknowledged data */ |
| 36 | #define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED 0x10 | 36 | #define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED 0x10 |
| 37 | 37 | ||
| 38 | /* The field td_maxack has been set */ | ||
| 39 | #define IP_CT_TCP_FLAG_MAXACK_SET 0x20 | ||
| 40 | |||
| 38 | struct nf_ct_tcp_flags { | 41 | struct nf_ct_tcp_flags { |
| 39 | __u8 flags; | 42 | __u8 flags; |
| 40 | __u8 mask; | 43 | __u8 mask; |
| @@ -46,6 +49,7 @@ struct ip_ct_tcp_state { | |||
| 46 | u_int32_t td_end; /* max of seq + len */ | 49 | u_int32_t td_end; /* max of seq + len */ |
| 47 | u_int32_t td_maxend; /* max of ack + max(win, 1) */ | 50 | u_int32_t td_maxend; /* max of ack + max(win, 1) */ |
| 48 | u_int32_t td_maxwin; /* max(win) */ | 51 | u_int32_t td_maxwin; /* max(win) */ |
| 52 | u_int32_t td_maxack; /* max of ack */ | ||
| 49 | u_int8_t td_scale; /* window scale factor */ | 53 | u_int8_t td_scale; /* window scale factor */ |
| 50 | u_int8_t flags; /* per direction options */ | 54 | u_int8_t flags; /* per direction options */ |
| 51 | }; | 55 | }; |
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index b5ccf2b4b2e7..97a6e93d742e 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c | |||
| @@ -634,6 +634,14 @@ static bool tcp_in_window(const struct nf_conn *ct, | |||
| 634 | sender->td_end = end; | 634 | sender->td_end = end; |
| 635 | sender->flags |= IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED; | 635 | sender->flags |= IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED; |
| 636 | } | 636 | } |
| 637 | if (tcph->ack) { | ||
| 638 | if (!(sender->flags & IP_CT_TCP_FLAG_MAXACK_SET)) { | ||
| 639 | sender->td_maxack = ack; | ||
| 640 | sender->flags |= IP_CT_TCP_FLAG_MAXACK_SET; | ||
| 641 | } else if (after(ack, sender->td_maxack)) | ||
| 642 | sender->td_maxack = ack; | ||
| 643 | } | ||
| 644 | |||
| 637 | /* | 645 | /* |
| 638 | * Update receiver data. | 646 | * Update receiver data. |
| 639 | */ | 647 | */ |
| @@ -919,6 +927,16 @@ static int tcp_packet(struct nf_conn *ct, | |||
| 919 | return -NF_ACCEPT; | 927 | return -NF_ACCEPT; |
| 920 | case TCP_CONNTRACK_CLOSE: | 928 | case TCP_CONNTRACK_CLOSE: |
| 921 | if (index == TCP_RST_SET | 929 | if (index == TCP_RST_SET |
| 930 | && (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET) | ||
| 931 | && before(ntohl(th->seq), ct->proto.tcp.seen[!dir].td_maxack)) { | ||
| 932 | /* Invalid RST */ | ||
| 933 | write_unlock_bh(&tcp_lock); | ||
| 934 | if (LOG_INVALID(net, IPPROTO_TCP)) | ||
| 935 | nf_log_packet(pf, 0, skb, NULL, NULL, NULL, | ||
| 936 | "nf_ct_tcp: invalid RST "); | ||
| 937 | return -NF_ACCEPT; | ||
| 938 | } | ||
| 939 | if (index == TCP_RST_SET | ||
| 922 | && ((test_bit(IPS_SEEN_REPLY_BIT, &ct->status) | 940 | && ((test_bit(IPS_SEEN_REPLY_BIT, &ct->status) |
| 923 | && ct->proto.tcp.last_index == TCP_SYN_SET) | 941 | && ct->proto.tcp.last_index == TCP_SYN_SET) |
| 924 | || (!test_bit(IPS_ASSURED_BIT, &ct->status) | 942 | || (!test_bit(IPS_ASSURED_BIT, &ct->status) |